Forgot Password URL

I have a web application that uses ASP.NET access control. I also use a password recovery control so that users can recover their passwords. After the user finishes entering data into the recovery control, an email containing a validation URL is sent to the user's email address. Clicking the URL takes the user to the UserProfile page of my web application, where the user can change the password.

The problem is that I have set the access rule for UserProfile.aspx to deny anonymous users, so when the URL takes me to the UserProfile.aspx page I am sent to the login page instead (the system treats me as an anonymous user).

Why is that? Is there any way I could be redirected to the UserProfile page after clicking the URL (with all of the user's information)?

The url is as follows:

http://localhost:1039/Members/UserProfile.aspx?ID=56f74cc7-7680-4f1b-9207-0ab8dad63cad 

The last part of the URL is the user's UserId.

Here is the code for userprofile aspx:

<%-- Data source behind the profile view.
     SelectCommand: joins Details, aspnet_Membership and aspnet_Users and returns the row for one @UserId.
     UpdateCommand: holds two UPDATE statements in one batch; the first writes the Details columns,
     the second writes aspnet_Membership.Email. Both are keyed on @UserId.
     DeleteCommand: removes the Details row only.
     SelectParameters and DeleteParameters take @UserId from lblHidden.Text.
     NOTE(review): UpdateParameters declare @UserId as a plain asp:Parameter with no source in this
     markup, and the DetailsView bound to this data source lists UserId as an ordinary BoundField.
     Presumably the update key is taken from that field; confirm that the key of the row being
     updated cannot be changed by editing it. --%>
<asp:SqlDataSource ID="SqlDataSource1" runat="server" 
              ConnectionString="<%$ ConnectionStrings:ASPNETDBConnectionString1 %>" 
              SelectCommand="SELECT aspnet_Membership.Email, Details.CustName, Details.CustNum, Details.CustRole, Details.CustStatus, Details.PName, Details.PEmail, Details.PRole, Details.WedDate, aspnet_Users.UserName, Details.UserId FROM Details INNER JOIN aspnet_Membership ON Details.UserId = aspnet_Membership.UserId INNER JOIN aspnet_Users ON aspnet_Membership.UserId = aspnet_Users.UserId WHERE (Details.UserId = @UserId)" 


              UpdateCommand="update Details SET CustName = @CustName, CustNum = @CustNum, CustRole = @CustRole, CustStatus = @CustStatus, PName = @PName, PEmail = @PEmail, PRole = @PRole, WedDate = @WedDate WHERE [UserId] = @UserId

                            Update aspnet_Membership Set Email= @email WHERE [UserId] = @UserId"

              DeleteCommand= "DELETE FROM Details WHERE UserId = @UserId;"> 

              <DeleteParameters>
                  <asp:ControlParameter ControlID="lblHidden" Name="UserId" PropertyName="Text" 
                      Type="String" />
              </DeleteParameters>

              <SelectParameters>
                  <asp:ControlParameter ControlID="lblHidden" Name="UserId" PropertyName="Text" />

              </SelectParameters>

              <UpdateParameters>
                  <asp:Parameter Name="CustName" />
                  <asp:Parameter Name="CustNum" />
                  <asp:Parameter Name="CustRole" />
                  <asp:Parameter Name="CustStatus" />
                  <asp:Parameter Name="PName" />
                  <asp:Parameter Name="PEmail" />
                  <asp:Parameter Name="PRole" />
                  <asp:Parameter Name="WedDate" />
                  <asp:Parameter Name="UserId" />
                  <asp:Parameter Name="email" />
              </UpdateParameters>


          </asp:SqlDataSource>
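          <%-- Profile view bound to SqlDataSource1, with an Edit button.
               UserId is the WHERE key of both UPDATE statements in SqlDataSource1, so it must not be
               an editable field: it is declared as the data key (DataKeyNames) and shown read-only.
               The key value is then supplied to @UserId by the control itself and not by whatever
               text is posted back from edit mode. --%>
          <asp:DetailsView ID="DetailsView1" runat="server" AutoGenerateRows="False" 
              DataSourceID="SqlDataSource1" DataKeyNames="UserId" Height="50px" Width="125px">
              <Fields>
                  <asp:BoundField DataField="Email" HeaderText="Email" SortExpression="Email" />
                  <asp:BoundField DataField="CustName" HeaderText="CustName" 
                      SortExpression="CustName" />
                  <asp:BoundField DataField="CustNum" HeaderText="CustNum" 
                      SortExpression="CustNum" />
                  <asp:BoundField DataField="CustRole" HeaderText="CustRole" 
                      SortExpression="CustRole" />
                  <asp:BoundField DataField="CustStatus" HeaderText="CustStatus" 
                      SortExpression="CustStatus" />
                  <asp:BoundField DataField="PName" HeaderText="PName" SortExpression="PName" />
                  <asp:BoundField DataField="PEmail" HeaderText="PEmail" 
                      SortExpression="PEmail" />
                  <asp:BoundField DataField="PRole" HeaderText="PRole" SortExpression="PRole" />
                  <asp:BoundField DataField="WedDate" HeaderText="WedDate" 
                      SortExpression="WedDate" />
                  <asp:BoundField DataField="UserName" HeaderText="UserName" 
                      SortExpression="UserName" />
                  <asp:BoundField DataField="UserId" HeaderText="UserId" ReadOnly="True" 
                      SortExpression="UserId" />
                  <asp:CommandField ShowEditButton="True" />
              </Fields>
          </asp:DetailsView>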
          <%-- lblHidden supplies @UserId to the Select and Delete parameters of SqlDataSource1.
               Page_Load overwrites its Text with the logged-on user's ProviderUserKey; the
               placeholder Text="Label" below is only the declared default.
               Visible="False" keeps the control out of the rendered page. --%>
          <asp:Label ID="lblHidden" runat="server" Text="Label" Visible="False"></asp:Label>



          <%-- Delete button; the click is handled by btnDelete_Click in the code-behind. --%>
          <asp:Button ID="btnDelete" runat="server" onclick="btnDelete_Click" 
              Text="Delete" />

Here is the code behind:

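/// <summary>
/// Stores the logged-on user's membership key in lblHidden, which the page's
/// data source parameters read as @UserId.
/// </summary>
/// <param name="sender">The page raising the event.</param>
/// <param name="e">Unused event data.</param>
protected void Page_Load(object sender, EventArgs e)
    {
        MembershipUser currentUser = Membership.GetUser();

        // Membership.GetUser() returns null when the request carries no logged-on
        // user (for example when the page is opened from an e-mailed link without
        // signing in). Dereferencing it would throw, so send the visitor to the
        // login page instead of continuing with no identity.
        // NOTE(review): assumes forms authentication is in use - confirm.
        if (currentUser == null || currentUser.ProviderUserKey == null)
        {
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        lblHidden.Text = currentUser.ProviderUserKey.ToString();
    }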

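    /// <summary>
    /// Sets the @UserId parameter of the select command to the logged-on user's
    /// membership key, so the query returns that user's own row.
    /// </summary>
    /// <param name="sender">The data source raising the event.</param>
    /// <param name="e">Event data exposing the command about to run.</param>
    protected void SqlDataSource1_Selecting(object sender, SqlDataSourceSelectingEventArgs e)
    {
        // Get a reference to the currently logged-on user.
        MembershipUser currentUser = Membership.GetUser();

        // With no logged-on user there is no key to filter on; cancel the select
        // rather than throw on a null reference or run it with a stale value.
        if (currentUser == null || currentUser.ProviderUserKey == null)
        {
            e.Cancel = true;
            return;
        }

        // Programmatically set @UserId through e.Command.Parameters.
        e.Command.Parameters["@UserId"].Value = currentUser.ProviderUserKey.ToString();
    }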
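    /// <summary>
    /// Deletes the logged-on user's rows from Details and aspnet_Membership,
    /// then redirects to Home.aspx.
    /// </summary>
    /// <param name="sender">The Delete button.</param>
    /// <param name="e">Unused event data.</param>
    protected void btnDelete_Click(object sender, EventArgs e)
    {
        // Take the key of the account to delete from the authenticated session at
        // the moment of the destructive action, not from page state (lblHidden
        // still holds the placeholder "Label" if it was never populated).
        MembershipUser currentUser = Membership.GetUser();
        if (currentUser == null || currentUser.ProviderUserKey == null)
        {
            // NOTE(review): assumes forms authentication is in use - confirm.
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        string userId = currentUser.ProviderUserKey.ToString();
        string connectionString =
            ConfigurationManager.ConnectionStrings["ASPNETDBConnectionString1"].ConnectionString;

        // using blocks release the connection and commands even when a statement throws.
        using (SqlConnection connection = new SqlConnection(connectionString))
        {
            connection.Open();

            // One transaction for both deletes: if the second fails, the first is
            // rolled back when the transaction is disposed without Commit().
            using (SqlTransaction transaction = connection.BeginTransaction())
            using (SqlCommand deleteDetails = new SqlCommand(
                "DELETE FROM Details WHERE UserId = @UserId", connection, transaction))
            using (SqlCommand deleteMembership = new SqlCommand(
                "DELETE FROM aspnet_Membership WHERE UserId = @UserId", connection, transaction))
            {
                // The key is passed as a parameter, never concatenated into the SQL text.
                deleteDetails.Parameters.AddWithValue("@UserId", userId);
                deleteMembership.Parameters.AddWithValue("@UserId", userId);

                deleteDetails.ExecuteNonQuery();
                deleteMembership.ExecuteNonQuery();

                transaction.Commit();
            }
        }

        Response.Redirect("Home.aspx");
    }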

-, URL-? URL- , . , . , , ???


changepassword. . , . :

<!-- Per-page authorization override for changepassword.aspx.
     users="*" matches every user, anonymous ones included, so this page is
     reachable without logging in. -->
<location path="changepassword.aspx">
 <system.web>
   <authorization>
     <allow users="*"/>
   </authorization>
 </system.web>
</location>

- . , :

PK | Identifier | UserID                               | expires
1  | abcd       | ffffffff-ffff-ffff-ffff-ffffffffffff | 16-jul-2012 18:26

, , . , - , (, ).


, reset tools...

-.

?

-, , . " " pasword reset , , .

, ?

, , . URL- , ( ). , , .

. - (, URL-, , ), . , , .

?

- , , . , , , - , . ( , , base64 16 - 96 ) (, userid, ( ), ..). , , ( , , , ).

, , , . ( , ), . , , , , .

, , , , , , , , . , , . , . , , . reset , , , .:)

, URL-, , . , - , . URL-, .

, UserID , 100% , , .


You can try allowing anonymous users to reach your user profile page by adding the following to your web.config, inside the <configuration> element.

  <!-- Per-page authorization override for userProfile.aspx.
       users="?" matches anonymous (not logged-on) users, so this rule opens the
       profile page to requests that carry no identity.
       NOTE(review): the profile page's code-behind reads Membership.GetUser() and
       offers edit and delete for the account; confirm how the page establishes
       whose profile it is acting on before relying on this rule. -->
  <location path="userProfile.aspx">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>