Since you have an email address, you can do the whole send an email,
click a link in the email and create your pin. You'd use the pin as
their password, and generate them a username. Set a persistent cookie
with their username (encrypted would be good).

Upon returning to the login page, you'd see that they had the cookie and
show them only the password textbox (calling it PIN entry or something).
When they filled that out, you'd verify their username (from cookie) and
password (PIN) manually via the FormsAuthentication class.

You do have an issue, though, if they don't have the cookie (deleted it,
another PC, etc.). You'd have to get their email address and look up
their username. Or search for their PIN in the Users/Contacts
table...but that'd depend on each of them having a unique PIN which is
pretty unlikely (unless there's only 10 or so contacts, I guess).

--MB
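The flow MB sketches above (generated username in an encrypted persistent cookie, PIN entered on return, verification against the contacts table, then a normal forms-auth cookie) as an added C# example. This is illustration code written here, not MB's code or anything from the list; the IContactStore interface, the cookie name and the attempt limit are assumptions. It adds two things a practitioner would want with a 4-digit PIN: the PIN is stored as a salted PBKDF2 hash rather than in clear text, and repeated failures lock the contact out, since a PIN has only 10,000 possible values.

```csharp
// Added example, not code from the mailing-list thread. Assumes ASP.NET 4.x
// (System.Web) and a hypothetical IContactStore backed by the Users/Contacts table.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

public static class ContactPinLogin
{
    // Hypothetical persistence layer; maps to the app's Users/Contacts table.
    public interface IContactStore
    {
        string GetPinHash(string username);          // "base64(salt):base64(hash)" or null
        int GetFailedAttempts(string username);
        void SetFailedAttempts(string username, int count);
    }

    const string RememberCookieName = "contact_user";  // assumed name
    const int MaxFailedAttempts = 5;                     // assumed limit; 4 digits = 10,000 guesses
    const int Pbkdf2Iterations = 100000;
    const int SaltBytes = 16, HashBytes = 32;

    // Step 1: after the e-mailed link is followed and the PIN chosen, remember the
    // generated username in a persistent cookie. Wrapping it in a
    // FormsAuthenticationTicket gives encryption + MAC under the site's machineKey.
    public static HttpCookie CreateRememberCookie(string username)
    {
        var ticket = new FormsAuthenticationTicket(
            1, username, DateTime.UtcNow, DateTime.UtcNow.AddDays(90),
            true, "contact-remember");
        return new HttpCookie(RememberCookieName, FormsAuthentication.Encrypt(ticket))
        {
            Expires = ticket.Expiration,
            HttpOnly = true,   // not readable from script
            Secure = true      // only sent over HTTPS
        };
    }

    // Step 2: on return, recover the username so the page can show only the PIN box.
    public static string ReadRememberedUsername(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[RememberCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value)) return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired || ticket.UserData != "contact-remember") return null;
            return ticket.Name;
        }
        catch (Exception) { return null; } // tampered, malformed, or key rotated: treat as no cookie
    }

    // Step 3: check the PIN against the stored hash; on success issue the normal
    // forms-auth cookie (session-only), so the rest of the site's Forms auth applies.
    public static bool TryLogin(IContactStore store, string username, string pin, HttpResponse response)
    {
        int failures = store.GetFailedAttempts(username);
        if (failures >= MaxFailedAttempts) return false;        // locked out
        string stored = store.GetPinHash(username);
        if (stored == null || !VerifyPin(pin, stored))
        {
            store.SetFailedAttempts(username, failures + 1);
            return false;
        }
        store.SetFailedAttempts(username, 0);
        FormsAuthentication.SetAuthCookie(username, false);
        return true;
    }

    // Called when the contact first creates the PIN; the result goes in the contacts table.
    public static string HashPin(string pin)
    {
        var salt = new byte[SaltBytes];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        byte[] hash = Derive(pin, salt);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    static bool VerifyPin(string pin, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = Derive(pin, salt);
        // Fixed-time comparison so a mismatch position does not leak through timing.
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    static byte[] Derive(string pin, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(pin, salt, Pbkdf2Iterations))
            return kdf.GetBytes(HashBytes);
    }
}
```

The lookup problem MB raises for a contact without the cookie is left to the caller: after the e-mail address is used to find the username again, CreateRememberCookie can simply be reissued.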

> -----Original Message-----
> From: Discussion of advanced .NET topics. [mailto:ADVANCED-
> [EMAIL PROTECTED] On Behalf Of Paul Cowan
> Sent: Thursday, January 03, 2008 10:54 AM
> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
> Subject: [ADVANCED-DOTNET] non authenticated security
> 
> Hi all, I am migrating an ASP app. to an ASP.NET and have spotted a
> potential security hole.
> Most of the app. I am securing with Forms authentication but as stands
> they have another requirement whereby users who are just contacts who
> exist in the system without a username or password can access certain
> parts of the site which are sensitive.  They have been entered in the
> system by importing an excel or SAP feed.  They have not been created
> via the system and as such do not have usernames or passwords.
> The way things stand at the minute, the user gets redirected to a page
> where they create a 4 digit pin number which allows them to access the
> system via another page.
> This seems terrible to me.
> Can anyone think of a better way of handling this situation?
> Cheers
> [EMAIL PROTECTED]
> ===================================
> This list is hosted by DevelopMentor(r)  http://www.develop.com
> 
> View archives and manage your subscription(s) at
> http://discuss.develop.com
