
Adding security question/answer check to ASP.NET *ChangePassword* control

I want to add the security question and answer security feature to the
ChangePassword control. I am aware that this functionality is built into the
PasswordRecovery tool. I have implemented the PasswordRecovery with a
Password reset required; a temporary password is sent to the account on
file. I want an extra layer of security to accommodate the very unlikely
contingency that someone's e-mail account is compromised. Challenging with
the user's security question and answer will address this contingency.

Put another way, this is the setup I want:
1) User requests password reset
2) email is sent with temp password
3) user's/username's Membership info is evaluated, if comment ==
"UserResetPasswordMustChange" user is sent to password change form
4) User changes password using an augmented ChangePassword control that
evaluates an answer against the user's security question on file.

I have completed items 1-3.

I have extended other login controls by exposing the templates, playing
around with FindControl, and writing functions on the OnWhatever events, so
I am familiar with the basic concepts involved in extending the
functionality of these things.

In the case of a ChangePassword control I imagine I will want to inspect the
answer to the security question on file during the
ChangePassword1_ChangingPassword event and e.Cancel it in the event that the
answer is incorrect.

I don't know how exactly to do this comparison, especially since the answers
to the security questions are hashed. Somehow in code I would need to do a
comparison of the cryptographic "fingerprints" of the user's input vs. the
hashed answer on file.

Any help out there? Somewhere someone has written a tutorial on how to do
all of the above, I'm sure, but even a few snips of code would probably set
me on my way.

Thanks!

Aug 15 '08 #1
Hi Ken,

From your description you want to get the security answer in the
ChangingPassword event handler of the ChangePassword control. You're using
ASP.NET membership, the provider is
System.Web.Security.SqlMembershipProvider and the passwordFormat is Hashed,
which is the default setting. If my understanding is wrong, please correct
me.

If so, it's not that easy to retrieve the password answer. If you want to do
so, I suggest you write a custom provider. You can refer to the source
code of System.Web.Security.SqlMembershipProvider. In its ResetPassword
method it calls base.EncodePassword to encode the password answer and then
calls a stored procedure, aspnet_Membership_ResetPassword, to reset the
password. You can encode the password answer in the same way and compare it
with the password answer stored in the database.

The above workaround is a bit complex. Here I would suggest you use a
tricky one:

<asp:ChangePassword DisplayUserName="true" ID="ChangePassword1" runat="server"
    onchangingpassword="ChangePassword1_ChangingPassword">
  <ChangePasswordTemplate>
    <table border="0" cellpadding="4">
      <tr>
        <td>
          <table border="0" cellpadding="0" style="font-family: Verdana;">
            <tr>
              <td align="center" colspan="2"
                  style="color: White; background-color: #1C5E55; font-weight: bold;">
                Change Your Password</td>
            </tr>
            <tr>
              <td align="center" colspan="2" style="color: Black; font-style: italic;">
                Enter your username and old password.
              </td>
            </tr>
            <tr>
              <td align="right">
                <asp:Label AssociatedControlID="UserName" ID="UserNameLabel"
                    runat="server">User Name:</asp:Label>
              </td>
              <td>
                <asp:TextBox ID="UserName" runat="server"></asp:TextBox>
                <asp:RequiredFieldValidator ControlToValidate="UserName"
                    ErrorMessage="User Name is required." ID="UserNameRequired"
                    runat="server" ToolTip="User Name is required."
                    ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
              </td>
            </tr>
            <tr>
              <td align="right">
                <asp:Label AssociatedControlID="CurrentPassword" ID="CurrentPasswordLabel"
                    runat="server">Password:</asp:Label>
              </td>
              <td>
                <asp:TextBox ID="CurrentPassword" runat="server"
                    TextMode="Password"></asp:TextBox>
                <asp:RequiredFieldValidator ControlToValidate="CurrentPassword"
                    ErrorMessage="Password is required." ID="CurrentPasswordRequired"
                    runat="server" ToolTip="Password is required."
                    ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
              </td>
            </tr>
            <tr>
              <td align="right">
                <asp:Label AssociatedControlID="NewPassword" ID="NewPasswordLabel"
                    runat="server">New Password:</asp:Label>
              </td>
              <td>
                <asp:TextBox ID="NewPassword" runat="server"
                    TextMode="Password"></asp:TextBox>
                <asp:RequiredFieldValidator ControlToValidate="NewPassword"
                    ErrorMessage="New Password is required." ID="NewPasswordRequired"
                    runat="server" ToolTip="New Password is required."
                    ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
              </td>
            </tr>
            <tr>
              <td align="right">
                <asp:Label AssociatedControlID="ConfirmNewPassword" ID="ConfirmNewPasswordLabel"
                    runat="server">Confirm New Password:</asp:Label>
              </td>
              <td>
                <asp:TextBox ID="ConfirmNewPassword" runat="server"
                    TextMode="Password"></asp:TextBox>
                <asp:RequiredFieldValidator ControlToValidate="ConfirmNewPassword"
                    ErrorMessage="Confirm New Password is required."
                    ID="ConfirmNewPasswordRequired" runat="server"
                    ToolTip="Confirm New Password is required."
                    ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
              </td>
            </tr>
            <tr>
              <td align="center" colspan="2">
                <asp:CompareValidator ControlToCompare="NewPassword"
                    ControlToValidate="ConfirmNewPassword" Display="Dynamic"
                    ErrorMessage="The confirm New Password must match the New Password entry."
                    ID="NewPasswordCompare" runat="server"
                    ValidationGroup="ChangePassword1"></asp:CompareValidator>
              </td>
            </tr>
            <tr>
              <td align="center" colspan="2" style="color: Red;">
                <asp:Literal EnableViewState="False" ID="FailureText"
                    runat="server"></asp:Literal>
              </td>
            </tr>
            <tr>
              <td>
                Question: <asp:Label ID="Label1" runat="server" Text="question"
                    onload="Label1_Load"></asp:Label>
                <br />
                Answer: <asp:TextBox ID="PasswordAnswer" runat="server"></asp:TextBox>
                <%-- Required-field check in the button's validation group: a CompareValidator
                     with no ValueToCompare and no ValidationGroup lets an empty answer through. --%>
                <asp:RequiredFieldValidator ID="PasswordAnswerRequired" runat="server"
                    ControlToValidate="PasswordAnswer" ErrorMessage="Please input the answer!"
                    ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
                <br />
              </td>
            </tr>
            <tr>
              <td align="right">
                <asp:Button BackColor="White" BorderColor="#C5BBAF" BorderStyle="Solid"
                    BorderWidth="1px" CommandName="ChangePassword" Font-Names="Verdana"
                    ForeColor="#1C5E55" ID="ChangePasswordPushButton" runat="server"
                    Text="Change Password" ValidationGroup="ChangePassword1" />
              </td>
              <td>
                <asp:Button BackColor="White" BorderColor="#C5BBAF" BorderStyle="Solid"
                    BorderWidth="1px" CausesValidation="False" CommandName="Cancel"
                    Font-Names="Verdana" ForeColor="#1C5E55" ID="CancelPushButton"
                    runat="server" Text="Cancel" />
              </td>
            </tr>
          </table>
        </td>
      </tr>
    </table>
  </ChangePasswordTemplate>
</asp:ChangePassword>

protected void ChangePassword1_ChangingPassword(object sender, LoginCancelEventArgs e)
{
    ChangePassword cp = sender as ChangePassword;
    TextBox newpassword = cp.ChangePasswordTemplateContainer.FindControl("NewPassword") as TextBox;
    TextBox passwordanswer = cp.ChangePasswordTemplateContainer.FindControl("PasswordAnswer") as TextBox;

    try
    {
        // DisplayUserName="true" lets the control read the user name from the template's
        // UserName box, so the lookup is for the user who submitted the form.
        MembershipUser user = Membership.GetUser(cp.UserName);
        if (user == null)
        {
            Response.Write("Incorrect!");
        }
        else
        {
            // ResetPassword compares the hashed answer for us: it throws on a wrong answer
            // (and the attempt counts towards the provider's lockout threshold).
            string autogeneratedpassword = user.ResetPassword(passwordanswer.Text);
            // From here on the account's password IS the auto-generated one, so the new
            // password must be set before returning.
            user.ChangePassword(autogeneratedpassword, newpassword.Text);
            // Password successfully changed. You can show a message here.
            Response.Write("Done!");
        }
    }
    catch (MembershipPasswordException)
    {
        // the password answer is incorrect
        Response.Write("Incorrect!");
    }
    // cancel the subsequent process since we've changed the password.
    e.Cancel = true;
}

From the above code you can see I called the MembershipUser.ResetPassword method
again. This is used to validate the password answer that is input by the
user. If the exception is thrown, we know the password answer is
incorrect.

Please let me know if it works. Looking forward to your test result.

Regards
Allen Chen
Microsoft Online Support


Aug 15 '08 #2
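The reply's trick verifies the answer alone and, because the event is cancelled, the e-mailed temporary password is never checked, so the question replaces the e-mail factor instead of adding to it. The handler below is an added example (not code from the post or from Microsoft) that keeps both factors and checks the new password against the provider's policy before ResetPassword runs, so a rejected new password never strands the account on an auto-generated one; it assumes the template above, a hypothetical success page "~/PasswordChanged.aspx", and the "UserResetPasswordMustChange" flag from step 3 of the question.

```csharp
using System.Text.RegularExpressions;
using System.Web.Security;
using System.Web.UI.WebControls;

public partial class ChangePasswordPage : System.Web.UI.Page
{
    const string SuccessUrl = "~/PasswordChanged.aspx";          // assumed page, not from the post
    const string MustChangeFlag = "UserResetPasswordMustChange";  // flag used by step 3 of the post

    protected void ChangePassword1_ChangingPassword(object sender, LoginCancelEventArgs e)
    {
        var cp = (ChangePassword)sender;
        var answer = (TextBox)cp.ChangePasswordTemplateContainer.FindControl("PasswordAnswer");
        var failure = (Literal)cp.ChangePasswordTemplateContainer.FindControl("FailureText");
        // This handler performs the change itself; the control's own attempt must not run,
        // since ResetPassword below invalidates the temporary password it would use.
        e.Cancel = true;

        // Factor 1: the e-mailed temporary password. Cancelling the event skips the
        // control's own check of CurrentPassword, so it has to be verified here.
        if (!Membership.ValidateUser(cp.UserName, cp.CurrentPassword))
        { failure.Text = "Incorrect user name or current password."; return; }
        MembershipUser user = Membership.GetUser(cp.UserName);
        if (user == null || user.IsLockedOut)
        { failure.Text = "The password cannot be changed for this account right now."; return; }

        // Check the new password against the provider policy before touching the account:
        // after ResetPassword a rejected new password would leave the user with an
        // auto-generated password they have never seen.
        if (!MeetsPasswordPolicy(cp.NewPassword))
        { failure.Text = "The new password does not meet the password policy."; return; }

        string autoGenerated;
        try
        {
            // Factor 2: ResetPassword compares the hashed answer for us. A wrong answer
            // throws and counts towards MaxInvalidPasswordAttempts, so repeated wrong
            // answers lock the account instead of allowing unlimited guesses.
            autoGenerated = user.ResetPassword(answer.Text);
        }
        catch (MembershipPasswordException)
        { failure.Text = "The security answer is incorrect."; return; }

        if (!user.ChangePassword(autoGenerated, cp.NewPassword))
        { failure.Text = "The password could not be changed; please request a new reset."; return; }
        if (user.Comment == MustChangeFlag)   // step 3 keys on this flag; clear it now
        { user.Comment = null; Membership.UpdateUser(user); }
        Response.Redirect(SuccessUrl);
    }

    // Mirrors the checks SqlMembershipProvider applies to a new password.
    static bool MeetsPasswordPolicy(string pw)
    {
        if (string.IsNullOrEmpty(pw) || pw.Length < Membership.MinRequiredPasswordLength) return false;
        int nonAlnum = 0;
        foreach (char c in pw) if (!char.IsLetterOrDigit(c)) nonAlnum++;
        if (nonAlnum < Membership.MinRequiredNonAlphanumericCharacters) return false;
        string re = Membership.PasswordStrengthRegularExpression;
        return string.IsNullOrEmpty(re) || Regex.IsMatch(pw, re);
    }
}
```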
Hi Ken,

Is this problem solved? Please feel free to let me know if you need further
assistance.

Regards,
Allen Chen
Microsoft Online Support

Aug 25 '08 #3
