
Membership: Resetting user password


I'm using the ASP.NET Membership (SQL Server) provider to manage my users. Normal users need to use the question/answer method to reset their password, so the requiresQuestionAndAnswer flag is true in web.config. But in the Admin section (which resides in a subfolder of the website), I need to enable password reset without requiring him to enter the question's answer. So I tried adding a separate web.config in the Admin subfolder, expecting it to inherit everything from the root folder by default, and then applied the following transform to it, for both Debug and Release configurations:

<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
    <system.web>
        <membership>
            <providers>
                <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" requiresQuestionAndAnswer="false" xdt:Transform="SetAttributes" xdt:Locator="Match(name)" />
            </providers>
        </membership>
    </system.web>
</configuration>

The web.config of the Admin subfolder itself is empty in the sense that it just contains
<?xml version="1.0"?><configuration />. Of course I expect it to inherit all other settings from the root folder's web.config. But it doesn't seem to work. The ResetPassword() method of Membership still gives me a "Value cannot be null" error when I try to call the parameter-less overload. What am I doing wrong?


Solution

  • OK. Figured it out. The approach I was taking was wrong. There's no need to set up another web.config in the Admin subfolder. You basically need to add a second MembershipProvider to your root-level web.config, with a different name of course, and set requiresQuestionAndAnswer to false for it. In the <membership> node, you can set defaultProvider="NAME_OF_YOUR_FIRST_PROVIDER" to ensure security.

    Then in your code, you can do the following to reset the user's password without requiring the question/answer thing.

     // username: the account whose password is being reset.
     MembershipUser mu = Membership.Providers["NAME_OF_YOUR_SECOND_PROVIDER"].GetUser(username, false);
     if (mu != null)
     {
         string NewPwd = mu.ResetPassword();
     }
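
The two-provider root web.config described in the answer above, as an added example that is not part of the original post. The second provider's name, the connection string name, the applicationName value and the "Administrators" role are assumptions; both providers must share the same connectionStringName and applicationName so that they address the same user records.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- defaultProvider stays on the question/answer provider, so every call
         that goes through the static Membership class still requires the answer. -->
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <!-- Drop the inherited machine.config entry before redefining the name. -->
        <clear />
        <!-- First provider: used by normal users, answer required for reset. -->
        <add name="AspNetSqlMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="ApplicationServices"
             applicationName="/"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="true" />
        <!-- Second provider (hypothetical name): same store, no answer needed.
             Reference it by name only from admin code. -->
        <add name="AdminResetMembershipProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="ApplicationServices"
             applicationName="/"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false" />
      </providers>
    </membership>
  </system.web>

  <!-- Assumption: the pages that call the second provider live under ~/Admin
       and administrators belong to a role named "Administrators". -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because the second provider resets a password without the security answer, the only code that indexes Membership.Providers with its name should be code reachable through the restricted Admin path.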