Some questions about implementing a forgot-password feature in asp.net mvc

Published 2024-10-28 23:08:16 | Words 480 | Views 0 | Comments 0

I want to implement a forgot-password feature in asp.net mvc that allows users to reset their password, and have some questions in this regard:

  1. Let's say that before allowing users to reset their password, I want to verify some extra information such as their first and last name. This info is not stored by default in the table created by aspnet_regsql. What is the recommended approach to address such issues? Should I store this kind of info in a separate table and use table joins to verify, OR should I modify the schema of the table generated by aspnet_regsql (how?) so that I don't have to use joins? Do I need to write a custom provider, OR would that not be necessary?

  2. I have read in places, e.g. in this post, that instead of emailing a temporary password, an alternative is to email a URL that, when clicked, allows users to change their password. How is this done? How do I ensure that the URL expires after 1 hour?


Comments (2)

回心转意 2024-11-04 23:08:16


I could write at length several answers to the questions you pose. There are too many to get into implementation detail, but I'll try to hit the points that I've kept in mind when designing sites. Basically, you can (and should) work with the Membership provider instead of working around it. It's a bit of work but possible to do all of the following using the providers and ASP.NET MVC.

  • Avoid accessing membership tables or executing membership stored procedures directly.
    1. Their structure and usage could differ in older or newer versions.
    2. The providers are already established to perform most tasks.
    3. LINQ and other framework methods help to do the rest.
  • For 'extra' information like names, use ASP.NET Profiles.
  • User email addresses should be unique.
  • Users should create their own accounts.
    1. Administrators shouldn't create new accounts directly.
    2. Passwords and security answers should only ever be known to the user.
    3. A generated key (in the form of a URL) should be sent to verify ownership of the given email address before account activation.
  • Implement a Security Question and Answer, which the Membership provider already supports.
    1. Provide good questions from which to choose.
    2. Don't force or trust users to think up a good question ad hoc.
    3. Question/answer can only be changed by knowing the current password.
  • Forgotten passwords
    1. Can be reset by correctly answering the security question.
    2. Can be reset by administrative action if security answer is also forgotten or account gets locked.
  • Resetting a password should mean:
    1. A generated temporary password is sent to the email address on the account. Temporary means:
      • A flag (a Profile value) is set to indicate that the user must set a new password after next login.
      • The password expires after a set amount of time.
    2. An administrator can reset a password, but should never know the password.
  • Lock account after too many failed password or security answer attempts.
    1. Failed attempts are already counted and configured within the provider.
    2. Optionally unlock account automatically after enough time has passed.

I'll expand this if I think of any more.

给妤﹃绝世温柔 2024-11-04 23:08:16


I don't know if this is the recommended approach, but you could create a separate table as you mentioned and then implement your own membership provider. That way, on a password reset, you can implement the additional functionality required.

For the second part:
I would generate a token; read about a variety of ways to generate it here. You can store the token with a date/time, email a link to the user with the token as part of the URL, and then, once the user clicks on it, check it against the amount of elapsed time.
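Added example, not code from the question or either answer: the "token stored with a date/time, sent as part of a URL" flow the second answer sketches, which also gives the first answer's "password expires after a set amount of time" a concrete form. It is plain C# with an in-memory dictionary standing in for the database table; the class name, method names and the example.invalid URL are assumptions chosen for illustration. The points a practitioner should take from it: the token comes from the OS CSPRNG, only its SHA-256 hash is stored so a copied table cannot be replayed, each token is single-use and revoked when a replacement is issued, and the clock is injected so the one-hour expiry can be exercised without waiting an hour. Note also that the emailed link proves control of the mailbox on file, which is a stronger check than first and last name, since anyone who knows the user can supply those.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the question or answers. In-memory stand-in for
// the "token + date/time" table the second answer describes; a real site would
// persist Entry rows in the database keyed by the hash. Names are illustrative.
public sealed class PasswordResetTokens
{
    private sealed class Entry
    {
        public string UserId;
        public DateTime ExpiresUtc;
    }

    // Keyed by SHA-256(token), never the token itself, so a copied table cannot
    // be used to reset anyone's password.
    private readonly Dictionary<string, Entry> _byHash = new Dictionary<string, Entry>();
    private readonly TimeSpan _lifetime;
    private readonly Func<DateTime> _utcNow;   // injected clock, so expiry is testable

    public PasswordResetTokens(TimeSpan lifetime, Func<DateTime> utcNow = null)
    {
        _lifetime = lifetime;
        _utcNow = utcNow ?? (() => DateTime.UtcNow);
    }

    // Issues a fresh token for the user and returns the raw value to put in the
    // emailed URL. Any earlier outstanding token for the same user is revoked.
    public string Issue(string userId)
    {
        foreach (var stale in _byHash.Where(kv => kv.Value.UserId == userId).Select(kv => kv.Key).ToList())
            _byHash.Remove(stale);

        var raw = new byte[32];                          // 256 bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw);
        string token = Base64Url(raw);

        _byHash[Hash(token)] = new Entry { UserId = userId, ExpiresUtc = _utcNow() + _lifetime };
        return token;
    }

    // Validates the token from the clicked URL. Succeeds at most once per token
    // and only before ExpiresUtc; both failure modes delete the entry.
    public bool Redeem(string token, out string userId)
    {
        userId = null;
        string key = Hash(token);
        Entry entry;
        if (!_byHash.TryGetValue(key, out entry))
            return false;                                // unknown or already used
        _byHash.Remove(key);                             // single use, whatever the outcome
        if (_utcNow() >= entry.ExpiresUtc)
            return false;                                // past the configured lifetime
        userId = entry.UserId;
        return true;
    }

    // The dictionary lookup on the hash is not constant-time, but learning
    // which stored hash a guess partially matched still leaves an attacker
    // needing a SHA-256 preimage to produce a usable token, so hashing removes
    // the need for a fixed-time compare on the token itself.
    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.ASCII.GetBytes(token))).Replace("-", "");
    }

    // URL-safe alphabet so the token survives being placed in a query string.
    private static string Base64Url(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static void Main()
    {
        // Constructed fixed clock; the lambda captures the variable so advancing it moves the store's time.
        DateTime clock = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);
        var store = new PasswordResetTokens(TimeSpan.FromHours(1), () => clock);

        string token = store.Issue("user-42");
        // example.invalid is a reserved, non-resolving host used here as a placeholder.
        Console.WriteLine("Email this link: https://example.invalid/Account/ResetPassword?token=" + token);

        string uid;
        Console.WriteLine(store.Redeem(token, out uid) && uid == "user-42");   // first use within the hour is accepted
        Console.WriteLine(store.Redeem(token, out uid));                       // a second use of the same token is rejected

        token = store.Issue("user-42");
        clock = clock.AddMinutes(61);                                          // move the injected clock past the lifetime
        Console.WriteLine(store.Redeem(token, out uid));                       // an expired token is rejected
    }
}
```

In an MVC controller the `Issue` call would sit behind the "forgot password" POST and `Redeem` behind the GET/POST pair for the reset form; keep the response to the first step identical whether or not the email exists, so the endpoint cannot be used to enumerate accounts, and only ever send the link to the address already on the account.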
