
Adding security question/answer check to ASP.NET *ChangePassword* control

I want to add the security question and answer security feature to the
ChangePassword control. I am aware that this functionality is built into the
PasswordRecovery tool. I have implemented the PasswordRecovery with a
Password reset required; a temporary password is sent to the account on
file. I want an extra layer of security to accommodate the very unlikely
contingency that someone's e-mail account is compromised. Challenging with
the user's security question and answer will address this contingency.

Put another way, this is the setup I want:
1) User requests password reset
2) email is sent with temp password
3) user's/username's Membership info is evaluated, if comment ==
"UserResetPasswordMustChange" user is sent to password change form
4) User changes password using an augmented ChangePassword control that
evaluates an answer against the user's security question on file.

I have completed items 1-3.

I have extended other login controls by exposing the templates, playing
around with FindControl, and writing functions on the OnWhatever events, so
I am familiar with the basic concepts involved in extending the
functionality of these things.

In the case of a ChangePassword control I imagine I will want to inspect the
answer to the security question on file during the
ChangePassword1_ChangingPassword event and e.Cancel it in the event that the
answer is incorrect.

I don't know how exactly to do this comparison, especially since the answers
to the security questions are hashed. Somehow in code I would need to do a
comparison of the cryptographic "fingerprints" of the user's input vs. the
hashed answer on file.

Any help out there? Somewhere someone has written a tutorial on how to do
all of the above, I'm sure, but even a few snips of code would probably set
me on my way.

Thanks!

Aug 15 '08 #1
Hi Ken,

From your description you want to get the security answer in the
ChangingPassword event handler of ChangePassword control. You're using
ASP.NET membership, the provider is
System.Web.Security.SqlMembershipProvider and the passwordFormat is Hashed,
which is the default setting. If my understanding is wrong please correct
me.

If so it's not that easy to retrieve the password answer. If you want to do
so I suggest you write a custom provider. You can refer to the source
code of System.Web.Security.SqlMembershipProvider. In its ResetPassword
method it calls base.EncodePassword to encode the password answer and then
calls a stored procedure aspnet_Membership_ResetPassword to reset the
password. You can encode the password answer in the same way and compare it
with the password answer stored in the database.

The above workaround is a bit complex. Here I would suggest you use a
tricky one:

<asp:ChangePassword DisplayUserName="true" ID="ChangePassword1" runat="server"
  OnChangingPassword="ChangePassword1_ChangingPassword">
  <ChangePasswordTemplate>
    <table border="0" cellpadding="4">
      <tr>
        <td>
          <table border="0" cellpadding="0" style="font-family: Verdana;">
            <tr>
              <td align="center" colspan="2"
                style="color: White; background-color: #1C5E55; font-weight: bold;">
                Change Your Password</td>
            </tr>
            <tr>
              <td align="center" colspan="2" style="color: Black; font-style: italic;">
                Enter your username and old password.
              </td>
            </tr>
            <tr>
              <td align="right">
                <asp:Label AssociatedControlID="UserName" ID="UserNameLabel"
                  runat="server">User Name:</asp:Label>
              </td>
              <td>
                <asp:TextBox ID="UserName" runat="server"></asp:TextBox>
                <asp:RequiredFieldValidator ControlToValidate="UserName"
                  ErrorMessage="User Name is required." ID="UserNameRequired"
                  runat="server" ToolTip="User Name is required."
                  ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
              </td>
            </tr>
            <tr>
              <td align="right">
                <asp:Label AssociatedControlID="CurrentPassword" ID="CurrentPasswordLabel"
                  runat="server">Password:</asp:Label>
              </td>
              <td>
                <asp:TextBox ID="CurrentPassword" runat="server" TextMode="Password"></asp:TextBox>
                <asp:RequiredFieldValidator ControlToValidate="CurrentPassword"
                  ErrorMessage="Password is required." ID="CurrentPasswordRequired"
                  runat="server" ToolTip="Password is required."
                  ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
              </td>
            </tr>
            <tr>
              <td align="right">
                <asp:Label AssociatedControlID="NewPassword" ID="NewPasswordLabel"
                  runat="server">New Password:</asp:Label>
              </td>
              <td>
                <asp:TextBox ID="NewPassword" runat="server" TextMode="Password"></asp:TextBox>
                <asp:RequiredFieldValidator ControlToValidate="NewPassword"
                  ErrorMessage="New Password is required." ID="NewPasswordRequired"
                  runat="server" ToolTip="New Password is required."
                  ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
              </td>
            </tr>
            <tr>
              <td align="right">
                <asp:Label AssociatedControlID="ConfirmNewPassword" ID="ConfirmNewPasswordLabel"
                  runat="server">Confirm New Password:</asp:Label>
              </td>
              <td>
                <asp:TextBox ID="ConfirmNewPassword" runat="server" TextMode="Password"></asp:TextBox>
                <asp:RequiredFieldValidator ControlToValidate="ConfirmNewPassword"
                  ErrorMessage="Confirm New Password is required." ID="ConfirmNewPasswordRequired"
                  runat="server" ToolTip="Confirm New Password is required."
                  ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
              </td>
            </tr>
            <tr>
              <td align="center" colspan="2">
                <asp:CompareValidator ControlToCompare="NewPassword"
                  ControlToValidate="ConfirmNewPassword" Display="Dynamic"
                  ErrorMessage="The confirm New Password must match the New Password entry."
                  ID="NewPasswordCompare" runat="server"
                  ValidationGroup="ChangePassword1"></asp:CompareValidator>
              </td>
            </tr>
            <tr>
              <td align="center" colspan="2" style="color: Red;">
                <asp:Literal EnableViewState="False" ID="FailureText" runat="server"></asp:Literal>
              </td>
            </tr>
            <tr>
              <td>
                <%-- Label1_Load (not shown in this reply) is expected to replace the
                     placeholder text with the user's PasswordQuestion. --%>
                Question: <asp:Label ID="Label1" runat="server" Text="question"
                  onload="Label1_Load"></asp:Label>
                <br />
                Answer: <asp:TextBox ID="PasswordAnswer" runat="server"></asp:TextBox>
                <%-- A RequiredFieldValidator in the button's ValidationGroup; the original
                     CompareValidator had no ControlToCompare and was never triggered. --%>
                <asp:RequiredFieldValidator ID="PasswordAnswerRequired" runat="server"
                  ControlToValidate="PasswordAnswer" ErrorMessage="Please input the answer!"
                  ValidationGroup="ChangePassword1">*</asp:RequiredFieldValidator>
                <br />
              </td>
            </tr>
            <tr>
              <td align="right">
                <asp:Button BackColor="White" BorderColor="#C5BBAF" BorderStyle="Solid"
                  BorderWidth="1px" CommandName="ChangePassword" Font-Names="Verdana"
                  ForeColor="#1C5E55" ID="ChangePasswordPushButton" runat="server"
                  Text="Change Password" ValidationGroup="ChangePassword1" />
              </td>
              <td>
                <asp:Button BackColor="White" BorderColor="#C5BBAF" BorderStyle="Solid"
                  BorderWidth="1px" CausesValidation="False" CommandName="Cancel"
                  Font-Names="Verdana" ForeColor="#1C5E55" ID="CancelPushButton"
                  runat="server" Text="Cancel" />
              </td>
            </tr>
          </table>
        </td>
      </tr>
    </table>
  </ChangePasswordTemplate>
</asp:ChangePassword>

protected void ChangePassword1_ChangingPassword(object sender, LoginCancelEventArgs e)
{
    ChangePassword cp = sender as ChangePassword;
    TextBox newpassword = cp.Controls[0].FindControl("NewPassword") as TextBox;
    TextBox passwordanswer = cp.Controls[0].FindControl("PasswordAnswer") as TextBox;

    try
    {
        // The user name typed into the form (DisplayUserName="true"); the reply
        // originally hard-coded "test" here, which you must replace in your case.
        MembershipUser user = Membership.GetUser(cp.UserName);
        // ResetPassword throws MembershipPasswordException when the answer is wrong.
        string autogeneratedpassword = user.ResetPassword(passwordanswer.Text);
        // Now a new auto-generated password is set; we have to change it to the new one.
        if (user.ChangePassword(autogeneratedpassword, newpassword.Text))
        {
            // Password successfully changed. You can show a message here.
            Response.Write("Done!");
        }
        else
        {
            // The new password was rejected; the account is on the generated password.
            Response.Write("Could not set the new password!");
        }
    }
    catch (MembershipPasswordException)
    {
        // The password answer is incorrect.
        Response.Write("Incorrect!");
    }
    // Cancel the subsequent process since we've changed the password ourselves.
    e.Cancel = true;
}

From the above code you can see I called the MembershipUser.ResetPassword method
again. This is used to validate the password answer that is input by the
user. If the exception is thrown we know the password answer is
incorrect.

Please let me know if it works. Looking forward to your test result.

Regards
Allen Chen
Microsoft Online Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
ms****@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscripti...t/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Aug 15 '08 #2
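A hardened version of the same ResetPassword trick, added here as an example and not code from Allen's reply or from the ASP.NET control: it checks the current password itself (cancelling the event skips the control's own check), enforces the password policy before ResetPassword overwrites the stored password, and uses the template's FailureText instead of Response.Write. It assumes the template above with its control IDs (CurrentPassword, NewPassword, PasswordAnswer, FailureText), a provider configured with requiresQuestionAndAnswer="true" and enablePasswordReset="true", and MeetsPasswordPolicy is a helper name of my own.

```csharp
using System.Text.RegularExpressions;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class ChangePasswordPage : Page
{
    protected void ChangePassword1_ChangingPassword(object sender, LoginCancelEventArgs e)
    {
        // This handler either changes the password itself or rejects the request,
        // so the control's built-in change step must never run.
        e.Cancel = true;
        ChangePassword cp = (ChangePassword)sender;
        Control tpl = cp.ChangePasswordTemplateContainer;
        TextBox currentPassword = (TextBox)tpl.FindControl("CurrentPassword");
        TextBox newPassword = (TextBox)tpl.FindControl("NewPassword");
        TextBox passwordAnswer = (TextBox)tpl.FindControl("PasswordAnswer");
        Literal failureText = (Literal)tpl.FindControl("FailureText");

        // A logged-in user may only change their own password: take the name from the
        // authenticated identity and use the typed name only for anonymous visitors.
        string userName = Context.User.Identity.IsAuthenticated
            ? Context.User.Identity.Name : cp.UserName;
        MembershipUser user = Membership.GetUser(userName);
        // Cancelling the event skips the control's own current-password check, so do it
        // here; one generic message for every failure hides which factor was wrong.
        if (user == null || !Membership.ValidateUser(userName, currentPassword.Text))
        { failureText.Text = cp.ChangePasswordFailureText; return; }
        // ResetPassword overwrites the stored password before ChangePassword runs, so
        // enforce the password policy first: a rejected new password would otherwise
        // leave the account on a generated password that nobody knows.
        if (!MeetsPasswordPolicy(newPassword.Text))
        { failureText.Text = "The new password does not meet the password policy."; return; }
        try
        {
            // A wrong answer throws MembershipPasswordException, and the failed attempt
            // counts toward the provider's lockout threshold, which is what we want.
            string generated = user.ResetPassword(passwordAnswer.Text);
            if (!user.ChangePassword(generated, newPassword.Text))
            {   // the account is now on the generated password: report it, not "Done!"
                failureText.Text = cp.ChangePasswordFailureText;
                return;
            }
            Response.Redirect(cp.ContinueDestinationPageUrl.Length > 0
                ? cp.ContinueDestinationPageUrl : "~/", false);
        }
        catch (MembershipPasswordException) { failureText.Text = cp.ChangePasswordFailureText; }
    }

    // Hypothetical helper, not a Membership API: mirrors the provider's configured
    // password rules so they can be checked before ResetPassword is called.
    private static bool MeetsPasswordPolicy(string pw)
    {
        int nonAlnum = 0;
        foreach (char c in pw) if (!char.IsLetterOrDigit(c)) nonAlnum++;
        if (pw.Length < Membership.MinRequiredPasswordLength
            || nonAlnum < Membership.MinRequiredNonAlphanumericCharacters) return false;
        string re = Membership.PasswordStrengthRegularExpression;
        return string.IsNullOrEmpty(re) || Regex.IsMatch(pw, re);
    }
}
```

Because the answer is checked by ResetPassword, wrong answers are counted by the provider like wrong passwords, so the membership section's maxInvalidPasswordAttempts and passwordAttemptWindow settings limit online guessing of the answer as well.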
Hi Ken,

Is this problem solved? Please feel free to let me know if you need further
assistance.

Regards,
Allen Chen
Microsoft Online Support

Aug 25 '08 #3
