Password reset security in an ASP.NET application

I have an ASP.NET application that allows users to reset passwords.

Process

  • The user clicks on the reset link via email. The link contains a security token.
  • The user is taken to page 1, which contains the security questions, and answers them.
  • If the answers are correct, the user goes to page 2 and resets the password.

All data is stored safely in a database, etc. My main problem is the interaction between pages 1 and 2, and ensuring that people cannot go directly to page 2 to change their password.

To protect against this, I plan to:

  • Always check the referring page on page 2 and bounce the user if it was not page 1.
  • Place the security token that is included in the email link in the session on page 1, and only allow access to page 2 if it is still in the session.
  • Use a low session timeout, so the time available to enter the password is limited. Optionally, also write to the database the time at which they completed page 1.

My question is: is this a cunning plan, or can anyone see a flaw in it?

+3
3 answers

Step 1 of your plan probably will not work very well; relying on the referrer value is not recommended, since it a) is easily forged, and b) is often disabled by paranoid users.

Step 2 sounds like you want to implement a CSRF-token type approach; this is a good idea.


+2
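As an added example (not code from the question or any of the answers), here is one way to implement step 2 of the plan in ASP.NET Web Forms C#: the token from the e-mail link is verified server-side on page 1 and bound to the session, and page 2 refuses to load unless that session token exists and page 1 was completed within a short window. ResetFlow, Step2Page, the session keys and the in-memory UnusedTokens store are assumptions standing in for the real database lookups.

```csharp
using System;
using System.Collections.Generic;
using System.Web.SessionState;
using System.Web.UI;

// Session-bound reset flow. UnusedTokens is a hypothetical in-memory stand-in for the database.
public static class ResetFlow
{
    const string TokenKey = "PwdResetToken", Step1AtKey = "PwdResetStep1At";
    static readonly TimeSpan Step2Window = TimeSpan.FromMinutes(10);
    static readonly HashSet<string> UnusedTokens = new HashSet<string>(); // hypothetical store
    public static void IssueToken(string token) { UnusedTokens.Add(token); }
    // Page 1 entry: the token from the e-mail link is checked server-side and bound to this session.
    public static bool BeginStep1(HttpSessionState s, string token)
    {
        if (string.IsNullOrEmpty(token) || !UnusedTokens.Contains(token)) return false;
        s[TokenKey] = token;
        return true;
    }
    // Call only after the submitted answers match the stored ones; records when page 1 was passed.
    public static void CompleteStep1(HttpSessionState s, DateTime now) { s[Step1AtKey] = now; }
    // Page 2 gate: a token must be in the session and page 1 must have been passed recently.
    // This replaces the referrer check, which can be forged or simply absent.
    public static bool MayEnterStep2(HttpSessionState s, DateTime now)
    {
        var token = s[TokenKey] as string;
        var step1At = s[Step1AtKey] as DateTime?;
        return token != null && step1At.HasValue && now - step1At.Value <= Step2Window;
    }
    // After the new password is saved: consume the token so the e-mail link cannot be replayed.
    public static void CompleteStep2(HttpSessionState s)
    {
        UnusedTokens.Remove((string)s[TokenKey]);
        s.Remove(TokenKey);
        s.Remove(Step1AtKey);
    }
}

// Page 2 code-behind: bounce anyone who did not pass through page 1 in this session.
public partial class Step2Page : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!ResetFlow.MayEnterStep2(Session, DateTime.UtcNow))
            Response.Redirect("~/Error.aspx", true);
    }
}
```

Page 1 would call ResetFlow.BeginStep1 in its own Page_Load and ResetFlow.CompleteStep1 once the answers are verified; the password-change handler on page 2 calls ResetFlow.CompleteStep2 after saving the new password.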


+2

WizardControl.


+2

Source: https://habr.com/ru/post/1789282/