How the Membership Provider settings affect password recovery capabilities
While the Membership Manager Control can provide much of the functionality of the
AspNetSqlMembershipProvider in a convenient control panel, it is
not intended to circumvent Microsoft's security model. Apart from a few stored procedure
calls directly into the AspNet membership and user tables to retrieve data which
is already available, the control is completely dependent on the underlying AspNetSqlMembershipProvider
for most of its own functionality.
Asp.Net Password Administration: Explained
See how the capabilities of the Asp.Net SQL Membership Provider are used by the
Membership Manager Control (or your own code) to effectively administer passwords.
If you have not specifically added a Membership section to the web.config
file for your application, then the default provider settings will be in place.
The default AspNetSqlMembershipProvider settings are quite restrictive:
- Passwords will be one-way hashed
- Password recovery will be disabled
- Password answers are required to perform password reset
These default settings work well with self-service web sites but limit the options
for a Web Master or Customer Service Representative to assist customers.
Even with the default provider settings, the Membership Manager Control may be useful
for helping a customer remember which login name or email address was used. The
Web Master or Customer Service representative will not, however, be able to reset
a forgotten password on the customer's behalf.
Some organizations may wish to intentionally disable administrative password changes
through provider configuration settings.
Custom Membership Provider Settings
Your web application is configured through entries in the web.config file which
is located in the root folder of your application. Even if you've never specifically
opened this file for editing, web.config may contain customized settings as a result
of using the Asp.Net Web Site Administration Tool or running the application in
debug mode. Unless you have specifically created a membership section in
web.config, however, your membership provider will use the Asp.Net default settings.
Default settings for Asp.Net applications are retrieved from sections in a file
called machine.config (under C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727). Since machine.config
should never be modified, you may make entries in your application's web.config
file to override the default behaviors.
To create custom provider settings, you may open your application's web.config file
and add the membership section illustrated below:
<configuration>
  ...
  <system.web>
    ...
    <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="20">
      <providers>
        <clear/>
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="LocalSqlServer"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             passwordFormat="Hashed"
             applicationName="/" />
      </providers>
    </membership>
    ...
  </system.web>
  ...
</configuration>
Note that the <configuration> and <system.web> sections may already exist and may
already contain other sections. The <clear/> element is required to unload the
default provider. Also, the connectionStringName (LocalSqlServer) is the default
name used by various providers and may require tailoring for your custom implementation.
The above code essentially configures your membership provider to work as it would if you had not added the section. Passwords will be hashed, password answers will be required, and so on.
With the membership section now defined in web.config, you can change the behavior
of the SqlMembershipProvider (and therefore the Membership Manager Control) by making
certain changes:
passwordFormat
If appropriate for your organization, you could change the passwordFormat to "Encrypted"
or "Clear", both of which are less secure than "Hashed". Doing so will not change the
format of existing member passwords; new member passwords, however, will be stored in
the prescribed format. The Membership Manager Control can still be used to change hashed
passwords if you set requiresQuestionAndAnswer to false, so it is really not necessary
to use the less secure formats.
Note: If you elect to use the Encrypted password format, then you must also add a
<machineKey> section in web.config to define how passwords are encrypted.
enablePasswordRetrieval
This may only be changed to true if you are using unhashed passwords. The benefit of
having this turned on is that the Membership Manager Control can use the
SqlMembershipProvider's GetPassword method to retrieve the password and does not need
to have requiresQuestionAndAnswer turned off.
enablePasswordReset
There is no reason to disable this setting; in fact, it must be enabled in order to
reset hashed passwords.
requiresQuestionAndAnswer
This setting must be set to false if you wish to enable the Membership Manager Control's
reset password feature. (The reset password feature allows you to reset hashed passwords.)
Note that this setting also affects the way the CreateUserWizard control works.
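The interplay of the four settings above is easiest to see in code. The following Python script is an added example, not the Membership Manager Control's code or Microsoft's: it parses a constructed web.config fragment modelled on the membership section shown earlier, resolves which provider is the default (honouring <clear/>, <remove> and <add> the way ASP.NET builds the provider collection), and reports which administrative password actions the resulting settings permit, in the spirit of the control's About Panel. The defaults it applies to omitted attributes are the SqlMembershipProvider defaults this page describes plus enablePasswordReset=true; the sample config, the helper names and the error wording are assumptions of the example.

```python
# Added example (not the Membership Manager Control's own code): resolve the
# SqlMembershipProvider settings that a web.config yields and report which
# password-administration actions they permit.  Assumptions are marked below.
import xml.etree.ElementTree as ET

# Constructed web.config fragment for the demo; it mirrors the membership
# section shown on the page and is not taken from a real application.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="20">
      <providers>
        <clear/>
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="LocalSqlServer"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true"
             passwordFormat="Hashed"
             applicationName="/" />
      </providers>
    </membership>
  </system.web>
</configuration>"""

# Values SqlMembershipProvider applies when an attribute is omitted: the three
# the page lists (hashed, no retrieval, answer required) plus reset enabled.
DEFAULTS = {
    "passwordFormat": "Hashed",
    "enablePasswordRetrieval": "false",
    "enablePasswordReset": "true",
    "requiresQuestionAndAnswer": "true",
}
# Provider name machine.config registers and uses when web.config sets none.
MACHINE_DEFAULT_PROVIDER = "AspNetSqlMembershipProvider"


def effective_settings(web_config_xml):
    """Return the default provider's password settings as a dict.

    Models the provider collection the way ASP.NET builds it: the inherited
    machine.config provider is present first, <clear/> discards everything,
    <remove name=.../> drops one entry and <add .../> declares one.
    """
    root = ET.fromstring(web_config_xml)
    has_machine_key = root.find("./system.web/machineKey") is not None
    membership = root.find("./system.web/membership")
    if membership is None:
        # No membership section: machine.config defaults apply unchanged.
        return dict(DEFAULTS, name=MACHINE_DEFAULT_PROVIDER,
                    hasMachineKey=has_machine_key)
    wanted = membership.get("defaultProvider", MACHINE_DEFAULT_PROVIDER)
    providers = {MACHINE_DEFAULT_PROVIDER: dict(DEFAULTS)}
    providers_elem = membership.find("providers")
    for elem in (list(providers_elem) if providers_elem is not None else []):
        if elem.tag == "clear":
            providers.clear()
        elif elem.tag == "remove":
            providers.pop(elem.get("name"), None)
        elif elem.tag == "add":
            providers[elem.get("name")] = {k: elem.get(k, v)
                                           for k, v in DEFAULTS.items()}
    if wanted not in providers:
        raise ValueError(f"defaultProvider '{wanted}' is not declared")
    return dict(providers[wanted], name=wanted, hasMachineKey=has_machine_key)


def capabilities(settings):
    """Translate settings into the administrative actions they allow."""
    fmt = settings["passwordFormat"]
    retrieval = settings["enablePasswordRetrieval"].lower() == "true"
    reset = settings["enablePasswordReset"].lower() == "true"
    needs_answer = settings["requiresQuestionAndAnswer"].lower() == "true"
    errors, warnings = [], []
    if retrieval and fmt == "Hashed":
        # The provider rejects this combination when it initializes.
        errors.append("enablePasswordRetrieval=true requires an unhashed passwordFormat")
    if fmt == "Encrypted" and not settings["hasMachineKey"]:
        errors.append("passwordFormat=Encrypted needs a <machineKey> section")
    if fmt != "Hashed":
        warnings.append(f"passwordFormat={fmt} is less secure than Hashed")
    return {
        "errors": errors,
        "warnings": warnings,
        # GetPassword can hand the stored password to staff.
        "retrieve_password": retrieval and fmt != "Hashed",
        # Staff can reset a password without the user's security answer.
        "reset_without_answer": reset and not needs_answer,
        # Reset works only when the user's security answer is supplied.
        "reset_with_answer_only": reset and needs_answer,
    }


if __name__ == "__main__":
    for label, xml_text in [
        ("page's section", SAMPLE_WEB_CONFIG),
        ("answer not required", SAMPLE_WEB_CONFIG.replace(
            'requiresQuestionAndAnswer="true"', 'requiresQuestionAndAnswer="false"')),
    ]:
        print(label, capabilities(effective_settings(xml_text)))
```

Run as written, the first report shows the page's point that the section reproduces the defaults (reset only with the user's answer, no retrieval); the second shows that flipping requiresQuestionAndAnswer to false is what unlocks an administrative reset of a hashed password, with no need to weaken passwordFormat.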
Choosing the right settings for your situation
You do not need to make an immediate decision on provider settings in order to start
using the Membership Manager Control. In fact, the Membership Manager Control's
About Panel will summarize for you the features that will and will not work based
on the current settings.
As you use the Membership Manager Control, you may encounter messages informing
you that a particular capability is disabled because of a provider configuration
setting. In many cases, a course of action will be suggested to enable the feature.
The following topics describe and explain various issues that you may encounter:
Related Topics
Membership Manager Help
Membership Manager Configuration