In this article I will explain how to customize the ChangePassword control to work without a Membership Provider in ASP.Net using C# and VB.Net.
Database
For this article I have created a new database named LoginDB, which contains the following table named Users.
I have already inserted a few records in the table.
Note: The SQL for creating the database is provided in the attached sample code.
HTML Markup
The HTML Markup consists of an ASP.Net ChangePassword control and a Label control. For the ChangePassword control I have specified:
1. OnChangingPassword event – This event handles the Password changing process.
2. CancelDestinationPageUrl – URL of the page to which the user is redirected when the Cancel button is pressed.
3. NewPasswordRegularExpression – Regular Expression to enforce the Password Policy. Currently I have enforced a policy to allow passwords with a minimum length of 5 characters.
4. NewPasswordRegularExpressionErrorMessage – The message to be displayed when the Password does not match the policy requirements.
The Label control is used to display the success and the error messages.
<asp:ChangePassword ID="ChangePassword1" runat="server" OnChangingPassword="OnChangingPassword"
    RenderOuterTable="false" NewPasswordRegularExpression="^[\s\S]{5,}$"
    NewPasswordRegularExpressionErrorMessage="Password must be of minimum 5 characters."
    CancelDestinationPageUrl="~/Home.aspx">
</asp:ChangePassword>
<br />
<asp:Label ID="lblMessage" runat="server" />
Namespaces
You will need to import the following namespaces.
C#
using System.Drawing;
using System.Configuration;
using System.Data.SqlClient;
VB.Net
Imports System.Drawing
Imports System.Configuration
Imports System.Data.SqlClient
Customizing ChangePassword control to work without Membership Provider in ASP.Net
When the Change Password button is clicked, the following event handler is triggered.
First, a check is made to ensure that the Old Password and the New Password are not equal. If they are equal, an error message is displayed using the Label control.
Once the first check has passed, a query is executed against the database to update the logged in User's password based on the Username.
Note: In Forms Authentication, the logged in User's Username can be fetched using the User.Identity.Name property of the Page class.
Once the query is executed, the number of rows affected in the database is fetched. If the count is greater than zero, the UPDATE operation was successful and a message is displayed to the user.
If the count is zero, the Username and Password combination does not match any record in the database, and an error message is displayed to the user.
C#
protected void OnChangingPassword(object sender, LoginCancelEventArgs e)
{
    // Reject the change when the new password equals the old one (this comparison ignores case).
    if (!ChangePassword1.CurrentPassword.Equals(ChangePassword1.NewPassword, StringComparison.CurrentCultureIgnoreCase))
    {
        int rowsAffected = 0;
        // The current password is part of the WHERE clause, so a row is updated only
        // when the supplied current password matches the value stored in [Password].
        string query = "UPDATE [Users] SET [Password] = @NewPassword WHERE [Username] = @Username AND [Password] = @CurrentPassword";
        string constr = ConfigurationManager.ConnectionStrings["constr"].ConnectionString;
        using (SqlConnection con = new SqlConnection(constr))
        {
            using (SqlCommand cmd = new SqlCommand(query))
            {
                // Parameters keep the user-supplied values out of the SQL text.
                cmd.Parameters.AddWithValue("@Username", this.Page.User.Identity.Name);
                cmd.Parameters.AddWithValue("@CurrentPassword", ChangePassword1.CurrentPassword);
                cmd.Parameters.AddWithValue("@NewPassword", ChangePassword1.NewPassword);
                cmd.Connection = con;
                con.Open();
                rowsAffected = cmd.ExecuteNonQuery();
                con.Close();
            }
            if (rowsAffected > 0)
            {
                lblMessage.ForeColor = Color.Green;
                lblMessage.Text = "Password has been changed successfully.";
            }
            else
            {
                lblMessage.ForeColor = Color.Red;
                lblMessage.Text = "Password does not match with our database records.";
            }
        }
    }
    else
    {
        lblMessage.ForeColor = Color.Red;
        lblMessage.Text = "Old Password and New Password must not be equal.";
    }
    // Cancel the control's own Membership Provider based password change.
    e.Cancel = true;
}
VB.Net
Protected Sub OnChangingPassword(sender As Object, e As LoginCancelEventArgs)
    ' Reject the change when the new password equals the old one (this comparison ignores case).
    If Not ChangePassword1.CurrentPassword.Equals(ChangePassword1.NewPassword, StringComparison.CurrentCultureIgnoreCase) Then
        Dim rowsAffected As Integer = 0
        ' The current password is part of the WHERE clause, so a row is updated only
        ' when the supplied current password matches the value stored in [Password].
        Dim query As String = "UPDATE [Users] SET [Password] = @NewPassword WHERE [Username] = @Username AND [Password] = @CurrentPassword"
        Dim constr As String = ConfigurationManager.ConnectionStrings("constr").ConnectionString
        Using con As New SqlConnection(constr)
            Using cmd As New SqlCommand(query)
                ' Parameters keep the user-supplied values out of the SQL text.
                cmd.Parameters.AddWithValue("@Username", Me.Page.User.Identity.Name)
                cmd.Parameters.AddWithValue("@CurrentPassword", ChangePassword1.CurrentPassword)
                cmd.Parameters.AddWithValue("@NewPassword", ChangePassword1.NewPassword)
                cmd.Connection = con
                con.Open()
                rowsAffected = cmd.ExecuteNonQuery()
                con.Close()
            End Using
            If rowsAffected > 0 Then
                lblMessage.ForeColor = Color.Green
                lblMessage.Text = "Password has been changed successfully."
            Else
                lblMessage.ForeColor = Color.Red
                lblMessage.Text = "Password does not match with our database records."
            End If
        End Using
    Else
        lblMessage.ForeColor = Color.Red
        lblMessage.Text = "Old Password and New Password must not be equal."
    End If
    ' Cancel the control's own Membership Provider based password change.
    e.Cancel = True
End Sub
Web.Config Configuration
If the ChangePassword control is used with .Net Framework 4.0 or higher then you will see the Validation error messages in Black color instead of Red.
To solve this issue, you will need to add the following configuration setting in the system.web section of the Web.Config file.
<pages controlRenderingCompatibilityVersion = "3.5"></pages>
Screenshots
Error message shown when Password does not meet the policy requirements
Error message shown when the Password and the Confirmation Password do not match
Error message shown when the Old and New Password are the same
Error message shown when the Username and Password combination does not match the records
Message shown when the Password is successfully changed