MVC password reset mail NO SIMPLEMEMBERSHIP - asp.net-mvc

Am I really that bad of a googler, or are there no guides out there on how to reset a password WITHOUT SimpleMembership using a token link?
I want the anonymous user to input the mail of the account, send a mail with a link and when visiting that link the user is able to reset the password without the old password. I am not using simplemembership!
I know how to send emails and all that, but I have never created a token and used it for the link in the mail, etc. Are there any decent guides that could help me with this?
Side note, I'm storing all my user information in azure tablestorage.
Thanks

Stack Overflow isn't the best place to be asking overly broad "How do I do this?" questions, nor "recommend me a tutorial or guide".
(Having said that, I like the question/problem)
It should be fairly simple.
The user clicks on the "forgot password" link.
Generate a random string ("token"), such as a GUID and store it (such as in a database). Also store the time that it was generated or an expiration date.
Email the user a link to your site with the appropriate token.
The user comes back to your site. If the token exists and was done within the expiration time (15 - 30 minutes?) then give them a form to change their password.
Further reading
Resetting ASP.NET password - security issues?
Best way for a 'forgot password' implementation?

Related

Custom verification emails

I am trying to create a sort of recall system where an admin sends a message to the entire user base via email, after which all users have to confirm the message by navigating to a link in the email (confirmation token) and retyping the message. There would be a submit button on the page which will check if the messages match and then clear a confirmation flag in the database. I am stuck on where to even begin here. I am not worried about the comparison logic in the controller. I am confused about how to generate the confirmation tokens, send them, and then redirect users to a page for confirmation. At the moment I am using Devise with Active Admin, but I am open to any other gem suggestions. If any of you could give me a link to a similar tutorial or problem, that would be great! Yes, I have done research before asking, but most results had little relevance.
You could do this with Devise.
I'll share what was recently done by me, which is almost similar to your Q.
I did not use Confirmation link or any token.
Only Admin can create user.
On creation of a user, an email is sent along with id and password.
Upon user login for first time, redirect him to edit account for only password change.
Note: You can use friendly token for generating a random password.

How long should a password reset hash be valid for?

Here's the scenario:
A hacker hijacks the account of a user on my site. The hacker changes the password. My site sends out an email to the user's contact email address with a link containing a url with a hash value to reset the password. The hacker then changes the user's contact email address the following day. My site then sends out an email to the old and new email addresses.
Most answers here have said that the recovery hash should be valid for an hour. But what if the user is away from home and doesn't get the emails until a week later, after the hash has expired? The user's password has been changed and they can't get a new recovery email either. The user has now lost the account and has no way to recover it. Shouldn't the hash remain valid for a week or two, or until it is used?
And what happens if the hacker, knowing how this mechanism works on most sites, claims to forget the password and requests a new one. Should the site generate a new hash, replacing the old one, thereby rendering the real user's reset hash invalid? Or should the site not change the hash, and send out the same hash again? But now, both the real user and the hacker have a hash to reset the password?
I'm sooooo confused... Maybe there's no perfect solution to this problem...
Any other technique? I, personally, don't like "secret questions" because, more often than not, they provide a back door to hack into someone's account. When sites require them from me, I type gibberish as the answer.
BTW, I know there are similar questions like this, and I would have preferred to ask for clarification in a comment to an existing question rather than open a new question, but I don't have high enough reputation to add a comment to someone else's question.
I would keep the hash valid until it is activated and a captcha is done, because the hacker could use a bot to get on the website.
Edit: The Hacker will not know secret password for reset verification.
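A worked version of the token flow from the ASP.NET MVC answer above (generate a random token, store it with an expiry, verify it when the user comes back), which also takes one side of the question raised in this thread: a fresh request replaces the earlier token instead of resending it. This is an added example, not code from any of the questions or answers; the in-memory store standing in for Azure Table Storage, the class names and the `/Account/Reset?uid=..&t=..` link shape are assumptions, and only a hash of the token is persisted so the emailed link holds the only copy.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical in-memory stand-in for the user store (the question uses Azure Table Storage).
public class ResetRecord
{
    public byte[] TokenHash;     // only the SHA-256 of the token is persisted
    public DateTime ExpiresUtc;  // absolute expiry stored alongside the token
    public bool Used;            // consumed by the first successful reset
}
public class PasswordResetTokens
{
    // Keyed by user id, so issuing a new token replaces (invalidates) the previous one.
    private readonly Dictionary<string, ResetRecord> _store = new Dictionary<string, ResetRecord>();
    private readonly TimeSpan _lifetime;
    public PasswordResetTokens(TimeSpan lifetime) { _lifetime = lifetime; }

    // Returns the raw token for the emailed link (e.g. /Account/Reset?uid=..&t=..); it is never stored.
    public string Issue(string userId, DateTime nowUtc)
    {
        var bytes = new byte[32];  // 256 bits from the OS CSPRNG, not a Guid or System.Random
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _store[userId] = new ResetRecord { TokenHash = Hash(token), ExpiresUtc = nowUtc + _lifetime };
        return token;
    }
    // Accepts a token once: it must be the latest issued, unused and not yet expired.
    public bool TryConsume(string userId, string token, DateTime nowUtc)
    {
        ResetRecord rec;
        if (!_store.TryGetValue(userId, out rec) || rec.Used || nowUtc > rec.ExpiresUtc) return false;
        if (!FixedTimeEquals(Hash(token), rec.TokenHash)) return false;
        rec.Used = true;  // the caller now shows the new-password form
        return true;
    }
    private static byte[] Hash(string token)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(token));
    }
    // Constant-time comparison so a guessed token cannot be confirmed byte by byte via timing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The lifetime passed to the constructor is the policy knob this thread argues about (the answer above suggests 15 to 30 minutes); whatever value is chosen, a second request from the real user simply issues a new link, so an attacker's earlier link stops working.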

Devise sign in and sign up using single form

I'm trying to do the following: I have a page with a form for login and password.
Is it possible to use this form for both registration and authorization? For example, I'm visiting the page for the first time and enter my email and password. Then, if such an email already exists, I get an error; otherwise an account is created for me. Searching for a way of implementing this gave no results.
Does anyone know how to make it possible?
This approach has one drawback: if the user mistyped the password, they would probably never log in again. Solution: use the email for password recovery.
Another approach is to let the user input the email and, while the user types the password, check if the email is already in the database. If it's not available, then add a password confirmation field to the form.
How to make it possible? Just program the necessary logic on server-side and client-side.

Sign in automation with a registration email

I'm a beginner to Rails and I'm having trouble with signing users in when they click on the registration email. I'm calling a login method (sign_in) and then directing them to a page in the site, but the logic does not work. I am using Sorcery for generating the activation email. My repo is Here. I would appreciate any help, I'm a beginner still learning. Thanks in advance.
There's nothing magical about the email -- well, okay, it's probably got a capability tacked onto the end of a URL that lets you know the email address exists long enough to receive one email -- but once they sign in using your login method, it should store a cookie in the browser with a reference to the session id. (Or store session data directly in the cookie... up to you.)
So long as the same browser is used from the email clicking to the normal site use, the cookie (and its reference to the session id or session data) should still be valid, and they should still be "logged in".

Is a captcha required when I have an email verification step during registration?

I am building an asp.net mvc web application.
Do I need to use a captcha during user registration?
Because we make the user verify the email, by the standard way, like sending a link in the email and when the user clicks on the link, the email is verified.
Do you think bots can actually open an email and verify? And moreover the bots will need a new email address for every registration.
Yes, bots can create new email accounts and send and receive email from those accounts.
You don't need to use a CAPTCHA if your site is unlikely to be targeted by bots, but if you are worried about an attack then a CAPTCHA is a good idea and fairly cheap to implement. You should bear in mind that it negatively affects the usability of your site and could make it difficult for some users to log in.
The "new email address" for every registration requirement isn't hard to beat (think mailinator.com) but I can't imagine a bot confirming your email, you just have to deal with sending out redundant emails and assess if that is an issue.
I think the gist of it can be summed up like this:
captchas help protect against automated signups
email confirmation helps protect against impersonation
Email confirmation is much easier than a good CAPTCHA for a bot to pass.
