C# 我应该如何在 ASP.NET MVC 中实现“忘记密码”?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1316826/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How should I implement "Forgot your password" in ASP.NET MVC?
提问by
I'm using the standard SqlMembershipProvider that comes with the ASP.NET MVC demo.
我正在使用 ASP.NET MVC 演示附带的标准 SqlMembershipProvider。
I'm interested in implementing a "Forgot your password" link on my site.
我有兴趣在我的网站上实施“忘记密码”链接。
What is the correct way for this feature to be implemented? Should I overwrite the password with a temporary one and email it to their registered email?
实现此功能的正确方法是什么?我应该用临时密码覆盖密码并将其通过电子邮件发送到他们的注册电子邮件吗?
回答by Kevin LaBranche
The provider will automatically do the reset for you:
提供商将自动为您进行重置:
http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.resetpassword.aspx
http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.resetpassword.aspx
The sample just returns the new password to the browser instead of emailing the user but uses the secret question / answer that can be configured with the provider.
该示例只是将新密码返回给浏览器,而不是通过电子邮件发送给用户,而是使用可以通过提供程序配置的秘密问题/答案。
This sample gets the password and emails it:
此示例获取密码并通过电子邮件发送给它:
http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.getpassword.aspx
http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.getpassword.aspx
I think either approach is safe. The email it step is a bit safer since the user will have to know the question/answer and email password to hack an account.
我认为这两种方法都是安全的。电子邮件 it 步骤更安全一些,因为用户必须知道问题/答案和电子邮件密码才能破解帐户。
I realize these samples are not using MVC but I am sure it's enough to get you going. :)
我意识到这些示例没有使用 MVC,但我相信它足以让您继续前进。:)
回答by Rasik Jain
Based on the nature of the application, the Best practice for the forgot password should be in following order
根据应用程序的性质,忘记密码的最佳实践应按以下顺序进行
- Allow the user to verify the Secret/Questionfor a maximum of 3 to 5 attempts
- On successful validation, Send an e-mail with random generated passwordwith a validity of 24hrs.
- The e-mail must contain only the passwordbut not both username/password.
- When user logs in with temporary password, then user must be forced to create a new passwordbefore going to home page.
- 允许用户验证秘密/问题最多 3 到 5 次尝试
- 验证成功后,使用随机生成的密码发送电子邮件,密码有效期为 24 小时。
- 电子邮件必须仅包含密码,但不能同时包含用户名/密码。
- 当用户使用临时密码登录时,在进入主页之前必须强制用户创建一个新密码。
回答by ChrisFox
Surely it is better to email the user a link with some sort of impossible to guess URL (say containing a random Guid. When the user clicks the URL they are able to reset the password. The URL should be good for one use only, and should expire after a set time.
当然,最好通过电子邮件向用户发送带有某种无法猜测的 URL 的链接(例如包含随机 Guid。当用户单击 URL 时,他们能够重置密码。该 URL 应该仅供一次使用,并且应该在设定的时间后到期。
回答by Ihtsham Minhas
It depend what type of membership provider you are using. But I will recommend using simple membership provider for authentication for more detail please visit the following link
这取决于您使用的会员提供商类型。但我会建议使用简单的会员提供程序进行身份验证以获取更多详细信息, 请访问以下链接
Here is some code for you
这是给你的一些代码
[HttpPost]
[AllowAnonymous]
public ActionResult ForgotPassword(ForgotPasswordModel model)
{
.
.
.
.
if (WebSecurity.UserExists(model.UserName))
{
var token = WebSecurity.GeneratePasswordResetToken(model.UserName, 60);
.
.
.
.
// send this token by email
}
else
{
ModelState.AddModelError("", "Could not find User");
}
}
return View(model);
}
[HttpPost]
public ActionResult ResetPassword( ResetPasswordModel model)
{
string token = Request.Params["token"];
if (!string.IsNullOrEmpty(token))
{
if (WebSecurity.ResetPassword(token, model.NewPassword))
{
// send email…….. or
return View();
}
}
