FBA: Invalid Characters in temporary passwords

Topics: Internet/Extranet Edition
Jan 13, 2009 at 1:59 PM
I'm currently running build 18292 of the FBA project. I'm experiencing a problem where new users will be assigned passwords with characters that make it so the user cannot use the password. For example, I recently had a user get assigned a password with a colon in it. The user wasn't able to log in or change their password until I manually reset the password to something else. I seem to remember that there are some parameters that can be tweaked when generating temporary passwords. I've tried searching the discussions on here but I'm having trouble finding the information.
Developer
Jan 13, 2009 at 2:22 PM
Looking at the code, I see that there are, unfortunately, two ways a password gets set. One is in the MembershipRequestControl.cs, which uses a random string of upper and lower case alpha characters, plus numerals. These are assigned to _randCharacters but there are no special characters there.

Unfortunately, the underlying membership provider ResetPassword method is called in two places that I can find: in UserEdit.cs and PasswordRecoveryWebPart.cs.

I don't know if there's some way to modify/configure the ASP.NET membership provider to change the corpus of allowable characters, but you could modify both those pages to mimic the approach we used in the MembershipRequestControl. That is, get a random sequence of characters, and set the password rather than calling ResetPassword.


Regards,
Mike Sharp
Jan 15, 2009 at 12:23 PM
You'll have to excuse me as I'm more of a systems admin than a programmer. I'll have to edit these files and then recompile the solution to see if it works? Is there anyone else out there using FBA that is experiencing this? I find it hard to believe that I'm the only one, especially with the frequency this is happening.

I'm not really concerned about this happening with the reset password pages, my main concern is that this is happening fairly often for new users.
Developer
Jan 15, 2009 at 4:42 PM
Hmmm...now when I look again, I see the temporary password is generated with:

tempPassword = System.Web.Security.Membership.GeneratePassword(passwordLength, System.Web.Security.Membership.MinRequiredNonAlphanumericCharacters);
               
I guess I'm not seeing this issue myself because I have this:

minRequiredNonalphanumericCharacters="0"

set in my web.config under the Membership provider. You might fix this by changing your web.config too. If you've already set that, then the only solution I see would be to modify that line in MembershipRequest.cs to generate a random password using the method defined in MembershipRequestControl:

private string GenerateRandomString(int NumAlphs, CharMix Mix)

I'm really swamped at the moment, but if I can spare some time over the weekend, I'll make the change (along with a couple other minor fixes that need to be done) and create a new release.  Unfortunately, I have to rebuild my dev environment to do that...so it will take a few hours which I don't have at the moment.  The most recent production WSP I have is too old.

Let me know if changing minRequiredNonalphanumericCharacters="0" fixes it though.

Regards,
Mike Sharp
Jan 15, 2009 at 5:26 PM
The plot thickens: my web.config also has minRequiredNonalphanumericCharacters="0" so even though it isn't necessary for the membership provider to put special characters into a temp password it seems to do it anyway. I'll try to edit the .cs files tomorrow and see how it goes. Thanks for all of your help so far.
Developer
Jan 15, 2009 at 5:37 PM
Glad to help if I can. It's odd that the password field doesn't allow those characters, though. That aspect may bear closer inspection. You should be able to enter any printable character in that field. I wonder if this could be an encoding problem after all...

Regards,
Mike Sharp
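
Membership.GeneratePassword treats its second argument as a minimum count of non-alphanumeric characters, so passing 0 (as with minRequiredNonalphanumericCharacters="0") does not keep punctuation such as a colon out of the result. The following is an added example, not code from the FBA project or from anyone in this thread, of the alternative discussed above: a temporary password drawn only from letters and digits using a cryptographic random source. The class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: hypothetical helper, not part of the FBA project.
public static class TempPassword
{
    // Upper and lower case letters plus numerals, no special characters.
    private const string Alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    public static string Generate(int length)
    {
        if (length < 1) throw new ArgumentOutOfRangeException("length");

        // Largest multiple of Alphabet.Length that is <= 256. Random bytes at
        // or above it are discarded so every character is equally likely
        // (a plain "b % 62" would favour the first few characters).
        int limit = 256 - (256 % Alphabet.Length);
        StringBuilder result = new StringBuilder(length);
        byte[] buffer = new byte[length * 2];

        // Cryptographic RNG rather than System.Random, whose output is predictable.
        RandomNumberGenerator rng = RandomNumberGenerator.Create();

        while (result.Length < length)
        {
            rng.GetBytes(buffer);
            for (int i = 0; i < buffer.Length && result.Length < length; i++)
            {
                if (buffer[i] < limit)
                    result.Append(Alphabet[buffer[i] % Alphabet.Length]);
            }
        }
        return result.ToString();
    }

    public static void Main()
    {
        string pw = Generate(12);
        foreach (char c in pw)
            if (Alphabet.IndexOf(c) < 0) throw new Exception("unexpected character");
        Console.WriteLine(pw);
    }
}
```

The returned string would take the place of the GeneratePassword result where the temporary password is assigned; the length passed in still has to satisfy the provider's configured minimum password length.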