Reset Password Link (email)

Hi guys,

I need to know how I can create a reset password process that sends, in the confirmation email, a link to reset the user's password.
Has anyone developed something similar?

Best Regards,
ES

Hello,

This is something I implement in most projects, but unfortunately I can't share an example at the moment.

I'll try to describe how it works, though:

1) Create an entity (e.g. UserPasswordRecovery) with attributes:
  • UserId - User identifier
  • Token - text (64)
  • TokenExpiry - datetime


2) Create a new screen that receives a Token as an input parameter (in this example I'll call it ResetPassword and assume it is in an eSpace called ResetPasswordApp, so its URL would be https://yourserver/ResetPasswordApp/ResetPassword.aspx).

In the preparation of this screen, query the UserPasswordRecovery entity for the Token. If the query returns a record and the TokenExpiry wasn't reached, you should show the inputs to reset the user password. If no results are returned, or the TokenExpiry has been reached, show an error message.

When the user resets the password successfully, delete the UserPasswordRecovery records for that user.


3) Create a new screen to start the password recovery process (usually asking for the user's email).

When the user starts the recovery process create a new record in the UserPasswordRecovery table. Fill in the Token attribute using the system function GeneratePassword() to generate a random string of 64 characters. Fill in the TokenExpiry attribute with the date and time your recovery link will expire (usually it goes from a couple of hours to 48 hours, depending on your level of security concern).

After creating the record, send the user an email with a link to the screen you created on 2), passing the Token you just generated as an input to that screen (e.g. https://yourserver/ResetPasswordApp/ResetPassword.aspx?Token=wvebde12ncrmeovneribv344irninefvn)

4) Add a "Forgot your password?" link from your login screen to the screen you created on 2)

Hope this helps!
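
The flow from steps 1) to 3) above, as an added example in Python with SQLite (not code from the original post or from the platform it describes). `secrets.token_urlsafe` stands in for GeneratePassword(), the `User` table and all function names are assumptions, and storing only a SHA-256 digest of the token is a hardening step beyond what the post describes. The UserId comes from looking up the e-mail address the user typed, not from the session.

```python
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta

TOKEN_TTL = timedelta(hours=2)  # the post suggests a couple of hours up to 48

def _digest(token: str) -> str:
    # Hardening beyond the post: persist only a hash of the token (64 hex chars).
    return hashlib.sha256(token.encode()).hexdigest()

def init_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE User (Id INTEGER PRIMARY KEY, Email TEXT UNIQUE, Password TEXT);
        CREATE TABLE UserPasswordRecovery (UserId INTEGER, Token TEXT, TokenExpiry TEXT);
    """)
    return db

def start_recovery(db, email, now):
    """Step 3: return the token to e-mail, or None for an unknown address."""
    row = db.execute("SELECT Id FROM User WHERE Email = ?", (email,)).fetchone()
    if row is None:
        return None  # the screen should show the same message either way
    token = secrets.token_urlsafe(48)  # 64 URL-safe characters from the OS CSPRNG
    db.execute("INSERT INTO UserPasswordRecovery VALUES (?, ?, ?)",
               (row[0], _digest(token), (now + TOKEN_TTL).isoformat()))
    return token

def lookup_token(db, token, now):
    """Step 2 preparation: UserId for a known, unexpired token, else None."""
    row = db.execute(
        "SELECT UserId, TokenExpiry FROM UserPasswordRecovery WHERE Token = ?",
        (_digest(token or ""),)).fetchone()
    if row is None or datetime.fromisoformat(row[1]) <= now:
        return None
    return row[0]

def reset_password(db, token, new_password_hash, now):
    """Step 2 submit: re-check the token, then make every token of that user unusable."""
    user_id = lookup_token(db, token, now)
    if user_id is None:
        return False
    # The caller passes an already hashed password; hashing is out of scope here.
    db.execute("UPDATE User SET Password = ? WHERE Id = ?", (new_password_hash, user_id))
    db.execute("DELETE FROM UserPasswordRecovery WHERE UserId = ?", (user_id,))
    return True
```

The token is checked again on submit, not only when the screen loads, so an expired or already used link cannot change a password.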

How do I get the Token as the input parameter?
I have created a forget password link as described above; however, when the user clicks on the link, I don't get the token as an input parameter (token = ""). What am I missing?

Colette, have you actually passed the token as a parameter?

Kilian, honest answer, I'm not sure...

I have Token as an Input Parameter in the Email, this works as it is being used to populate the link in the email.
I then have Token as an Input Parameter in the UserPasswordReset Screen, but when the UserPasswordReset is debugged Token Input Parameter = ""

I am sure I am missing something, but can't figure it out...

It's difficult to say what's wrong without more details. There could be a typo on the parameter name from the e-mail link, for example.

Hi Kilian,

The email looks correct, but I think there was a problem with the actual URL, I am editing this to see if it solves the problem.

Thanks
Colette

Kilian, thanks for pointing me in the right direction - it was the URL that was the problem.

Hi Colette,

Glad I could be of some help :).

Hi Satyabrata,

I think it's rather rude and lazy to ask for a reusable sample. Please refrain from such inquiries.

Hi, I think your solution is the best out there, but I have a question. How do you insert the UserId? The user isn't logged in, so the session variable equals 0. Or how do you get the UserId for the insert?

João Pedro Abreu wrote:

Hello,

This is something I implement in most projects, but unfortunately I can't share an example at the moment.

I'll try to describe how it works, though:

1) Create an entity (e.g. UserPasswordRecovery) with attributes:
  • UserId - User identifier
  • Token - text (64)
  • TokenExpiry - datetime


2) Create a new screen that receives a Token as an input parameter (in this example I'll call it ResetPassword and assume it is in an eSpace called ResetPasswordApp, so its URL would be https://yourserver/ResetPasswordApp/ResetPassword.aspx).

In the preparation of this screen, query the UserPasswordRecovery entity for the Token. If the query returns a record and the TokenExpiry wasn't reached, you should show the inputs to reset the user password. If no results are returned, or the TokenExpiry has been reached, show an error message.

When the user resets the password successfully, delete the UserPasswordRecovery records for that user.


3) Create a new screen to start the password recovery process (usually asking for the user's email).

When the user starts the recovery process create a new record in the UserPasswordRecovery table. Fill in the Token attribute using the system function GeneratePassword() to generate a random string of 64 characters. Fill in the TokenExpiry attribute with the date and time your recovery link will expire (usually it goes from a couple of hours to 48 hours, depending on your level of security concern).

After creating the record, send the user an email with a link to the screen you created on 2), passing the Token you just generated as an input to that screen (e.g. https://yourserver/ResetPasswordApp/ResetPassword.aspx?Token=wvebde12ncrmeovneribv344irninefvn)

4) Add a "Forgot your password?" link from your login screen to the screen you created on 2)

Hope this helps!



Hi Domingo,

Though João himself can probably best answer that, I'll give my 2c. For a user to recover their password, there must be something identifying that user. That may be an e-mail address, or a username, or a debit number, or whatever you use in combination with the password for login or identification, something that must be unique to the user. In the password recovery screen, you ask for that unique identification (again, typically a username or e-mail address), and you can use that to query your database and link it to whatever user identifier you are using internally.