How to implement token to reset password?

3

I have an ASP.NET MVC project that I created without a template (from scratch).
I would like to implement a password recovery function, but I'm not sure where to start.

  • What method is used to generate a secure token that expires after a set time? And what is the best way to generate a link with it?
  • Do I need to store the token in the database, or does it stay "alive" in server memory for the given time?
  • When accessing the Token link, how do you validate it?
asked by anonymous 23.09.2015 / 16:00

    1 answer

    4

    First you will need a table to store the password change requests; let's call it password_change_requests. It will need the following information:

  • Table id (recommended to be a GUID)
  • User id
  • Time to expire

    After creating this table, your process should work as follows:

  • In the login screen it is recommended to have a "Forgot Password?" link, where the user will be taken to a page where he will enter his login or email and will have a "Continue" button.
  • After clicking "Continue", the system will save the user id in the password_change_requests table and send an email to the user, passing the password_change_requests table id as a parameter in the URL: link {id of the password_change_requests table}
  • When entering the page to register a new password the system will check if the id passed by query string exists in the password_change_requests table and if it is not expired.
  • If everything is in order the user can change his password.
  • After entering the new password, you should delete this record, thus preventing it from being used again.
    30.09.2015 / 16:39
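
The request, check and delete steps from the answer above, as an added C# example that is not part of the original answer or of any project it describes. Assumptions: the `PasswordChangeRequests` class and its dictionary are a hypothetical in-memory stand-in for the password_change_requests table, and instead of e-mailing the row's GUID the example e-mails 32 bytes from the system CSPRNG and stores only their SHA-256 hash.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// In-memory stand-in (assumption) for the password_change_requests table.
public class PasswordChangeRequests
{
    private class Row { public int UserId; public DateTime ExpiresUtc; }
    private readonly Dictionary<string, Row> _rows = new Dictionary<string, Row>();

    // Only this hash is stored, so a leaked table does not yield usable links.
    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }

    // "Continue" step: insert the row, return the value for the e-mailed link.
    public string Create(int userId, TimeSpan lifetime, DateTime nowUtc)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = BitConverter.ToString(bytes).Replace("-", "");
        _rows[Hash(token)] = new Row { UserId = userId, ExpiresUtc = nowUtc + lifetime };
        return token;
    }

    // Called on page load (consume: false) and again on submit (consume: true), so the
    // row is re-checked when the password changes. With a real table, use one transaction.
    public int? Check(string token, DateTime nowUtc, bool consume)
    {
        Row row;
        if (string.IsNullOrEmpty(token) || !_rows.TryGetValue(Hash(token), out row)) return null;
        bool expired = row.ExpiresUtc <= nowUtc;
        if (expired || consume) _rows.Remove(Hash(token)); // single use; drop stale rows
        return expired ? (int?)null : row.UserId;
    }

    public static void Main()
    {
        var table = new PasswordChangeRequests();
        DateTime now = DateTime.UtcNow;
        string token = table.Create(42, TimeSpan.FromMinutes(30), now); // constructed user id
        Console.WriteLine("page load: " + table.Check(token, now, false).HasValue);
        Console.WriteLine("submit:    " + table.Check(token, now, true).HasValue);
        Console.WriteLine("replay:    " + table.Check(token, now, true).HasValue);
    }
}
```

The user id for the password change comes from the row returned by `Check`, never from a form field or query string parameter supplied with the request.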