Portal Engine Questions on portal engine and web parts.
Version 5.x > Portal Engine > Forgotten password keeps old password
Member
jasonlancester-gmail - 10/11/2010 9:14:29 PM
   
Forgotten password keeps old password
I'm trying to configure and set up an authentication scheme for a site and the forgotten password option sends a new password in an email but the new password doesn't work while the old one does.

I've tried overriding the UserInfoProvider.ForgottenEmailRequest method but I'm not sure if I'm doing it right. The same thing happens, it's like the SetPassword method call doesn't actually set the password and keeps the old one.

Member
kentico_michal - 10/12/2010 2:32:39 AM
   
RE:Forgotten password keeps old password
Hi,

Please keep in mind that UserInfoProvider.ForgottenEmailRequest does not generate a new password; it just sends an email with the current password.

To send an email with a new one, you need to generate it first.
This can be done with the UserInfoProvider.GenerateNewPassword() method. It returns the new password in string format.

Then you need to set this password for the specified user; please use the
UserInfoProvider.SetPassword(UserInfo, string) method to do so.

After that you can call the UserInfoProvider.ForgottenEmailRequest method, which just sends the new current password that you set in the previous step.

More information about these methods can be found in the API reference:
http://devnet.kentico.com/downloads/kenticocms_api.zip

Best regards,
Michal Legen

Member
jasonlancester-gmail - 10/12/2010 8:22:59 AM
   
RE:Forgotten password keeps old password
First of all, it doesn't send their current password in the email, it sends a string like 'E}-8$6'.

Furthermore, the passwords for this site are supposed to be hashed so how is it supposed to send them their current password? The whole point is to send them a new password that they have to use to log in with from that point on.

Member
kentico_michal - 10/14/2010 9:34:00 AM
   
RE:Forgotten password keeps old password
Hi,

I am really sorry for the confusion. The UserInfoProvider.ForgottenEmailRequest method does generate the new password without using the GenerateNewPassword and SetPassword methods and sends it to the user whose e-mail or username equals the userIdent parameter, as you can see in the following definition of this method:
public static string ForgottenEmailRequest(
string userIdent,
string siteName,
string source,
string sendEmailFrom
)

So you do not need to override this method. You can just call it with the appropriate user identity and the other parameters, and the new password will be sent to the user's email. An example of this method can be seen in the Logon form web part (Corporate Site -> Examples -> Webparts -> Membership -> Logon form).

Could you please try to use this web part? What is the result?

Best regards,
Michal Legen

Member
jasonlancester-gmail - 10/14/2010 9:52:12 AM
   
RE:Forgotten password keeps old password
I forgot to say thank you for the quick response last time but we got it figured out. For some reason, disabling caching on the page made everything work as expected.

We were using the logon form but using that method or not, the password was not setting to the new one when we tried to log in with it.

I guess anyone else with this problem, try disabling cache on the document.

Member
saul.munoz-gmail - 1/4/2011 4:53:04 PM
   
RE:Forgotten password keeps old password
Hi, I want to take advantage of this topic. My requirement is that the users want to recover the current password that they have on the system.

Best Regards

Kentico Consulting
kentico_mirekr - 1/5/2011 1:11:27 AM
   
RE:Forgotten password keeps old password
Hi,

If the password is stored in the database (CMS_User table) in SHA-1 format (CMS Site Manager -> Settings -> Security -> Password format), which is only a hash of the password, you will not be able to get the password from this hash representation of the password.

Here you can find more information on how a hash works:

http://en.wikipedia.org/wiki/Hash_function

Storing passwords in plain text format is not recommended.

Best regards,
Miro Remias.
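
Added example (not from the thread and not Kentico's code): a sketch of why a forgotten-password flow issues a new password instead of recovering the current one when only a hash is stored. HashedPasswordStore and its members are hypothetical names, the sample values are constructed, PBKDF2 is used here in place of the SHA-1 format mentioned above, and .NET 6 or later is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical in-memory store; it does not model the CMS_User table or Kentico's API.
class HashedPasswordStore
{
    // Only a per-user salt and the derived hash are kept, never the plaintext.
    private readonly Dictionary<string, (byte[] Salt, byte[] Hash)> users =
        new Dictionary<string, (byte[] Salt, byte[] Hash)>();

    private static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 210_000, HashAlgorithmName.SHA256, 32);

    public void SetPassword(string user, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        users[user] = (salt, Derive(password, salt)); // replaces the previous record
    }

    public bool Verify(string user, string password)
    {
        if (!users.TryGetValue(user, out var rec)) return false;
        return CryptographicOperations.FixedTimeEquals(Derive(password, rec.Salt), rec.Hash);
    }

    // Forgotten-password path: there is no plaintext to return, so a fresh
    // random password is generated, stored as a hash, and handed to the mailer.
    public string Reset(string user)
    {
        const string alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";
        var chars = new char[16];
        for (int i = 0; i < chars.Length; i++)
            chars[i] = alphabet[RandomNumberGenerator.GetInt32(alphabet.Length)];
        string issued = new string(chars);
        SetPassword(user, issued);
        return issued;
    }
}

class Program
{
    static void Main()
    {
        var store = new HashedPasswordStore();
        store.SetPassword("alice", "old-Passw0rd"); // constructed sample values
        string issued = store.Reset("alice");
        if (store.Verify("alice", "old-Passw0rd")) throw new Exception("old password still valid");
        if (!store.Verify("alice", issued)) throw new Exception("issued password rejected");
        Console.WriteLine("reset replaced the stored hash; the old password no longer verifies");
    }
}
```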