
  • Ken Mark 82 posts 94 karma points
    Nov 19, 2009 @ 10:40
    Ken Mark
    0

    Password Reset with hashed password

    Hello!

    I am having a lot of trouble implementing a successful password reset when using hashed passwords. Clear text is not an option for me.

    Has anyone a working solution? Would be greatly appreciated.

     

  • Simon Dingley 1474 posts 3431 karma points c-trib
    Nov 19, 2009 @ 10:51
    Simon Dingley
    0

    Have you checked if the provider has implemented it correctly?

  • Tim 225 posts 690 karma points
    Nov 19, 2009 @ 11:42
    Tim
    0

    Umbraco appears (happy to be corrected if I'm wrong) to have a bug in its Membership provider where hashed passwords are somehow corrupted (possibly hashed twice??) by the ResetPassword function. Therefore the password which is returned is incorrect.

    It works perfectly with clear passwords, so it feels like it's a problem with the hashing method.

    Tim

     

     

  • Tim 225 posts 690 karma points
    Nov 19, 2009 @ 11:55
    Tim
    0

    Here is a codeplex work item which I think describes the problem.

    Tim

  • Tim 225 posts 690 karma points
    Nov 19, 2009 @ 13:40
    Tim
    0

    I have submitted a patch for this (ID:4475) - hopefully it'll get incorporated in the next release.

    Tim

  • Tim 225 posts 690 karma points
    Nov 19, 2009 @ 13:44
    Tim
    0

    I've also found this post on a workaround that you can use now.

    http://our.umbraco.org/forum/developers/extending-umbraco/2641-Password-Reset-saving-incorrect-password

    Tim

  • Ken Mark 82 posts 94 karma points
    Nov 19, 2009 @ 14:12
    Ken Mark
    0

    I finally came up with a solution of my own. Thanks to two posts (this and this) which pointed me in the right direction. With the hash bug still being around I don't think it's possible to do it in another way.

    On the OnSendingMail event I'm setting the password directly on the Member object, which seems to be the only way to make it right.

    The OnVerifyingUser is there because I want my users to enter their email instead of their username. It's easier to remember.

    The text strings are in Swedish; if you need translation I could help you ;)

     

    <script runat="server">
        // Lets members enter their e-mail address instead of their login name.
        protected void PasswordRecovery1_VerifyingUser(object sender, LoginCancelEventArgs e)
        {
            umbraco.cms.businesslogic.member.Member currentMember =
                umbraco.cms.businesslogic.member.Member.GetMemberFromEmail(PasswordRecovery1.UserName);

            if (currentMember != null && currentMember.Id > 0)
            {
                PasswordRecovery1.UserName = currentMember.LoginName;
            }
            else
            {
                Literal errorText = (Literal)PasswordRecovery1.UserNameTemplateContainer.FindControl("FailureText");
                errorText.Text = "E-postadressen kunde inte hittas";
                e.Cancel = true;
            }
        }

        // Reads the generated password back out of the outgoing mail and sets it
        // directly on the Member object, working around the ResetPassword hash bug.
        protected void PasswordRecovery1_SendingMail(object sender, MailMessageEventArgs e)
        {
            string newPassword = "";
            Regex rgxLines = new Regex("\n");
            string[] arrSegments = rgxLines.Split(e.Message.Body);

            for (int i = 0; i < arrSegments.Length; i++)
            {
                int labelStart = arrSegments[i].IndexOf("Password: ");
                if (labelStart >= 0)
                {
                    // Take the rest of the line after the label; Trim() removes the "\r" left by splitting on "\n".
                    newPassword = arrSegments[i].Substring(labelStart + 10).Trim();
                    break;
                }
            }

            umbraco.cms.businesslogic.member.Member currentMember =
                umbraco.cms.businesslogic.member.Member.GetMemberFromLoginName(PasswordRecovery1.UserName);

            if (currentMember != null && currentMember.Id > 0)
            {
                // Only overwrite the stored password if one was actually found in the mail body.
                if (newPassword.Length > 0)
                {
                    currentMember.Password = newPassword;
                    currentMember.Save();
                }
                HyperLink btnLogin = (HyperLink)PasswordRecovery1.SuccessTemplateContainer.FindControl("btnLogin");
                btnLogin.NavigateUrl = umbraco.library.NiceUrl(1161);
            }
        }
    </script>

        <asp:PasswordRecovery runat="server" id="PasswordRecovery1" OnSendingMail="PasswordRecovery1_SendingMail"
            OnVerifyingUser="PasswordRecovery1_VerifyingUser">
            <usernametemplate>
             <div style='width:300px;'>
                <div>
                    Ange din e-postadress för kontot. Ett nytt lösenord kommer att skickas till dig som du
                sedan kan ändra till något som du lättare kommer ihåg.
                </div>
                <div class="fields" style='margin-top:20px;'>
                E-post: <asp:textbox runat="server" id="UserName" CssClass="loginLightBox_username"></asp:textbox>
                <asp:requiredfieldvalidator runat="server" controltovalidate="UserName"
                 errormessage="E-post" id="UserNameRequired">*</asp:requiredfieldvalidator>
                </div>
                <div class="fields" style='color:red;'>
                <asp:literal runat="server" id="FailureText" EnableViewState="False"></asp:literal>
                </div>
                <div class="fields" style='margin-top:20px;'>
                <asp:button runat="server" commandname="Submit" text="Submit" id="Button"></asp:button>
                </div>
            </div>
        </usernametemplate> 
        <SuccessTemplate>
            <div style='margin-bottom:20px;'>Ett nytt lösenord har skickats till dig!</div>
            <asp:HyperLink id="btnLogin" runat="server" Text="Logga in" />
        </SuccessTemplate>
        </asp:PasswordRecovery>
  • Ken Mark 82 posts 94 karma points
    Nov 19, 2009 @ 14:23
    Ken Mark
    0

    I saw your post after I posted mine, so there seems to be at least three solutions to the problem then.

    1. Patch
    2. Overriding the UmbracoMembershipProvider
    3. Set password manually in the OnSendingMail event

     

  • Fredrik Esseen 610 posts 906 karma points
    Nov 17, 2010 @ 15:27
    Fredrik Esseen
    0

    I tried your code, Kenneth, but got this answer:

    Membership provider does not support password retrieval or reset.

    Is this because I use hashed passwords?

  • Fredrik Esseen 610 posts 906 karma points
    Nov 17, 2010 @ 15:32
    Fredrik Esseen
    0

    Arrgh!

    Ignore post..

    enablePasswordReset=true in web.config..
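
The setting from the last post in context, as an added example (not taken from the thread or from Umbraco's shipped files): a `web.config` membership section for hashed passwords. The `type` and `defaultMemberTypeAlias` values are assumptions about a typical Umbraco 4 install; the other attributes are standard ASP.NET membership provider settings.

```xml
<!-- Added example: goes inside <system.web> in web.config. -->
<membership defaultProvider="UmbracoMembershipProvider" userIsOnlineTimeWindow="15">
  <providers>
    <clear />
    <!--
      passwordFormat="Hashed"
          Only a one-way hash is stored, so the original password cannot be read back.
      enablePasswordRetrieval="false"
          Must stay false with hashed passwords: there is nothing to retrieve,
          recovery can only issue a new password.
      enablePasswordReset="true"
          Needed by the asp:PasswordRecovery control. With "false" the control fails
          with "Membership provider does not support password retrieval or reset."
      requiresQuestionAndAnswer="false"
          No security question step; the control above only defines a user name template.
      type / defaultMemberTypeAlias
          Assumed values, replace with the ones from your own installation.
    -->
    <add name="UmbracoMembershipProvider"
         type="umbraco.providers.members.UmbracoMembershipProvider"
         passwordFormat="Hashed"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         defaultMemberTypeAlias="Member" />
  </providers>
</membership>
```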
