For our new project we want to leverage as much of the asp.net mvc 5 as we can. This includes making use of the AspNet.Identity toolset for our user administration.
We are using the following version(s):
  "Microsoft.AspNet.Identity.Core" version="2.2.1" targetFramework="net46" 
  "Microsoft.AspNet.Identity.EntityFramework" version="2.2.1" targetFramework="net46"
In our previous roll-your-own applications we made sure that reset links can be used only once, and that they expire within a day or so.
Does AspNet.Identity support something similar? I could not find it in the documentation.
To pass our security checks the link should at least expire.
How to make this happen?
A good password reset link should last for 1 hour at most; this gives enough time for users with different browsers or devices to be able to access it. However, there are some instances when it may be beneficial to have a link that lasts longer or shorter than an hour.
Once the user answers the security question correctly, the user will get an email with a link to reset the password; this link will expire after 24 hours and it will be active only once, meaning that if the user clicks the link, then ignores it, and later clicks the link again, it has expired.
The typical password reset link is emailed to the user and contains a unique token that in some manner identifies the user. By clicking the link, the user proves they have access to the email associated to the account, and has now authenticated using a second factor.
To control the lifetime of the token, go to IdentityConfig.cs; at the end of the Create function, within the last if related to dataProtectionProvider, you can set the time, look:
  if (dataProtectionProvider != null)
  {
      // Every token issued by this provider (password reset, e-mail confirmation, ...)
      // is rejected once it is older than TokenLifespan.
      manager.UserTokenProvider =
          new DataProtectorTokenProvider<ApplicationUser>(
              dataProtectionProvider.Create("ASP.NET Identity"))
          {
              TokenLifespan = TimeSpan.FromMinutes(1)
          };
  }
Use TokenLifespan = TimeSpan.FromMinutes(1) (or whatever duration you need).
ASP.NET Identity by default generates reset tokens based on existing user properties. This means that when those properties change, the reset token is automatically invalidated. This will meet your one time use requirement (when they use the token and reset their password, the token will no longer be valid).
Reset token expiration can be set when you assign an IUserTokenProvider to the UserTokenProvider property of your UserManager.
A good example of IUserTokenProvider is DataProtectorTokenProvider found in the Microsoft.AspNet.Identity.Owin package. This class uses the previously mentioned security stamp based tokens and allows for expiration times to be set using the TokenLifespan property. For info on how to implement this check out this answer.
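Putting the two answers above together, here is an added example (not code from the question or either answer) of how the lifespan and the one-time-use behaviour fit into a stock ASP.NET MVC 5 project using Identity 2.2.1 and OWIN. The class names ApplicationUser, ApplicationUserManager, ApplicationDbContext, ForgotPasswordViewModel and ResetPasswordViewModel are assumed to match the default project template; the one-hour lifespan is a choice, not a library default.

```csharp
// Added example (not from the original question or answers). Two pieces:
//   1. IdentityConfig.cs: DataProtectorTokenProvider with a one-hour TokenLifespan.
//   2. AccountController: issuing and consuming the reset token. ResetPasswordAsync
//      rotates the user's SecurityStamp, which is what invalidates a used token.
// ApplicationUser, ApplicationDbContext and the two view models are assumed to be
// the ones generated by the MVC 5 project template (assumption, not shown here).
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;

public class ApplicationUserManager : UserManager<ApplicationUser>
{
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }

    public static ApplicationUserManager Create(
        IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
    {
        var manager = new ApplicationUserManager(
            new UserStore<ApplicationUser>(context.Get<ApplicationDbContext>()));

        var dataProtectionProvider = options.DataProtectionProvider;
        if (dataProtectionProvider != null)
        {
            // The token embeds its creation time, the user id, the purpose string
            // ("ResetPassword") and the user's current SecurityStamp, all protected by
            // the IDataProtector. Validation fails if the token is older than
            // TokenLifespan or if any of those four fields no longer matches.
            manager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(
                dataProtectionProvider.Create("ASP.NET Identity"))
            {
                TokenLifespan = TimeSpan.FromHours(1)   // applies to ALL tokens from this provider
            };
        }
        return manager;
    }
}

public class AccountController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    // Step 1: issue the link. No nonce is stored server-side; the binding to the
    // SecurityStamp is what later makes the token single-use.
    [HttpPost, ValidateAntiForgeryToken, AllowAnonymous]
    public async Task<ActionResult> ForgotPassword(ForgotPasswordViewModel model)
    {
        var user = await UserManager.FindByEmailAsync(model.Email);
        if (user != null)
        {
            var token = await UserManager.GeneratePasswordResetTokenAsync(user.Id);
            var url = Url.Action("ResetPassword", "Account",
                new { userId = user.Id, code = token }, protocol: Request.Url.Scheme);
            await UserManager.SendEmailAsync(user.Id, "Reset your password",
                "This link is valid for one hour: <a href=\"" + url + "\">reset password</a>");
        }
        // Identical response whether or not the address exists (no account enumeration).
        return RedirectToAction("ForgotPasswordConfirmation");
    }

    // Step 2: consume the link. ResetPasswordAsync verifies the token, stores the new
    // password hash and updates the SecurityStamp. Presenting the same token again
    // therefore fails with an invalid-token result, even well inside the one hour.
    [HttpPost, ValidateAntiForgeryToken, AllowAnonymous]
    public async Task<ActionResult> ResetPassword(ResetPasswordViewModel model)
    {
        var user = await UserManager.FindByEmailAsync(model.Email);
        if (user == null)
        {
            return RedirectToAction("ResetPasswordConfirmation");
        }
        var result = await UserManager.ResetPasswordAsync(user.Id, model.Code, model.Password);
        if (result.Succeeded)
        {
            return RedirectToAction("ResetPasswordConfirmation");
        }
        foreach (var error in result.Errors) ModelState.AddModelError("", error);
        return View(model);
    }
}
```

Two caveats follow from the security-stamp design. First, the stamp is per user, not per token: if a user requests two reset mails in a row, both tokens are valid until one of them is used (or the hour passes), after which the stamp rotation invalidates both. Second, anything else that rotates the stamp (a password change, UpdateSecurityStampAsync, and in the default template a sign-out of all sessions) also kills outstanding reset tokens, which is usually the desired behaviour but worth knowing when debugging "Invalid token" reports.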