Generate temporary URL to reset password

Question

I am looking to implement a Forgot Password feature on my website. I like the option where an email containing a temporary one-time use URL that expires after some time is sent

Answer 1

I would definitely include the database in this process. Once a reset is requested, it's a good idea to indicate that the account is locked out.

For example, if you are changing your pw because you think your account may have been compromised, you definitely don't want it to remain accessible while you go about the change process.

Also, inclusion of "real" information in the reset token could be decoded if someone really wants it and has the horsepower. It would be safer to generate a random string, save it in the db in the row for that user, and then key back to it when the link is clicked.

This gives you two things:

1) There's nothing to decrypt, and therefore nothing of value can be gained from it. 2) The presence of the token in the user record indicates that reset is in progress and the account should be treated as locked out.

Answer 2

Here, the System.Guid class in your friend, as it will generate a unique (well, unique enough) 128-bit number:

• Generate a new Guid ( System.Guid.NewGuid() )
• Store that Guid somewhere (Application object maybe?)
• Send a custom URL in an email with that Guid
• When the user hits the site, make them enter the password you sent in the email
• If the passwords match, go ahead and force them to enter a new password

Answer 3

Depending on your needs, you could encrypt information, in a format similar to the following format

(UserId)-(ExpireDate)

Encrypt the data, make that the link, then decrypt the data and take action from there...

Crude, but most likely usable, and not requiring DB usage

Answer 4

The goal of sending some data|string to user email is validation of account owner. Please care about some points:

• Avoid sending important information in reset or activate link.
• It's best way to store unique string data conjunction with user account and send it as that link. but be aware if you send just one section as link to user email and just check it in page, your application may be in dangerous by brute-force or dictionary attacker. It's enough to check a list of string to find some links and change password. I know that has a little chance, but not zero.

Result: I think it's better if you

1. combine user email with string link then encrypt them (not hash because hashed value can't be reverse) and send to user email.
2. User click and your page get the encrypted value.
3. decrypt value.
4. extract user email.
5. find email in database.
6. compare string from received link with other one attached to user email in database.

Good luck.

Answer 5

Probably the easiest way is going to be to modify your users table to add 2 extra columns, OR if you don't want to modify the existing table you could add a new dependent table called "UserPasswordReset" or something like that. The columns are like this:

PasswordResetToken UNIQUEIDENTIFIER,
PasswordResetExpiration DATETIME

If you go with the additional table route, you could do also add the UserID column, make it a primary key and a foriegn key reference back to your users table. A UNIQUE constraint would also be recommended. Then you simply use a Guid in your asp.net application as the token.

The flow could be something like this:

1. User requests password reset for their account
2. You insert a new record in the table (or update their user record) by setting the PasswordResetExpiration to a date in the future (DateTime.Now.AddDays(1)), and set the token to Guid.NewGuid()
3. Email the user a link to your ResetPassword.aspx page with the guid in the query string (http://www.yoursite.com/ResetPassword.aspx?token=Guid-here)
4. Use the ResetPassword.aspx page to validate the token and expiration fields. (I.E. Make sure DateTime.Now < PasswordResetExpiration)
5. Provide a simple form that allows the user to reset this password.

I know you wanted to avoid modifying the database, but it really is probably the simplest method.

Answer 6

@Alex

You can also use System.Security.Cryptography classes in .NET for the hash algorithms. For example:

using System.Security.Cryptography;
...
var hash = SHA256CryptoServiceProvider.Create().ComputeHash(myTokenToHash);
...