|Important||This document may not represent best practices for current development, links to downloads and other resources may no longer be valid. Current recommended version can be found here. ArchiveDisclaimer|
How to: Enable User Password Recovery Using the ASP.NET PasswordRecovery Control
If your application uses ASP.NET membership for authentication, you can enable password recovery in your application using the PasswordRecovery control. Your application will send users either their current password or a new password, depending on how your membership provider is configured. By default, ASP.NET hashes passwords using a non-reversible encryption scheme, so a new password is sent to the user. If your membership provider is configured to encrypt passwords or store passwords in clear text (which is not recommended), then the user's current password is sent.
To recover a password, your application must be able to send an e-mail message to the user. Your application must therefore be configured with the name of an SMTP server to which it can forward e-mail messages. For more information, see the SmtpClient class and How to: Install and Configure SMTP Virtual Servers in IIS 6.0.
To enable password recovery
Create or edit an ASP.NET Web page on your site that is accessible to anonymous users (for example, RecoverPassword.aspx). In an authenticated Web site, you can use the location configuration element to specify that a page can be accessed anonymously, as shown in the following example:
<configuration> <location path="RecoverPassword.aspx"> <system.web> <authorization> <allow users="?" /> </authorization> </system.web> </location> <system.web> <authentication mode="Forms" > <forms loginUrl="UserLogin.aspx" /> </authentication> <authorization> <deny users="?" /> </authorization> </system.web> </configuration>
Place a PasswordRecovery control on the page as shown in the following example:
<asp:PasswordRecovery ID="PasswordRecovery1" Runat="server"> </asp:PasswordRecovery>