Implementing password reset link in asp.net

Suggested Videos
Part 92 - Forms authentication against users in database table
Part 93 - Forms authentication and locking user accounts
Part 94 - Unlocking the locked user accounts



Step 1:
The first step is to design a page, that allows the user to enter their user name, for requesting, the reset of the password. Add a webform , with name "ResetPassword.aspx" to the "Registration" folder. The web.config file in this folder, allows anonymous access to all the pages without having the need to login. We discussed about having multiple web.config files and allowing anonymous access to a set of pages in Part 91 of this video series. Click here to watch Part 91, before proceeding.



Step 2:
Copy and paste the following HTML on "ResetPassword.aspx" page.
<div style="font-family:Arial">
    <table style="border: 1px solid black; width:300px">
        <tr>
            <td colspan="2">
                <b>Reset my password</b>
            </td>
        </tr>
        <tr>
            <td>
                User Name
            </td>    
            <td>
                <asp:TextBox ID="txtUserName" Width="150px" runat="server">
                </asp:TextBox>
            </td>    
        </tr>
        <tr>
            <td>
                    
            </td>    
            <td>
                <asp:Button ID="btnResetPassword" runat="server" 
                Width="150px" Text="Reset Password" onclick="btnResetPassword_Click" />
            </td>    
        </tr>
        <tr>
            <td colspan="2">
                <asp:Label ID="lblMessage" runat="server"></asp:Label>
            </td>    
        </tr>
    </table>
</div>

Step 3:
Create a table "tblResetPasswordRequests" in sql server. This table is going to store a unique GUID (Globally Unique Identifier) along with the user id, each time a user requests a password recovery. This GUID will then be passed as part of the querystring in the link to the password reset page. This link will then be emailed to the email address that is associated with the user id. When a user clicks on the link the page will look up the GUID in "tblResetPasswordRequests" table and get the user id from there allowing the user to change their password. I didn't use, UserId, as the querystring parameter, because it maybe open to abuse.

Create table tblResetPasswordRequests
(
Id UniqueIdentifier Primary key,
UserId int Foreign key references tblUsers(Id),
ResetRequestDateTime DateTime
)

Step 4:
Create a stored procedure to check if the username exists, and to insert a row into "tblResetPasswordRequests" table.
Create proc spResetPassword
@UserName nvarchar(100)
as
Begin
Declare @UserId int
Declare @Email nvarchar(100)

Select @UserId = Id, @Email = Email 
from tblUsers
where UserName = @UserName

if(@UserId IS NOT NULL)
Begin
--If username exists
Declare @GUID UniqueIdentifier
Set @GUID = NEWID()

Insert into tblResetPasswordRequests
(Id, UserId, ResetRequestDateTime)
Values(@GUID, @UserId, GETDATE())

Select 1 as ReturnCode, @GUID as UniqueId, @Email as Email
End
Else
Begin
--If username does not exist
SELECT 0 as ReturnCode, NULL as UniqueId, NULL as Email
End
End

Step 5:
Invoke the stored procedure and email the link, to the email address that is registered against the username. Copy and paste the following code in ResetPassword.aspx.cs page.

protected void btnResetPassword_Click(object sender, EventArgs e)
{
    string CS = ConfigurationManager.ConnectionStrings["DBCS"].ConnectionString;
    using (SqlConnection con = new SqlConnection(CS))
    {
        SqlCommand cmd = new SqlCommand("spResetPassword", con);
        cmd.CommandType = CommandType.StoredProcedure;

        SqlParameter paramUsername = new SqlParameter("@UserName", txtUserName.Text);

        cmd.Parameters.Add(paramUsername);

        con.Open();
        SqlDataReader rdr = cmd.ExecuteReader();
        while (rdr.Read())
        {
            if (Convert.ToBoolean(rdr["ReturnCode"]))
            {
                SendPasswordResetEmail(rdr["Email"].ToString(), txtUserName.Text, rdr["UniqueId"].ToString());
                lblMessage.Text = "An email with instructions to reset your password is sent to your registered email";
            }
            else 
            {
                lblMessage.ForeColor = System.Drawing.Color.Red;
                lblMessage.Text = "Username not found!";
            }
        }
    }
}

private void SendPasswordResetEmail(string ToEmail, string UserName, string UniqueId)
{
    // MailMessage class is present is System.Net.Mail namespace
    MailMessage mailMessage = new MailMessage("YourEmail@gmail.com", ToEmail);
            
            
    // StringBuilder class is present in System.Text namespace
    StringBuilder sbEmailBody = new StringBuilder();
    sbEmailBody.Append("Dear " + UserName + ",<br/><br/>");
    sbEmailBody.Append("Please click on the following link to reset your password");
    sbEmailBody.Append("<br/>");      sbEmailBody.Append("http://localhost/WebApplication1/Registration/ChangePassword.aspx?uid=" + UniqueId);
    sbEmailBody.Append("<br/><br/>");
    sbEmailBody.Append("<b>Pragim Technologies</b>");

    mailMessage.IsBodyHtml = true;

    mailMessage.Body = sbEmailBody.ToString();
    mailMessage.Subject = "Reset Your Password";
    SmtpClient smtpClient = new SmtpClient("smtp.gmail.com", 587);

    smtpClient.Credentials = new System.Net.NetworkCredential()
    {
        UserName = "YourEmail@gmail.com",
        Password = "YourPassword"
    };
            
    smtpClient.EnableSsl = true;
    smtpClient.Send(mailMessage);
}

Step 6:
Add a webform with name, "ChangePassword.aspx", to "Registration" folder. Copy and paste the following HTML in the aspx page. In the next video session we will implement ChangePassword page.
<h1>Change Password Page</h1>

No comments