How to not use ASP.Net Membership Security Question and Answer for custom password recovery?

Question

I don't want to have the security question and answer feature that ASP.Net Membership Provider gives, but I DO want to enable a lost/forgotten password page.

This page would be where a user would enter his/her email address and an email would be sent to that address if the user was registered for them to reset their password via a link sent to that registered email address

I've created the custom table to track such requests, the random key assigned to the request as well as an expiry date on the request. However in writing the code to actually reset the password, I realised that there doesn't seem to be a method that does something like ResetPassword(email, newPassword) without needing to use the Security Q&A bit (which I don't have).

Is there any way to simply reset a user's password via a built in Membership function?

If not, how would I need to get this done?

Thanks in advance for any help given. -Nissan

Answer 1

What I ended up doing was the following

public string ResetPassword(string email)
        {
            var m_userName = Membership.GetUserNameByEmail(email);
            var m_user = Membership.GetUser(m_userName);
            return m_user.ResetPassword();
        }

then I added a new method to use this value to change the password

public bool ChangeLostPassword(string email, string newPassword)
    {
        var resetPassword = ResetPassword(email);
        var currentUser = Membership.GetUser(Membership.GetUserNameByEmail(email), true);
        return currentUser.ChangePassword(resetPassword, newPassword);

    }

Answer 2

Why don't you change this options in web.config?

         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"

in

<membership>
   <providers>
      <clear/>
      <add name="AspNetSqlMembershipProvider" ...
      ..........