Why so many unimplemented methods?

Apr 2, 2012 at 10:41 PM

I find it curious that you would have left so many unsupported methods in the CodeFirstMembershipProvider class. Seems to me it wouldn't have been hard to implement those.

Not a criticism, really just a question.

Coordinator
Apr 3, 2012 at 7:02 AM

There are really only two unsupported methods:

  • EnablePasswordRetrieval/GetPassword

Password retrieval will not be supported for security reasons: passwords are stored in hashed format, which is also the only PasswordFormat supported. Neither the System nor the User should be able to fetch passwords. Passwords should be reset upon User request.

  • EnablePasswordReset/ResetPassword - RequiresQuestionAndAnswer/ChangePasswordQuestionAndAnswer

In the standard membership provider implementation, PasswordReset is implemented through the Question & Answer method, which is no longer preferred. Placeholders have been set for token-based password resets and should be implemented in the WebSecurity class.

I'm open to suggestions on what specific way to implement this.

Considering UpdateUser, I really don't see the use of that method. Am I missing something?

Did this answer your question? Have you any specific need for these unsupported methods?

Aug 20, 2012 at 5:33 PM

Hi.

I have a problem with the unimplemented ResetPassword() method.

I need it because I want to change the password of a user from the Admin role, and I don't (want to) know the old password.

The solution is here: http://stackoverflow.com/questions/5013901/asp-net-membership-change-password-without-knowing-old-one , but in that solution I need to use the ResetPassword() method.

What should i do?

Thank you for the answer and your membership provider.

Coordinator
Aug 22, 2012 at 9:27 AM

1. Neither the System nor the User should be able to fetch passwords.

  • This is pretty self-explanatory: passwords should not be fetched from the DB in any case.

2. Admin should not be able to assign a password.

  • A super user, Admin, or person/user in any role should not be able to assign a password; only the user who needs a password reset should write his own password.

3. The System should not be able to generate a password.

  • The best way is to also not let the System generate a password, because it's vulnerable to phishing. If you do it from the admin side, hidden style, i.e. the admin clicks a button and the user in question gets an email with a newly generated password from the System, this is kind of OK but still leaves a bad user experience. The user should do it himself.

If you for any reason need any of these, I suggest you just implement them like you do any method in WebForms or any action in MVC.
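A token-based reset of the kind the coordinator describes (hashed storage only, no password fetch, no admin- or system-chosen password, the user sets their own), as an added C# example that is not part of CodeFirstMembershipProvider or its WebSecurity class. The in-memory dictionaries, the PBKDF2 storage layout and the one-hour token lifetime are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public class TokenPasswordReset
{
    private class ResetRecord { public byte[] TokenHash; public DateTime ExpiresUtc; }
    // Stand-ins for the provider's user table (assumption); a real implementation persists the same fields.
    private readonly Dictionary<string, ResetRecord> _pending = new Dictionary<string, ResetRecord>();
    private readonly Dictionary<string, byte[]> _passwordHashes = new Dictionary<string, byte[]>();
    private readonly TimeSpan _tokenLifetime = TimeSpan.FromHours(1);   // assumed lifetime
    // Step 1: issue a random single-use token to send to the user (for example in a reset link).
    // Only the token's hash is stored, so a database read yields neither passwords nor usable tokens.
    public string GeneratePasswordResetToken(string userName)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        _pending[userName] = new ResetRecord { TokenHash = Sha256(token), ExpiresUtc = DateTime.UtcNow + _tokenLifetime };
        return token;
    }
    // Step 2: the user presents the token together with a password they chose themselves;
    // neither an admin nor the system ever picks or sees that password.
    public bool ResetPasswordWithToken(string userName, string token, string newPassword)
    {
        ResetRecord rec;
        if (!_pending.TryGetValue(userName, out rec)) return false;
        _pending.Remove(userName);                         // one attempt per token, valid or not
        if (DateTime.UtcNow > rec.ExpiresUtc || !FixedTimeEquals(rec.TokenHash, Sha256(token))) return false;
        _passwordHashes[userName] = HashPassword(newPassword);
        return true;
    }

    private static byte[] Sha256(string s) { using (var h = SHA256.Create()) return h.ComputeHash(Encoding.UTF8.GetBytes(s)); }
    // Salted PBKDF2 stored as 16-byte salt + 32-byte key (assumed scheme; the thread only says "hashed").
    private static byte[] HashPassword(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, 16, 100000)) return kdf.Salt.Concat(kdf.GetBytes(32)).ToArray();
    }
    // Constant-time comparison so the token check does not leak how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The same two methods map onto the provider's ResetPassword placeholder: the admin's only action is to trigger GeneratePasswordResetToken and deliver the token, and ResetPasswordWithToken is what the user's reset page calls.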