3  

A user entering their username and reset code should log them into the site just as their username and password would. The difference is you then immediately force them to change their password. With this password reset method you're implicitly trusting that the user is the owner of the email account where the code was sent.

用户输入用户名和重置代码时，应该像登录用户名和密码一样登录网站。不同的是，你会立即强迫他们更改密码。使用这个密码重置方法，您可以隐式地信任用户是发送代码的电子邮件帐户的所有者。

Edit:

Ok, so I don't know the first thing about ASP.net.

好吧，我不知道关于ASP.net的第一件事。

However, I've handled this problem many times before. Here is a solution of mine in PHP:

然而，我以前已经处理过这个问题很多次了。下面是我的PHP解决方案:

<?php
class AuthController extends Zend_Controller_Action
{
    public function identifyAction()
    {
        if ($this->_request->isPost()) {
            $username = $this->_getParam('username');
            $password = $this->_getParam('password');

            if (empty($username) || empty($password)) {
                $this->_flashError('Username or password cannot be blank.');
            } else {
                $user = new User();
                $result = $user->login($username, $password);

                if ($result->isValid()) {
                    $user->fromArray((array) $this->_auth->getIdentity());

                    if ($this->_getParam('changepass') || $user->is_password_expired) {
                        $this->_redirect('auth/change-password');
                        return;
                    }
                    $this->_doRedirect($user);
                    return;
                } else {
                    $this->_doFailure($result->getIdentity());
                }
            }
        }
        $this->_redirect('/');
    }

    public function forgotPasswordAction()
    {
        if ($this->_request->isPost()) {
            // Pseudo-random uppercase 6 digit hex value
            $resetCode = strtoupper(substr(sha1(uniqid(rand(),true)),0,6));

            Doctrine_Query::create()
                ->update('dUser u')
                ->set('u.reset_code', '?', array($resetCode))
                ->where('u.username = ?', array($this->_getParam('username')))
                ->execute();

            $mail = new Zend_Mail();
            $mail->setBodyText($this->_resetEmailBody($this->_getParam('username'), $resetCode));
            $mail->setFrom('no-reply@example.com', 'Example');
            $mail->addTo($this->_getParam('username'));
            $mail->setSubject('Forgotten Password Request');
            $mail->send();


            $this->_flashNotice("Password reset request received.");
            $this->_flashNotice("An email with further instructions, including your <em>Reset Code</em>, has been sent to {$this->_getParam('username')}.");
            $this->_redirect("auth/reset-password/username/{$this->_getParam('username')}");
        }
    }

    public function resetPasswordAction()
    {
        $this->view->username = $this->_getParam('username');
        $this->view->reset_code = $this->_getParam('reset_code');

        if ($this->_request->isPost()) {
            $formData = $this->_request->getParams();
            if (empty($formData['username']) || empty($formData['reset_code'])) {
                $this->_flashError('Username or reset code cannot be blank.');
                $this->_redirect('auth/reset-password');
            } elseif ($formData['new_password'] !== $formData['confirm_password']) {
                $this->_flashError('Password and confirmation do not match.');
                $this->_redirect('auth/reset-password');
            } else {
                $user = new User();
                $result = $user->loginWithResetCode($formData['username'], $formData['reset_code']);

                if ($result->isValid()) {
                    $user->updatePassword($result->getIdentity(), $formData['new_password']);

                    $user->fromArray((array) $this->_auth->getIdentity());
                    $this->_setLegacySessionData($user);

                    $this->_flashNotice('Password updated successfully!');
                    $this->_doRedirect($user);
                } else {
                    $this->_doFailure($result->getIdentity());
                    $this->_redirect('auth/reset-password');
                }
            }
        }
    }

    protected function _doFailure($username)
    {
        $user = Query::create()
            ->from('User u')
            ->select('u.is_locked')
            ->where('u.username = ?', array($username))
            ->fetchOne();

        if ($user->is_locked) {
            $lockedMessage = Config::get('auth.lock_message');
            if (!$lockedMessage) {
                $lockedMessage = 'This account has been locked.';
            }
            $this->_flashError($lockedMessage);
        } else {
            $this->_flashError('Invalid username or password');
        }
    }
}

If you can follow this, it should give you a good idea of what to do. I'll try to summarize:

如果你能做到这一点，它会让你知道该怎么做。我将试着总结:

This is the regular "login" using username and password. It logs the user in and stores their identity in the session.

这是使用用户名和密码的常规“登录”。它记录用户并将其标识存储在会话中。

This presents the user with a form requesting their username. After entering their username a reset code is generated, stored in their entry in the user table, and they are emailed as well as redirected to the reset password page. This page is unauthenticated, the user is not logged in.

这将向用户提供一个请求用户名的表单。输入用户名后，将生成一个重置代码，存储在用户表的条目中，并通过电子邮件将其发送到重置密码页面。此页面未经身份验证，用户未登录。

This is where the user is presented with the "resetPassword" form. They must provide their username and the reset code they received via email. This authenticates the user with the given username and reset code, just as if the reset code were a password. If the credentials are valid the user is then redirected to the changePassword action where they are permitted to change their password. The changePasswordAction (not shown) requires the user be authenticated (logged in) either via username/password or username/resetCode

在这里，用户将看到“resetPassword”表单。他们必须提供他们的用户名和他们通过电子邮件收到的重置代码。这将使用给定的用户名和重置代码对用户进行身份验证，就像重置代码是密码一样。如果凭证是有效的，那么用户将被重定向到changePassword操作，在那里他们可以修改密码。changePasswordAction(未显示)要求用户通过用户名/密码或用户名/resetCode进行身份验证(登录)

Hope this helps.

希望这个有帮助。

0  

If your code that you're emailing is a GUID or some such ID, there is a statistically low chance that someone can guess that code. If you additionally had the link include a hashed version of their email or some other way of linking the code to the user, I think you'd be pretty well safe from malicious input.

如果你正在发送电子邮件的代码是GUID或类似的ID，那么从统计学上讲，人们猜测代码的可能性很小。如果你有另外的链接，包括一个哈希版本的他们的电子邮件或一些其他方式连接代码到用户，我认为你是相当安全的恶意输入。

I'd be more worried about people being spammed from step c/d, unless you're doing some sort of verification of the email existing currently in your database.

我更担心的是人们会被来自步骤c/d的垃圾邮件所困扰，除非您正在对数据库中现有的电子邮件进行某种验证。

0  

Search for other questions on * with the forgot-password tag. There are already several well written answers on good algorithms and techniques to use.

使用忘记密码标签搜索*上的其他问题。关于好的算法和使用的技术，已经有了几个很好的答案。