
What approach could/should I take to change a password bearing in mind the requirements I have to follow?


I need to provide functionality to reset a user's password on our asp.net web site.

For this to be accomplished the user must provide the email address they registered with and the functionality should reset the password they have forgotten, which is easy enough.

The tricky part is taking into consideration the membership model of the site (it does not use the standard AspnetMembershipProviders); the site uses its own system for handling users.

The fulcrum of this question is the requirements I have been provided with and which I must follow, which are:

1) The user can enter an email address to reset the password
2) The password is sent to the email address provided
3) The temporary password must be valid for no more than 24 hours
4) The email will provide a link to allow them to enter the temporary password
5) When they log in they must be prompted to reset to a permanent password
6) The temporary password must be single use

For point 3, a colleague suggested using an SQL Job to automate the time restriction, but I am not entirely sure how that would work or whether it is the best approach.

For point 6, I was thinking of using a trigger to invalidate the temporary password when it was used to log in, so that if they try again they would have to go through the entire process again.

3 and 6 are the parts I would like ideas on. Also, when explaining your answer, can you try to state why it should be done using the methods prescribed, so I can better judge which answer is the most appropriate to my requirements.


Solution

  • 3) the temporary password must be valid for no more than 24 hours

    This is what I would do. When the person asks to reset the password, the system-generated password would be updated into the database table. This table has a LastModified column as well as an IsSystemGeneratedPassword column, both of which would be set to the current datetime and true respectively. Next, when a user tries to log in, if IsSystemGeneratedPassword is true, then I would compare LastModified with the current date and find the time elapsed. If it exceeds the limit (in your case 24 hours) the login is not allowed. The user is told that the temporary password has expired and is redirected to the Reset Password page again.

  • 6) the temporary password must be single use

    When the user logs in via step 3 above and is able to successfully log in, because IsSystemGeneratedPassword is true, the user must be redirected to the change password page where they change it to one of their choice. No option. When changed by the user, IsSystemGeneratedPassword will be set to false.

    This approach involves no batch jobs to invalidate values.
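A C# sketch of the scheme the answer describes, added here as an illustration and not code from the question, the answer or the asker's site. It assumes .NET 6 or later and uses an in-memory UserRow in place of the site's own users table; the e-mail of point 2 and the link of point 4 are left to the caller.

```csharp
using System;
using System.Security.Cryptography;

// Illustration of the answer's scheme (assumed shape, not the asker's schema): the
// users row carries LastModified and IsSystemGeneratedPassword, both checked at login.
public class UserRow
{
    public byte[] PasswordHash, Salt;      // store a salted hash, never the password
    public DateTime LastModified;          // set when the temporary password is issued
    public bool IsSystemGeneratedPassword; // true until the user picks a permanent one
}

public enum LoginResult { Ok, BadPassword, TempExpired, MustChangePassword }
public static class PasswordReset
{
    static readonly TimeSpan TempLifetime = TimeSpan.FromHours(24);
    static byte[] Hash(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 100_000, HashAlgorithmName.SHA256, 32);

    static void Store(UserRow user, string password, DateTime now, bool temporary)
    {
        user.Salt = RandomNumberGenerator.GetBytes(16);
        user.PasswordHash = Hash(password, user.Salt);
        user.LastModified = now;
        user.IsSystemGeneratedPassword = temporary;
    }

    // Points 1-2: random temporary password; the caller e-mails it, only the hash is kept.
    public static string IssueTemporaryPassword(UserRow user, DateTime now)
    {
        string temp = Convert.ToBase64String(RandomNumberGenerator.GetBytes(12));
        Store(user, temp, now, temporary: true);
        return temp;
    }

    // Points 3 and 5: an expired temporary password is refused before it is even checked;
    // a live one logs the user in but only as far as the change-password page.
    public static LoginResult Login(UserRow user, string password, DateTime now)
    {
        if (user.IsSystemGeneratedPassword && now - user.LastModified > TempLifetime)
            return LoginResult.TempExpired;
        if (!CryptographicOperations.FixedTimeEquals(Hash(password, user.Salt), user.PasswordHash))
            return LoginResult.BadPassword;
        return user.IsSystemGeneratedPassword ? LoginResult.MustChangePassword : LoginResult.Ok;
    }

    // Point 6: replacing the temporary password clears the flag, so it cannot be reused.
    public static void SetPermanentPassword(UserRow user, string newPassword, DateTime now) =>
        Store(user, newPassword, now, temporary: false);
}
```

Passing the clock in as a parameter keeps the 24-hour rule testable without waiting a day, and the expiry check runs before the hash comparison so an expired temporary password gives no feedback on whether it was correct.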