Edit

Share via


SqlMembershipProvider.GetPassword(String, String) Method

Definition

Returns the password for the specified user name from the SQL Server membership database.

public:
 override System::String ^ GetPassword(System::String ^ username, System::String ^ passwordAnswer);
public override string GetPassword (string username, string passwordAnswer);
override this.GetPassword : string * string -> string
Public Overrides Function GetPassword (username As String, passwordAnswer As String) As String

Parameters

username
String

The user to retrieve the password for.

passwordAnswer
String

The password answer for the user.

Returns

The password for the specified user name.

Exceptions

passwordAnswer is invalid.

-or-

The membership user identified by username is locked out.

username is not found in the membership database.

-or-

An error occurred while retrieving the password from the database.

One of the parameter values exceeds the maximum allowed length.

-or-

username is an empty string (""), contains a comma, or is longer than 256 characters.

-or-

passwordAnswer is an empty string and RequiresQuestionAndAnswer is true.

-or-

passwordAnswer is greater than 128 characters.

-or-

The encoded version of passwordAnswer is greater than 128 characters.

username is null.

-or-

passwordAnswer is null and RequiresQuestionAndAnswer is true.

Examples

The following code example retrieves the password for a specified user name and sends it to the user in an email message.

Note

Returning a password in clear text using email is not recommended for sites that require a high level of security. For high-security sites, we recommend that you return passwords using encryption, such as SSL.

Note

This sample calls the SqlMembershipProvider specified as the defaultProvider in the Web.config file by using the Membership class. If you need to access the default provider as the type SqlMembershipProvider, you can cast the Provider property of the Membership class. To access other configured providers as a specific provider type, you can access them by their configured name with the Providers property of the Membership class and cast them as the specific provider type.

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Web.Security" %>
<%@ Import Namespace="System.Net.Mail" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">

public void Page_Load(object sender, EventArgs args)
{
  if (!Membership.EnablePasswordRetrieval)
  {
    FormsAuthentication.RedirectToLoginPage();
  }

  Msg.Text = "";

  if (!IsPostBack)
  {
    Msg.Text = "Please enter a user name.";
  }
  else
  {
    VerifyUsername();
  }
}


public void VerifyUsername()
{
    MembershipUser user = Membership.GetUser(UsernameTextBox.Text, false);

    if (user == null)
    {
      Msg.Text = "The user name " + Server.HtmlEncode(UsernameTextBox.Text) + " was not found. Please check the value and re-enter.";

      QuestionLabel.Text = "";
      QuestionLabel.Enabled = false;
      AnswerTextBox.Enabled = false;
      EmailPasswordButton.Enabled = false;
    }
    else
    {
      QuestionLabel.Text = user.PasswordQuestion;
      QuestionLabel.Enabled = true;
      AnswerTextBox.Enabled = true;
      EmailPasswordButton.Enabled = true;
    }
}


public void EmailPassword_OnClick(object sender, EventArgs args)
{
  // Note: Returning a password in clear text using email is not recommended for
  // sites that require a high level of security.

  try
  {
    string password = Membership.Provider.GetPassword(UsernameTextBox.Text, AnswerTextBox.Text);
    MembershipUser u = Membership.GetUser(UsernameTextBox.Text);
    EmailPassword(u.Email, password);
    Msg.Text = "Your password was sent via email.";
  }
  catch (MembershipPasswordException e)
  {
    Msg.Text = "The password answer is incorrect. Please check the value and try again.";
  }
  catch (System.Configuration.Provider.ProviderException e)
  {
    Msg.Text = "An error occurred retrieving your password. Please check your values " +
               "and try again.";
  }
}


private void EmailPassword(string email, string password)
{
  try
  {
    MailMessage Message = new MailMessage("administrator", email);
    Message.Subject = "Your Password";
    Message.Body = "Your password is: " + Server.HtmlEncode(password);

    SmtpClient SmtpMail = new SmtpClient("SMTPSERVER");
    SmtpMail.Send(Message);
  }
  catch 
  {
    Msg.Text = "An exception occurred while sending your password. Please try again.";
  }
}

</script>
<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
<title>Sample: Retrieve Password</title>
</head>
<body>

<form id="form1" runat="server">
  <h3>Retrieve Password</h3>

  <asp:Label id="Msg" runat="server" ForeColor="maroon" /><br />

  Username: <asp:Textbox id="UsernameTextBox" Columns="30" runat="server" AutoPostBack="true" />
            <asp:RequiredFieldValidator id="UsernameRequiredValidator" runat="server"
                                        ControlToValidate="UsernameTextBox" ForeColor="red"
                                        Display="Static" ErrorMessage="Required" /><br />

  Password Question: <b><asp:Label id="QuestionLabel" runat="server" /></b><br />

  Answer: <asp:TextBox id="AnswerTextBox" Columns="60" runat="server" Enabled="false" />
          <asp:RequiredFieldValidator id="AnswerRequiredValidator" runat="server"
                                      ControlToValidate="AnswerTextBox" ForeColor="red"
                                      Display="Static" ErrorMessage="Required" Enabled="false" /><br />

  <asp:Button id="EmailPasswordButton" Text="Email My Password" 
              OnClick="EmailPassword_OnClick" runat="server" Enabled="false" />

</form>

</body>
</html>

<%@ Page Language="VB" %>

<%@ Import Namespace="System.Web.Security" %>
<%@ Import Namespace="System.Net.Mail" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">

  Public Sub Page_Load(ByVal sender As Object, ByVal args As EventArgs)

    If Not Membership.EnablePasswordRetrieval Then
      FormsAuthentication.RedirectToLoginPage()
    End If

    Msg.Text = ""

    If Not IsPostBack Then
      Msg.Text = "Please enter a user name."
    Else
      VerifyUsername()
    End If

  End Sub


  Private Sub VerifyUsername()

    Dim user As MembershipUser = Membership.GetUser(UsernameTextBox.Text, False)

    If user Is Nothing Then
      Msg.Text = "The user name " & Server.HtmlEncode(UsernameTextBox.Text) & " was not found. Please check the value and re-enter."

      QuestionLabel.Text = ""
      QuestionLabel.Enabled = False
      AnswerTextBox.Enabled = False
      EmailPasswordButton.Enabled = False
    Else
      QuestionLabel.Text = user.PasswordQuestion
      QuestionLabel.Enabled = True
      AnswerTextBox.Enabled = True
      EmailPasswordButton.Enabled = True
    End If

  End Sub


  Public Sub EmailPassword_OnClick(ByVal sender As Object, ByVal args As EventArgs)

    ' Note: Returning a password in clear text using email is not recommended for
    ' sites that require a high level of security.

    Try
      Dim password As String = Membership.Provider.GetPassword(UsernameTextBox.Text, AnswerTextBox.Text)
      Dim u As MembershipUser = Membership.GetUser(UsernameTextBox.Text)
      EmailPassword(u.Email, password)
      Msg.Text = "Your password was sent via email."
    Catch e As MembershipPasswordException
      Msg.Text = "The password answer is incorrect. Please check the value and try again."
    Catch e As System.Configuration.Provider.ProviderException
      Msg.Text = "An error occurred retrieving your password. Please check your values " & _
                 "and try again."
    End Try

  End Sub


  Private Sub EmailPassword(ByVal email As String, ByVal password As String)

    Try
      Dim Message As MailMessage = New MailMessage("administrator", email)
      Message.Subject = "Your Password"
      Message.Body = "Your password is: " & Server.HtmlEncode(password)
      
      Dim SmtpMail As SmtpClient = New SmtpClient("SMTPSERVER")
      SmtpMail.Send(Message)
    Catch
      Msg.Text = "An exception occurred while sending your password. Please try again."
    End Try

  End Sub

</script>

<html xmlns="http://www.w3.org/1999/xhtml" >
<head>
  <title>Sample: Retrieve Password</title>
</head>
<body>
  <form id="form1" runat="server">
    <h3>
      Retrieve Password</h3>
    <asp:Label ID="Msg" runat="server" ForeColor="maroon" /><br />
    Username:
    <asp:TextBox ID="UsernameTextBox" Columns="30" runat="server" AutoPostBack="True" />
    <asp:RequiredFieldValidator ID="UsernameRequiredValidator" runat="server" ControlToValidate="UsernameTextBox"
      ForeColor="red" Display="Static" ErrorMessage="Required" /><br />
    Password Question: <b>
      <asp:Label ID="QuestionLabel" runat="server" /></b><br />
    Answer:
    <asp:TextBox ID="AnswerTextBox" Columns="60" runat="server" Enabled="False" />
    <asp:RequiredFieldValidator ID="AnswerRequiredValidator" runat="server" ControlToValidate="AnswerTextBox"
      ForeColor="red" Display="Static" ErrorMessage="Required" Enabled="False" /><br />
    <asp:Button ID="EmailPasswordButton" Text="Email My Password" OnClick="EmailPassword_OnClick"
      runat="server" Enabled="False" />
  </form>
</body>
</html>

Remarks

This method is called by the MembershipUser class to retrieve the password for a user from the SQL Server database specified in the ASP.NET application's configuration file (Web.config).

If an incorrect password answer is supplied to the GetPassword method, the internal counter that tracks invalid password-answer attempts is incremented by one. This can result in the user being locked out and unable to log on until the lock status is cleared by a call to the UnlockUser method. If the correct password answer is supplied and the user is not currently locked out, then the internal counter that tracks invalid password-answer attempts is reset to zero. For more information, see the MaxInvalidPasswordAttempts and PasswordAttemptWindow properties.

You can call the GetPassword method directly by first obtaining a reference to the SqlMembershipProvider instance through the Provider property of the Membership class.

If the PasswordFormat property is set to Hashed, the GetPassword method cannot retrieve the password. Hashed passwords are encrypted one-way and cannot be decrypted. If the PasswordFormat property is set to Hashed, and EnablePasswordRetrieval is set to true, a ProviderException is thrown when the provider is initialized.

Leading and trailing spaces are trimmed from all parameter values.

Applies to

See also