
This asp.net password recovery code has an error. Can anyone spot it?

We use email address instead of user id. But when the user enters his email address into the password recovery form and submits it, the site returns "We were unable to access your information. Please try again." and replaces the email value in the text box with a long string of characters and numbers (e.g. e61686cb-93a5-4737-8c40-52g8eb01bb67).

Here's the relevant aspx page code...

<asp:Content ID="Content1" ContentPlaceHolderID="head" runat="server">
</asp:Content>

<asp:Content ID="Content2" ContentPlaceHolderID="ContentPlaceHolder1" 
    runat="server">

<div class="login_page">
    <div class="login_header">Password Reset</div>
    <div class="login_body">
        <%-- Both events are handled in the code-behind: VerifyingUser maps the typed
             e-mail address to a membership user name before the control looks the user up;
             SendingMail sends the page's own mail and cancels the control's default one. --%>
        <asp:PasswordRecovery ID="PasswordRecovery1" runat="server" 
            onverifyinguser="PasswordRecovery1_VerifyingUser" 
            onsendingmail="PasswordRecovery1_SendingMail">
        </asp:PasswordRecovery>
    </div>
</div>
</asp:Content>

And the code behind...

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.Security;
using System.Text.RegularExpressions;
using System.Net.Mail;
using System.Configuration;
using System.Web.Profile;
using System.Text;

namespace Sample.Web
{
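    /// <summary>
    /// Code-behind for the password reset page. The <c>PasswordRecovery</c> control is driven
    /// by e-mail address rather than by membership user name: <see cref="PasswordRecovery1_VerifyingUser"/>
    /// translates the typed address into the provider's user name, and
    /// <see cref="PasswordRecovery1_SendingMail"/> replaces the control's own mail with one built here.
    /// </summary>
    public partial class PasswordReset : System.Web.UI.Page
    {
        // Subject of the page-built reset mail.
        private const string ResetMailSubject = "Password reset from StorageByMail.com";

        protected void Page_Load(object sender, EventArgs e)
        {
            // Nothing to initialise; the PasswordRecovery control drives the whole flow.
        }

        /// <summary>
        /// Returns true when <paramref name="strIn"/> is in a plausible e-mail address format.
        /// A null or empty value is reported as invalid instead of letting Regex.IsMatch throw.
        /// </summary>
        /// <remarks>This is a format check only; it says nothing about whether the address is registered.</remarks>
        bool IsValidEmail(string strIn)
        {
            if (string.IsNullOrEmpty(strIn))
            {
                return false;
            }

            return Regex.IsMatch(strIn, @"^([\w-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([\w-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)$");
        }

        /// <summary>
        /// Runs before the PasswordRecovery control looks the user up. The typed value is an
        /// e-mail address, so it is mapped to the membership user name the control expects.
        /// </summary>
        /// <remarks>
        /// The control renders <c>UserName</c> back into its text box on postback, so after the
        /// assignment below the visitor sees the provider's user name (a GUID-like value, per the
        /// question) instead of the address they typed. The failure text reported in the question
        /// ("We were unable to access your information. Please try again.") is not the one set in
        /// this handler; it is the control's own failure text, so the error is raised by the control
        /// after this handler returns -- most likely its own lookup of the assigned UserName or the
        /// subsequent password reset did not succeed. Worth verifying that the configured membership
        /// provider's GetUser accepts the value GetUserNameByEmail returns.
        /// </remarks>
        protected void PasswordRecovery1_VerifyingUser(object sender, LoginCancelEventArgs e)
        {
            string enteredEmail = PasswordRecovery1.UserName;

            if (!IsValidEmail(enteredEmail))
            {
                PasswordRecovery1.UserNameInstructionText = "You must enter a valid e-mail address.";
                e.Cancel = true;
                return;
            }

            string username = Membership.GetUserNameByEmail(enteredEmail);
            if (username == null)
            {
                // NOTE(review): answering differently for unknown and known addresses lets a visitor
                // learn which addresses are registered (account enumeration). A neutral
                // "if the address is registered, a mail has been sent" response avoids that.
                PasswordRecovery1.UserNameInstructionText = "We were unable to access your information. Check your user name and try again.";
                e.Cancel = true;
                return;
            }

            // From here on the control works with the membership user name, not the address.
            PasswordRecovery1.UserName = username;
        }

        /// <summary>
        /// Sends the page's own password reset mail and cancels the control's default one.
        /// </summary>
        /// <remarks>
        /// The mail goes to the address stored for the account, not to the value the visitor typed,
        /// so a mistyped or spoofed address cannot redirect the new password. The new password is
        /// sent in clear text in the mail body; that is inherent to the PasswordRecovery design --
        /// a one-time, expiring reset link is the safer replacement.
        /// NOTE(review): the control has already reset or retrieved the password before it raises
        /// SendingMail (that is the value its default mail would carry), so the ResetPassword call
        /// here resets it a second time; harmless as long as only the mail built here is sent, but
        /// confirm it is intended.
        /// </remarks>
        /// <exception cref="InvalidOperationException">The membership user for the current UserName was not found.</exception>
        /// <exception cref="ConfigurationErrorsException">A required appSettings key is missing.</exception>
        protected void PasswordRecovery1_SendingMail(object sender, MailMessageEventArgs e)
        {
            MembershipUser user = Membership.GetUser(PasswordRecovery1.UserName);
            if (user == null)
            {
                // The original dereferenced the lookup result unconditionally (NullReferenceException).
                throw new InvalidOperationException("The membership user for the supplied user name was not found.");
            }

            string pwd = user.ResetPassword(PasswordRecovery1.Answer);
            string email = StorageByMail.BLL.SBMUser.SelectUser(
                StorageByMail.Data.User.GetIDFromUserName(PasswordRecovery1.UserName)).Email;

            using (MailMessage m = new MailMessage(GetRequiredSetting("AdminEmail"), email))
            {
                m.ReplyTo = new MailAddress(GetRequiredSetting("AdminEmailReply"));
                m.Subject = ResetMailSubject;
                m.Body = BuildResetMailBody(email, pwd);

                SmtpClient smtp = new SmtpClient(GetRequiredSetting("SMTPHost"));
                string smtpUser = GetOptionalSetting("SMTPUser");
                string smtpPass = GetOptionalSetting("SMTPPassword");

                // Empty credentials mean anonymous SMTP, as in the original.
                if (smtpUser.Length > 0 && smtpPass.Length > 0)
                {
                    smtp.Credentials = new System.Net.NetworkCredential(smtpUser, smtpPass);
                }

                smtp.Send(m);
            }

            // The control must not send its default mail as well.
            e.Cancel = true;
        }

        // Builds the plain-text body of the reset mail; kept in one place because it carries the credential.
        private static string BuildResetMailBody(string email, string password)
        {
            StringBuilder sb = new StringBuilder();
            sb.Append("Please return to the site and log in using the following information.\n");
            sb.Append("User Name: " + email + "\n");
            sb.Append("Password: " + password);
            return sb.ToString();
        }

        // Reads a trimmed appSettings value. A missing key is a deployment error and is reported
        // by name instead of surfacing as a NullReferenceException from Trim().
        private static string GetRequiredSetting(string key)
        {
            string value = ConfigurationManager.AppSettings[key];
            if (value == null)
            {
                throw new ConfigurationErrorsException("Missing appSettings value '" + key + "'.");
            }

            return value.Trim();
        }

        // Reads a trimmed appSettings value, treating an absent key like an empty value.
        // (The original read these through the obsolete ConfigurationSettings.AppSettings,
        // which forwards to ConfigurationManager.AppSettings.)
        private static string GetOptionalSetting(string key)
        {
            string value = ConfigurationManager.AppSettings[key];
            return value == null ? string.Empty : value.Trim();
        }
    }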

}


Without knowing a lot about ASP.NET membership, my guess would be that the line:

PasswordRecovery1.UserName = username;
// where username = Membership.GetUserNameByEmail(PasswordRecovery1.UserName);

is causing your problem. Even though you say you're not using username in your model, I'd bet that ASP.NET populates the username column in your database with a GUID. Take a look at your database, and see if that GUID matches up with the username column in your table for this user.
