ASP.NET 会员更改密码不起作用
我有这段代码,用于在用户单击密码重置按钮时更改用户的密码(使用额外的代码登录 ELMAH,以便我可以尝试找出问题所在)。
这是在 ASP.NET MVC 2 中,使用标准的 aspnet 成员资格提供程序,具有如下所示的简单视图:
New Password: ______
Confirm Password: ______
[Reset] [Cancel]
此视图的路径为 /Account/Reset/guid,其中 guid 是用户的 id aspnet 会员数据库。
代码的关键部分是调用 user.ChangePassword() 的地方。您可以看到成功时它会记录一条消息。问题是,对于某些用户来说,会记录成功消息,但他们无法使用新密码登录。对于其他用户,它会记录成功消息,他们可以登录。
if (user.ChangePassword(pwd, confirmPassword))
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - changed successfully!"));
return Json(new {
Msg = "You have reset your password successfully." },
JsonRequestBehavior.AllowGet);
}
完整的代码清单是:
[HttpPost]
public JsonResult ResetPassword(string id, string newPassword, string confirmPassword)
{
ErrorSignal.FromCurrentContext().Raise(new Exception("ResetPassword started for " + id));
ViewData["PasswordLength"] = Membership.MinRequiredPasswordLength;
if (string.IsNullOrWhiteSpace(newPassword))
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - new password was blank."));
ModelState.AddModelError("_FORM", "Please enter a new password.");
return Json(new { Errors = ModelState.Errors() }, JsonRequestBehavior.AllowGet);
}
if (newPassword.Length < Membership.MinRequiredPasswordLength)
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - new password was less than minimum length."));
ModelState.AddModelError("_FORM",
string.Format("The password must be at least {0} characters long.",
Membership.MinRequiredPasswordLength));
return Json(new { Errors = ModelState.Errors() }, JsonRequestBehavior.AllowGet);
}
if (string.IsNullOrWhiteSpace(confirmPassword))
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - confirm password was blank."));
ModelState.AddModelError("_FORM",
"Please enter the same new password in the confirm password textbox.");
return Json(new { Errors = ModelState.Errors() }, JsonRequestBehavior.AllowGet);
}
if (confirmPassword.Length < Membership.MinRequiredPasswordLength)
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - confirm password was less than minimum length."));
ModelState.AddModelError("_FORM",
string.Format("The password must be at least {0} characters long.",
Membership.MinRequiredPasswordLength));
return Json(new { Errors = ModelState.Errors() }, JsonRequestBehavior.AllowGet);
}
if (confirmPassword != newPassword)
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - new password did not match the confirm password."));
ModelState.AddModelError("_FORM", "Please enter the same password again.");
return Json(new { Errors = ModelState.Errors() }, JsonRequestBehavior.AllowGet);
}
bool isMatch = ValidationHelper.IsGUID(id);
if (string.IsNullOrWhiteSpace(id) || !isMatch)
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - id was not a guid."));
ModelState.AddModelError("_FORM", "An invalid ID value was passed in through the URL");
}
else
{
//ID exists and is kosher, see if this user is already approved
//Get the ID sent in the querystring
Guid userId = new Guid(id);
try
{
//Get information about the user
MembershipUser user = Membership.GetUser(userId);
if (user == null)
{
//could not find the user
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - could not find user by id " + id));
ModelState.AddModelError("_FORM",
"The user account can not be found in the system.");
}
else
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - user is " + user.UserName));
string pwd = user.ResetPassword();
if (user.ChangePassword(pwd, confirmPassword))
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - changed successfully!"));
return Json(new {
Msg = "You have reset your password successfully." },
JsonRequestBehavior.AllowGet);
}
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword
- failed to change the password, for an unknown reason"));
}
}
catch (Exception ex)
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword: " + ex));
return Json(new { Error = ex.Message + " -> "
+ ex.InnerException.Message }, JsonRequestBehavior.AllowGet);
}
}
return Json(new { Errors = ModelState.Errors() }, JsonRequestBehavior.AllowGet);
}
编辑:添加赏金以尝试解决此问题。这是我的问题列表中最烦人的问题之一,我不知道如何继续。
I have this code for changing a user's password when they click the password reset button (with extra code to log to ELMAH so I can try to figure out what is going wrong).
This is in ASP.NET MVC 2, using the standard aspnet membership provider, with a simple View like this:
New Password: ______
Confirm Password: ______
[Reset] [Cancel]
The route to this view is /Account/Reset/guid, where guid is the user's id in the aspnet membership database.
The key portion of the code is where it calls user.ChangePassword(). You can see that it logs a message when successful. The problem is that for some users, the success message is logged, but they can not log in with the new password. For other users it logs the success message and they can log in.
if (user.ChangePassword(pwd, confirmPassword))
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - changed successfully!"));
return Json(new {
Msg = "You have reset your password successfully." },
JsonRequestBehavior.AllowGet);
}
The full code listing is:
[HttpPost]
public JsonResult ResetPassword(string id, string newPassword, string confirmPassword)
{
ErrorSignal.FromCurrentContext().Raise(new Exception("ResetPassword started for " + id));
ViewData["PasswordLength"] = Membership.MinRequiredPasswordLength;
if (string.IsNullOrWhiteSpace(newPassword))
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - new password was blank."));
ModelState.AddModelError("_FORM", "Please enter a new password.");
return Json(new { Errors = ModelState.Errors() }, JsonRequestBehavior.AllowGet);
}
if (newPassword.Length < Membership.MinRequiredPasswordLength)
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - new password was less than minimum length."));
ModelState.AddModelError("_FORM",
string.Format("The password must be at least {0} characters long.",
Membership.MinRequiredPasswordLength));
return Json(new { Errors = ModelState.Errors() }, JsonRequestBehavior.AllowGet);
}
if (string.IsNullOrWhiteSpace(confirmPassword))
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - confirm password was blank."));
ModelState.AddModelError("_FORM",
"Please enter the same new password in the confirm password textbox.");
return Json(new { Errors = ModelState.Errors() }, JsonRequestBehavior.AllowGet);
}
if (confirmPassword.Length < Membership.MinRequiredPasswordLength)
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - confirm password was less than minimum length."));
ModelState.AddModelError("_FORM",
string.Format("The password must be at least {0} characters long.",
Membership.MinRequiredPasswordLength));
return Json(new { Errors = ModelState.Errors() }, JsonRequestBehavior.AllowGet);
}
if (confirmPassword != newPassword)
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - new password did not match the confirm password."));
ModelState.AddModelError("_FORM", "Please enter the same password again.");
return Json(new { Errors = ModelState.Errors() }, JsonRequestBehavior.AllowGet);
}
bool isMatch = ValidationHelper.IsGUID(id);
if (string.IsNullOrWhiteSpace(id) || !isMatch)
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - id was not a guid."));
ModelState.AddModelError("_FORM", "An invalid ID value was passed in through the URL");
}
else
{
//ID exists and is kosher, see if this user is already approved
//Get the ID sent in the querystring
Guid userId = new Guid(id);
try
{
//Get information about the user
MembershipUser user = Membership.GetUser(userId);
if (user == null)
{
//could not find the user
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - could not find user by id " + id));
ModelState.AddModelError("_FORM",
"The user account can not be found in the system.");
}
else
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - user is " + user.UserName));
string pwd = user.ResetPassword();
if (user.ChangePassword(pwd, confirmPassword))
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword - changed successfully!"));
return Json(new {
Msg = "You have reset your password successfully." },
JsonRequestBehavior.AllowGet);
}
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword
- failed to change the password, for an unknown reason"));
}
}
catch (Exception ex)
{
ErrorSignal.FromCurrentContext().Raise(
new Exception("ResetPassword: " + ex));
return Json(new { Error = ex.Message + " -> "
+ ex.InnerException.Message }, JsonRequestBehavior.AllowGet);
}
}
return Json(new { Errors = ModelState.Errors() }, JsonRequestBehavior.AllowGet);
}
Edit: Adding a bounty to try to get this solved. This is one of the most annoying problems on my issue list, and I have no idea how to proceed.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(10)
如果用户需要重置密码,则他们的帐户有可能因多次无效尝试而被锁定。如果是这种情况,则密码重置成功,但在锁定条件清除之前用户无法登录。
尝试检查 MembershipUser.IsLockedOut:
编辑
您是否还检查了IsApproved?如果用户的设置为
false,则身份验证将失败。另外,假设默认的成员资格提供程序是指 SqlMembershipProvider,您可以对数据库运行以下查询并确保一切看起来正确吗?
在尝试登录之前尝试执行查询,以验证
IsApproved和IsLockedOut是否正常。另请注意FailedPasswordAttemptCount的值。尝试登录,然后再次运行查询。如果登录失败,
FailedPasswordAttemptCount的值是否会增加?您还可以查看 aspnet_Membership 表中的
PasswordFormat并根据您使用的格式确保它是正确的值(0 表示清除,1 表示散列,2 表示加密)。If the user needs to reset his password, there is a chance their account has been locked out from too many invalid attempts. If this is the case, then the password is being reset successfully, but the user cannot log in until the lockout condition is cleared.
Try checking MembershipUser.IsLockedOut:
Edit
Did you also check IsApproved? Authentication will fail is this is
falsefor the user.Also, assuming by default membership provider, you mean the SqlMembershipProvider, can you run the following query against your database and make sure everything looks correct?
Try executing the query before attempting to sign in to verify
IsApprovedandIsLockedOutare ok. Also note the value forFailedPasswordAttemptCount.Try signing in, and then run the query again. If signin fails, has the value for
FailedPasswordAttemptCountbeen incremented?You could also look at
PasswordFormatin the aspnet_Membership table and make sure it is the correct value depending on the format you are using (0 for Clear, 1 for Hashed, and 2 for Encrypted).嗯,我一直使用它
,我从来没有遇到过它返回 true 并且密码未正确更改的问题。
据我所知,您的代码看起来不错。里面充满了 Elmah 的噪音,很难跟上。 (您可能想要删除它或用简单的日志调用替换它,以便更容易理解)。
验证您作为参数传递的字符串 ID 是否与目标用户的 UserId 相对应。您可能会从其他用户发送 userId 并更改该用户的密码。
Hmm, I've always used
I've never had an issue with it returning true and the password not being changed correctly.
As fas as I can tell your code looks ok. It is difficult to follow, with all the Elmah noise in there. (you might want to remove it or replace with a simple log call so it's easier to follow).
Verify that the string id that you pass as an argument corresponds to the UserId of the intended user. You might be sending the userId from some other user and changing that users password instead.
已编辑 - 以下答案是错误的,请参阅评论
那么等等,您是否想通过 Guid 来查找某人?通过这样做,
您实际上正在创建一个保证唯一的 ID。所以我的猜测是你永远找不到用户并且你正在为任何人成功重置密码。不可以直接通过你传入的id参数来查找吗?
Edited - following answer is false see comments
So wait are you trying to locate someone by a Guid? By doing
You are practically creating a guaranteed to be unique ID. So my guess is you are never finding a user and you are resetting a password successfully for nobody. Can you not just find them by the id parameter you pass in?
这对我有用:
This works for me:
我想知道问题是否在于您在更改密码之前重置了密码。在不深入了解 Membership 类的所有内部结构的情况下,您可以尝试在这两个命令之间添加某种延迟吗?
I wonder if the problem is that you are resetting the password right before you change it. Without getting into all of the internals of the Membership class, could you try putting in some kind of delay between those two commands?
您使用的是哪个 MemberShipProvider?每个用户都一样吗?例如,如果您使用 SqlMembershipProvider 并将enablePasswordReset 设置为 false,它将悄悄地无法更新密码。在本例中,ChangePassword 返回 true,就好像一切顺利一样。
Which MemberShipProvider are you using? Is it the same for every user? For instance, if you use SqlMembershipProvider and set enablePasswordReset to false, it will quietly fail to update the password. ChangePassword, in this case, returns true as if everything went fine.
如果您使用基于内置 SQLServer 的提供程序,请查看您的 SQL 存储过程。这就是我的默认过程:
如您所见,更新语句可能完全失败,并且存储过程可能返回 true。我认为这就是您的错误可能来自的地方。可能是锁定问题...
If you are using the built-in SQLServer based providers take a look at your SQL Stored procs. This is what my default proc looks like:
As you can see the update statement could totally fail and the stored proc could return true. I think this is where your errors are probably coming from. Could be locking issues...
嗯,这当然是一件有趣的事情。 “它对某些人有效,对其他人无效”部分确实很奇怪。
这是间歇性问题,还是某些用户总是发生,而其他用户总是不发生?
这里的其他人之一建议运行 ValidateUser(username, newPassword) 来确认用户可以在假设成功之前正确进行身份验证。
你试过这个吗?您可以不断循环,重置+更改密码,直到 ValidateUser 成功,也许在 N 次失败后退出。
注意:这不适用于生产,仅用于测试以查看是否可以解决问题。
Well this is certainly an interesting one. The "it works for some, not for others" part is really bizarre.
Is this an intermittent problem, or does it always occur for certain users, and always not occur for other users?
One of the other people here suggested running
ValidateUser(username, newPassword)to confirm that the user could properly authenticate before assuming success.Have you tried this? You could continuously loop, resetting + changing the password until ValidateUser is successful, perhaps exiting after N failures.
Note: This is not for use in production, just for testing to see if this resolves the problem.
您使用的是 1 个网络服务器还是多个网络服务器?对于多个服务器,用于加密密码的机器密钥可能在所有服务器上都不相同。
Are you using 1 webserver or multiple webservers? With multiple servers it could be that the machinekey used for encrypting the password is not the same on al servers.
您的主要 catch 块本身是否会引发您没有注意到的异常?
ex.InnerException.Message 语句不安全,因为它可能引发 NullReferenceException。
Could your main catch block be throwing an exception itself that you haven't noticed?
The ex.InnerException.Message statement is not safe because it could throw a NullReferenceException.