Asp.Net components and Internet solutions
Quality Data

MembershipProvider.RequiresQuestionAndAnswer must be False

Although the Asp.Net Membership Provider cannot retrieve passwords which have been one-way hashed, it does provide methods for resetting passwords if a valid password answer is available. If the MembershipProvider.RequiresQuestionAndAnswer property (as specified in your application's web.config file) is set to False, then the ResetPassword method may be called without providing a passwordAnswer. 

The article Asp.Net Membership Provider Password Administration discusses how a webmaster or site administrator may leverage this capability to provide customer assistance. In fact, this is how the Membership Manager Control provides you with the ability to change or reset passwords.

MembershipProvider.RequiresQuestionAndAnswer must be set to false


Since the Membership Manager Control calls upon the SqlMembershipProvider to perform the password reset, you must ensure that EnablePasswordReset = true and also that RequiresQuestionAndAnswer = false in your web.config if you wish to utilize the Reset Password feature.

If a member's password is not hashed and the Membership Provider RequiresQuestionAndAnswer property is set to false, then the Membership Manager Control can use the Membership.Provider.GetPassword method (without the requisite password answer) to retrieve the member's password. This also assumes that EnablePasswordRetrieval is set to true. Armed with the old password, the control can then change the password to a new one using the Membership.Provider.ChangePassword method.

For hashed passwords, or when MembershipProvider.EnablePasswordRetrieval is false in web.config, it is not possible to retrieve the old password. However, it is possible to change it to a new known value using a combination of Membership.Provider.ResetPassword and Membership.Provider.ChangePassword. Assuming RequiresQuestionAndAnswer has been set to false in the provider configuration, the former method can be called without the requisite passwordAnswer parameter to reset the password and obtain a new temporary one. Then, armed with the newly assigned temporary password, the MembershipProvider.ChangePassword method can be called to set the password to a known value.
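The reset-then-change sequence described above, written against the standard System.Web.Security API as an added example; it is not the Membership Manager Control's own code. The class and method names are hypothetical, and it assumes the caller is a page already restricted to site administrators.

```csharp
using System;
using System.Configuration.Provider;
using System.Web.Security;

// Added example: AdminPasswordReset and SetKnownPassword are hypothetical names.
public static class AdminPasswordReset
{
    // Sets a member's password to a known value without the old password
    // or the password answer. Only call this from administrator-only pages.
    public static void SetKnownPassword(string username, string newPassword)
    {
        MembershipProvider provider = Membership.Provider;

        // Both values come from the provider entry in web.config.
        if (!provider.EnablePasswordReset)
            throw new InvalidOperationException("enablePasswordReset must be true.");
        if (provider.RequiresQuestionAndAnswer)
            throw new InvalidOperationException("requiresQuestionAndAnswer must be false.");

        // Validate before resetting: if ChangePassword rejected the new value
        // after the reset, the member would be left with an unknown temporary
        // password. (The provider also enforces its non-alphanumeric rule.)
        if (newPassword == null || newPassword.Length < provider.MinRequiredPasswordLength)
            throw new ArgumentException("New password is shorter than the provider minimum.");

        MembershipUser user = provider.GetUser(username, false);
        if (user == null)
            throw new ProviderException("No such member.");
        if (user.IsLockedOut)
            throw new ProviderException("Member is locked out; unlock the account first.");

        // Step 1: reset with no answer; the provider returns a temporary password.
        string temporary = provider.ResetPassword(username, null);

        // Step 2: use the temporary password as the "old" password.
        if (!provider.ChangePassword(username, temporary, newPassword))
            throw new ProviderException("ChangePassword did not accept the temporary password.");
    }
}
```

Because RequiresQuestionAndAnswer = false removes the answer check for every caller of ResetPassword, the only remaining gate is who can reach code like this, so keep it behind an administrator-only authorization rule and record each reset.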

If MembershipProvider.RequiresQuestionAndAnswer is not set to false, then the Reset Password panel will display the message "Unable to reset password unless RequiresQuestionAndAnswer=False in web.config", as illustrated below.




 

Similarly, the Change Password panel will display the message: Provider requires Question and Answer. Unable to change passwords if MembershipProvider.RequiresQuestionAndAnswer is not set to false.




 

 

Related Topics

The Membership Manager Control
Membership Manager Configuration
Asp.Net SqlMembershipProvider Settings