  • Mounhim Tahtahi 41 posts 62 karma points
    Jun 24, 2013 @ 20:31

    Umbraco Membership Provider Password Reset and PasswordAnswer


    I am using the Umbraco Membership Provider in my Umbraco MVC project. One of the features for my users is the ability to reset the password in case a member has forgotten his. If a user wants to reset his password, the user first has to answer a password question. It's quite a familiar pattern as far as I know.

    In order to do that I have the following line in my web.config:

    <add name="UmbracoMembershipProvider" type="umbraco.providers.members.UmbracoMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" defaultMemberTypeAlias="customer" passwordFormat="Hashed" umbracoApprovePropertyTypeAlias="approved" umbracoLockPropertyTypeAlias="lockedOut" umbracoCommentPropertyTypeAlias="comments" umbracoLastLoginPropertyTypeAlias="lastLogonDate" umbracoPasswordRetrievalQuestionPropertyTypeAlias="passwordRetrievalQuestion" umbracoPasswordRetrievalAnswerPropertyTypeAlias="passwordRetrievalAnswer" />

    The properties mentioned in the config file (e.g. umbracoLastLoginPropertyTypeAlias, umbracoPasswordRetrievalAnswerPropertyTypeAlias, etc.) are added to the member type. So now when a user is registered all the properties are filled. BUT... the password retrieval answer is also there. In plain text. Why is this one not stored according to the chosen password format? I mean the password answer is almost as good as a password.

    Is there a way to have this stored in a salted or hashed way as well, but still being able to use the ResetPassword feature of the Membership Provider?

  • Andreas Iseli 150 posts 427 karma points
    Jun 27, 2013 @ 11:12

    Hi Mounhim

    If you really want to do what you acquired, then you have to write your custom membership provider that inherits from the UmbracoMembershipProvider. Then you have to overwrite the password reset features (methods) as well as the update user profile properties methods to store the password answer in a hashed way.

