
How to set the valid time for a password reset link generated with ASP Identity


For our new project we want to leverage as much of the asp.net mvc 5 as we can. This includes making use of the AspNet.Identity toolset for our user administration.

We are using the following version(s):

  "Microsoft.AspNet.Identity.Core" version="2.2.1" targetFramework="net46" 
  "Microsoft.AspNet.Identity.EntityFramework" version="2.2.1" targetFramework="net46"

In our previous roll-your-own applications we made sure that reset links can be used only once, and that they expire within a day or so.

Does AspNet.Identity support something similar? I could not find it in the documentation.

To pass our security checks the link should at least expire.

How to make this happen?


Solution

  • ASP.NET Identity by default generates reset tokens based on existing user properties. This means that when those properties change, the reset token is automatically invalidated. This will meet your one-time use requirement (when they use the token and reset their password, the token will no longer be valid).

    Reset token expiration can be set when you assign an IUserTokenProvider to the UserTokenProvider property of your UserManager.

    A good example of IUserTokenProvider is DataProtectorTokenProvider found in the Microsoft.AspNet.Identity.Owin package. This class uses the previously mentioned security-stamp-based tokens and allows for expiration times to be set using the TokenLifespan property. For info on how to implement this, check out this answer.
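
An added example, not part of the original answer: one way to set the expiry the answer describes, in the UserManager factory of an MVC 5 project using Microsoft.AspNet.Identity.Owin. The names ApplicationUser, ApplicationDbContext and ApplicationUserManager, the "DefaultConnection" connection string name, the 24-hour lifespan and the TryResetPasswordAsync helper are assumptions made for illustration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;

// Assumed application types; rename to match your project.
public class ApplicationUser : IdentityUser { }

public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext() : base("DefaultConnection") { }
}

public class ApplicationUserManager : UserManager<ApplicationUser>
{
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }

    // Register in Startup with
    // app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
    public static ApplicationUserManager Create(
        IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
    {
        var manager = new ApplicationUserManager(
            new UserStore<ApplicationUser>(context.Get<ApplicationDbContext>()));

        var protectionProvider = options.DataProtectionProvider;
        if (protectionProvider != null)
        {
            manager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(
                protectionProvider.Create("ASP.NET Identity"))
            {
                // Applies to every token this provider issues, so e-mail
                // confirmation tokens get the same lifespan as reset tokens.
                TokenLifespan = TimeSpan.FromHours(24)
            };
        }
        return manager;
    }

    // Hypothetical helper: false when the token is expired, tampered with, or was
    // issued before the user's security stamp last changed (e.g. an earlier reset).
    public async Task<bool> TryResetPasswordAsync(string userId, string token, string newPassword)
    {
        IdentityResult result = await ResetPasswordAsync(userId, token, newPassword);
        return result.Succeeded;
    }
}
```

The link itself carries a token from `GeneratePasswordResetTokenAsync(userId)`; the lifespan is checked when `ResetPasswordAsync` validates that token, so no cleanup job is needed for unused links.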