Thread: Issues resetting password

Currently we are using Storefront version 9.0.1.2 and are experiencing the following problem. When customers forget the password and they request a new one, then going back to the login page they are asked to enter the temporary password and confirm their new password. Upon hitting the Submit button nothing really happens as the user is asked once again to enter their current (temporary) password and confirm the new password. So they are being redirected over and over again to the same page and the password never gets reset. We have discovered that clearing the temporary ASP.Net files and doing iisreset clears the issue for some time but then at some point (for no apparent reason) it just comes back.
Any advice on this issue will be very much appreciated as obviously customers are having troubles logging to the website. Thank you in advance!

Has anybody experienced that issue? Could you please let me know if this is a bug and if there is an available fix for it? I would appreciate any information as this is very urgent.

Thank you!

I have this issue. It is quite painful and I can't find a solution. The only thing that I found seems to be reasonably consistent is that it happens when the user is an Admin or Super Admin. If the user is a regular user trying to change from a temporary password then it doesn't happen as often, but still happens.

I haven't reported it yet because I usually wait until I find the offending code before I report bugs. However, if you hear of an answer to this one please let me know.

Originally Posted by cjbarth

I have this issue. It is quite painful and I can't find a solution. The only thing that I found seems to be reasonably consistent is that it happens when the user is an Admin or Super Admin. If the user is a regular user trying to change from a temporary password then it doesn't happen as often, but still happens.

I haven't reported it yet because I usually wait until I find the offending code before I report bugs. However, if you hear of an answer to this one please let me know.

We have constant issue with password resets both in V8.x and V9.x. Ive just given up on a real solution.

That's a known issue in early 9.x versions that'll only happen if the random new password that is generated contains an asterisk (*). It's something to do with a .NET problem with hashed passwords that contained that character I believe, I don't have all the details.

It's fixed in the latest release (9.1.0.1), and you can also easily work around it in older versions by just putting a little check in the signin.aspx.cs logic where we reset the password. If the new password contains a *, generate another one, otherwise go ahead and send the customer the new password.

Thank you all for replying! I just tested to make sure but it really does not matter in my case if the password contains '*' or not. The temp password I got was 'svNWtOB6' but the behavior was still the same and I got stuck on the reset screen. Currently we cannot upgrade to the latest version of the Store but since this is fixed in the latest version then can you please provide the code sample/fix that can be applied in the version we use? That is a significant problem if users cannot login to the website and essentially access the Store and complete a purchase! Any help will be greatly appreciated as on multiple occasions we have had very angry customers.

Thank you!

soooooo, what about AspDotNetStorefront ML 8.0.1.2/8.0.1.2? Is there going to be a fix or am I pissing off customers who might buy something off my site since they can't reset their password?

We had this same problem

Installing SP1 seemed to solve the issue.

We too have this problem and this is the way I get around it

1.Reset the password to a temporary one for the customer
2. Go into the SQL table dbo.Customer
3.On the row of the customer having the problem change the value of

Locked Until to NULL
PwdChangeRequired to 0

That should work

We too had this same issue. If you look into the code of signin.aspx page where it sends the email, if the randomly generated password contains & symbol, then for some reason the replace it with *

This is how the email is send.
p.ClearPassword.Replace("&", "*")

SO if you get a password with * then there is 50% chance that it is correct or you should try with an & instead of *.

You can very well fix this with the code.
So when generating a random password in the singin.aspx page, i used the code below, to avoid having "&" in the generated password.
for (int i = 0; i < 1; i++ )
{
p = new RandomPassword();
if (p.ClearPassword.Contains("&"))
i = -1;
else
i = 1;
}

Thanks
Suresh Kumar Narayanasamy

Originally Posted by deanfp

We too have this problem and this is the way I get around it

1.Reset the password to a temporary one for the customer
2. Go into the SQL table dbo.Customer
3.On the row of the customer having the problem change the value of

Locked Until to NULL
PwdChangeRequired to 0

That should work

Originally Posted by svetlanad

Currently we are using Storefront version 9.0.1.2 and are experiencing the following problem. When customers forget the password and they request a new one, then going back to the login page they are asked to enter the temporary password and confirm their new password. Upon hitting the Submit button nothing really happens as the user is asked once again to enter their current (temporary) password and confirm the new password. So they are being redirected over and over again to the same page and the password never gets reset. We have discovered that clearing the temporary ASP.Net files and doing iisreset clears the issue for some time but then at some point (for no apparent reason) it just comes back.
Any advice on this issue will be very much appreciated as obviously customers are having troubles logging to the website. Thank you in advance!

I got this problem too. After a detailed debug i found that the Memebership.ValidatePassword ( or the delegate under it) is not clearing the previous instances of Membeship_ValidatePassword function. when ever a user tries the reset password thing, all the previous tried combinations on the site were still alive and validated by the Membership.ValidatePassword. if any of them resulted invalid then the current result also invalid so user cannot go further even he has given valid values.

so i tried to clear/remove the instance of Membership_ValidatePassword function once validation is done.

1. add the following line of code at the end of Memership_ValidatePassword function in signin.ascx.vb
RemoveHandler Membership.ValidatingPassword, AddressOf Membership_ValidatingPassword
2. restart the website/IIS (restarting website worked in my case)

let me know if this fixed the issue.

I am using 9.0.1.3 and am seeing this issue. Any ideas for a fix?

Did the fix earlier in the thread not fix the issue?

The one about p.ClearPassword.Replace("&", "*") isn't usable because that is not in signin.ascx.cs. I am not sure how to implement the second suggestion (membership) because i'm not sure how to convert that to c#.

Originally Posted by AspDotNetStorefront Staff - Scott

It's fixed in the latest release (9.1.0.1), and you can also easily work around it in older versions by just putting a little check in the signin.aspx.cs logic where we reset the password. If the new password contains a *, generate another one, otherwise go ahead and send the customer the new password.

Did you try adding this logic in?

I have applied the * fix to our site but I can't tell if it's working or not due to previous passwords that have been generated with a *. Just touching web.config lets the user change their password. Is that still because of the * though.

I think this happens when one person has a * in their password. Then all users are locked out. Is this right?

Originally Posted by eswar.net

I got this problem too. After a detailed debug i found that the Memebership.ValidatePassword ( or the delegate under it) is not clearing the previous instances of Membeship_ValidatePassword function. when ever a user tries the reset password thing, all the previous tried combinations on the site were still alive and validated by the Membership.ValidatePassword. if any of them resulted invalid then the current result also invalid so user cannot go further even he has given valid values.

so i tried to clear/remove the instance of Membership_ValidatePassword function once validation is done.

1. add the following line of code at the end of Memership_ValidatePassword function in signin.ascx.vb
RemoveHandler Membership.ValidatingPassword, AddressOf Membership_ValidatingPassword
2. restart the website/IIS (restarting website worked in my case)

let me know if this fixed the issue.

I don't believe the * issue is fixing the issue. I have compared the database values on a user before and after "touching" the web.config file. How can I apply the fix quoted above to c# code to see if this fixes my issue?

Since you say you say you can't tell if the fix you applied is working, why not reset the password from the admin console, which will email the user the new password. That should 'unstuck' them. Or you can go to the database and type in the new password and erase the salt value (I believe there is a FAQ on this) which will then set the password to a plain-text value.

Most issues are from customers who I generate the password for through our reward card script. This script uses built in functions of aspdnsf.

I am testing further, but it seems to be when an error occurs for the user when changing their password, it seems to lock them out from being able to change their password. I am waiting to hear that someone is locked out so I can try logging in with a user I created to make sure it isn't effecting everyone.

When you look at the customers table in the database when someone is locked out, do you see the LockedUntil date set?