c# - Password Recovery without sending password via email


So, I'm playing with asp:PasswordRecovery and I've found that I really don't like it, for several reasons:

1) Alice's password can be reset by someone without access to Alice's email. A security question for the password reset mitigates this, but does not really satisfy me.

2) Alice's new password is sent to her in cleartext. I would rather send her a special link to my page (for example, a page like example.com/recovery.aspx?P=lfaj0831uefjc), which will allow her to change her password.

I think I can do this by creating some kind of table of password-recovery pages with an expiry, and having those pages reset the password. Either way, these pages would have to change the user's password behind the scenes (e.g. resetting the password manually and then using the new password to change it to the one the user chose, since the password can't be changed without the old one). I'm sure others have run into this problem before, and this kind of solution strikes me as a little hacky; is there a better way of doing this?

An ideal solution would not violate encapsulation by accessing the database directly, but would rather use the existing stored procedures in the database ... though that may not be possible.


I'm currently implementing this in an open-source project on Spring + Spring Security, and here's how I was going to do it:

  • A temporary "reset code" is generated and linked to the account, and emailed to the user embedded in a hyperlink.
  • Upon receiving the email, the user clicks the link, which takes them to a page to enter their new password.
  • Before accepting the new password, the reset code (from the link) is checked against the cached code, to ensure that it is correct and its timeout has not expired.
  • This avoids sending a password (in plain text) in an email message. It also protects a person's password against someone who resets it as a nuisance, because the password is only changed after the link is used.

    But it relies on the security of the user's email account, and of the email in transit. For some applications, this is probably an unacceptable risk.

    The second piece of the equation is that you have to be really careful about changing the user's registered email address. At the very least, the user must re-enter their current password with the request to change the address ... to avoid hijacking via login sessions that were inadvertently left open.
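The flow described in the answer above, as an added C# example that is not part of the original question or answer. It assumes an in-memory dictionary standing in for the expiry table, a stub user store standing in for the ASP.NET MembershipProvider, and a clock passed in as a delegate so expiry can be exercised; the email step is replaced by returning the link to the caller. The reset table stores only a SHA-256 hash of the code, so a leaked copy of the table cannot be used to reset anyone's password, and a code is removed on first use so the link cannot be replayed.

```csharp
// Added example: token-based password reset with expiry and single use.
// Not from the original page; the store, clock and URL are assumptions.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class PasswordResetService
{
    // Hypothetical user store; in ASP.NET Membership this would be the provider.
    private readonly Dictionary<string, string> _passwordByUser = new();
    // Pending resets keyed by SHA-256 of the code, so the table never holds a usable code.
    private readonly Dictionary<string, (string User, DateTime Expires)> _pending = new();
    private readonly TimeSpan _ttl;
    private readonly Func<DateTime> _now;

    public PasswordResetService(TimeSpan ttl, Func<DateTime> now)
    {
        _ttl = ttl;
        _now = now;
    }

    public void AddUser(string user, string password) => _passwordByUser[user] = password;

    public bool CheckPassword(string user, string password) =>
        _passwordByUser.TryGetValue(user, out var stored) && stored == password;

    // Step 1: generate a random one-time code, store only its hash with an expiry,
    // and return the link that would be emailed to the user.
    public string? CreateResetLink(string user)
    {
        // Unknown user: return null; the page should show the same message either way.
        if (!_passwordByUser.ContainsKey(user)) return null;

        byte[] raw = RandomNumberGenerator.GetBytes(32);          // 256 bits of entropy
        string code = Convert.ToBase64String(raw)                   // URL-safe encoding
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _pending[Hash(code)] = (user, _now() + _ttl);
        return "https://example.com/recovery.aspx?p=" + code;      // assumed URL
    }

    // Steps 2-3: the page posts the code from the link plus the new password.
    // The code must exist and be unexpired; it is consumed whether or not it is valid.
    public bool CompleteReset(string code, string newPassword)
    {
        string key = Hash(code);
        if (!_pending.TryGetValue(key, out var entry)) return false;
        _pending.Remove(key);                                       // single use
        if (_now() > entry.Expires) return false;                  // expired link
        _passwordByUser[entry.User] = newPassword;                  // password changes only here
        return true;
    }

    private static string Hash(string code) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(code)));
}

public static class Demo
{
    public static void Main()
    {
        var clock = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);   // constructed clock
        var svc = new PasswordResetService(TimeSpan.FromMinutes(30), () => clock);
        svc.AddUser("alice", "old-password");

        // Issue a link, then simulate the user following it with a new password.
        string link = svc.CreateResetLink("alice")!;
        string code = link.Substring(link.IndexOf("?p=", StringComparison.Ordinal) + 3);
        Console.WriteLine("first use accepted: " + svc.CompleteReset(code, "new-password"));
        Console.WriteLine("replay accepted:    " + svc.CompleteReset(code, "attacker-password"));
        Console.WriteLine("new password works: " + svc.CheckPassword("alice", "new-password"));

        // Issue another link, let the TTL elapse, and confirm it is refused.
        link = svc.CreateResetLink("alice")!;
        code = link.Substring(link.IndexOf("?p=", StringComparison.Ordinal) + 3);
        clock = clock.AddHours(1);
        Console.WriteLine("expired accepted:   " + svc.CompleteReset(code, "late-password"));
    }
}
```

Two design points worth noting against the question's concerns. The user's existing password is never touched until the link is actually used, which is what removes the nuisance-reset problem, and nothing about the current password is needed to complete the reset, so there is no need for the "reset, then ChangePassword with the temporary password" dance the question describes. In a real ASP.NET Membership deployment the password write would go through the provider rather than a dictionary, and the table lookup should be done by the hashed code exactly as here, so a stolen table dump does not hand out live links.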

