Jasinski Technical Wiki

Navigation

Home Page
Index
All Pages

Quick Search
»
Advanced Search »

Contributor Links

Create a new Page
Administration
File Management
Login/Logout
Your Profile

Other Wiki Sections

Software

PoweredBy

Changing Password without the Old Password - ASP.NET Membership API

RSS
Modified on Tue, Apr 24, 2012, 8:11 AM by Administrator Categorized as ASP·NET MVC, ASP·NET Web Forms

Overview

It's common for a system administrator to be able to change a user's password without knowing the old password. However, the ASP.NET Membership API doesn't have a method for doing this directly. This article explains a work-around, which proceeds in the following steps.

  1. In our web.config file, we configure a second, administrative membership provider that doesn't require the question/answer combination.
  2. Using this administrative membership provider, we call the MembershipUser.ResetPassword method to have the system generate a new password for the user
  3. Using this system-generated password as the "old" password, we change the user's password to whatever we need.

Solution

Web.Config

You will need to have a second membership providers configured for administrative purposes. Note that requiresQuestionAndAnswer is false for the admin provider.

<membership defaultProvider="MyMembershipProvider">
  <providers>
    <clear/>
    <add
        name="MyMembershipProvider" type="System.Web.Security.SqlMembershipProvider" applicationName="/"
        connectionStringName="MySqlClient" enablePasswordRetrieval="false" enablePasswordReset="true"
        requiresQuestionAndAnswer="true" requiresUniqueEmail="false" maxInvalidPasswordAttempts="1000"
        minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
        />
    <add
        name="MyMembershipProviderAdmin" type="System.Web.Security.SqlMembershipProvider" applicationName="/"
        connectionStringName="MySqlClient" enablePasswordRetrieval="false" enablePasswordReset="true"
        requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5"
        minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
        />
  

Application Code

System.Web.Security.MembershipUser user 
    = Membership.Providers["MyMembershipProviderAdmin"].GetUser(userName, false);

//If the admin does not supply a password then
//the system will reset password to system defined password
//and we will change that to the specified password
if (currentPassword == "")
    currentPassword = user.ResetPassword();

bool IsUpdated = user.ChangePassword(currentPassword, password);

ScrewTurn Wiki version 3.0.1.400. Some of the icons created by FamFamFam. Except where noted, all contents Copyright © 1999-2018, Patrick Jasinski.