See Also: ChangePassword Members
In this topic:
Use the System.Web.UI.WebControls.ChangePassword control on a page to enable your Web site users to change the passwords they use to log on to your Web site.
If you are not familiar with the set of login controls available in ASP.NET, read ASP.NET Login Controls Overview before continuing. For a list of other topics related to login controls and membership, see Managing Users By Using Membership.
Transmitting passwords over HTTP is a potential security threat. HTTP transmissions can be viewed or compromised by malicious users. To improve security when using login controls, you should use HTTPS protocol with secure sockets layer (SSL) encryption to ensure that the user's password cannot be read during postback. For more information, see Securing Login Controls.
The System.Web.UI.WebControls.ChangePassword control uses the membership provider defined in the ChangePassword.MembershipProvider property to change the password stored in the membership provider data store for the Web site. If you do not assign a membership provider, the System.Web.UI.WebControls.ChangePassword control uses the default membership provider defined in the membership section of the Web.config file. The System.Web.UI.WebControls.ChangePassword control enables users to perform the following actions:
Change their password if they are logged on.
Change their password if they are not logged on, as long as the page that contains the System.Web.UI.WebControls.ChangePassword control allows anonymous access and the ChangePassword.DisplayUserName property is true.
Change the password for a user account, even if they are logged on as a different user. This requires the ChangePassword.DisplayUserName property to be true.
Setting the ChangePassword.DisplayUserName property to true displays the User Name text box, which allows the user to type in a user name. If the user is logged on, the ChangePassword.UserName control is populated with the name of the logged-on user. After the password for the given user name is changed, the user is logged on to the account associated with the changed password, even if the user was not logged on to that account previously.
Accepting user input is a potential security threat. Malicious users can send data that is intended to expose vulnerabilities or run programs that try generated passwords. To improve security when working with user input, you should use the validation features of your control and secure any data providers that are configured for your control. For more information, see Securing Login Controls, Basic Security Practices for Web Applications, and Securing Membership.
The System.Web.UI.WebControls.ChangePassword control can be configured to use e-mail services to send the new password to the user. To send e-mail messages to users from any of ASP.NET Web server controls, you must configure an e-mail server in the Web.config file for your application. For more information, see How to: Configure an SMTP Virtual Server.
Sending user account names or passwords in e-mail is a potential security threat. E-mail messages are typically sent in plain text and can be read by special network "sniffing" applications. To improve security, use the mitigations that are described in Securing Login Controls.
It is not possible to guarantee that a user will receive or view an e-mail message. To verify that a user has received a message, provide a confirmation link in the e-mail message that lets the user confirm that the notification was received.
The System.Web.UI.WebControls.ChangePassword control has two states, or views:
Change Password view Requests the current password, and requires the user to type the new password twice for confirmation. If you allow users who are not logged on to change their passwords, set the ChangePassword.DisplayUserName property to true to display the ChangePassword.UserName control in Change Password view. The ChangePassword.UserName control allows the user to provide their registered user name. If there is an error when changing the password, an error message is displayed in the Change Password view, allowing the user to try again.
Success view Provides confirmation that the password has been changed.
You can use an extensive set of style properties to customize the appearance of the System.Web.UI.WebControls.ChangePassword control. Alternatively, you can apply custom templates to the two views if you need complete control over the appearance of the System.Web.UI.WebControls.ChangePassword control. If you define a template for a view, the WebControl.ControlStyle properties are applied. For a list of the controls that you must set in the view templates, see the ChangePassword.ChangePasswordTemplate and ChangePassword.SuccessTemplate properties. The System.Web.UI.WebControls.ChangePassword control examines the content in the template and throws an exception if a required control is not found, is not named correctly, or is of the wrong type. For example, if you use the content in the template and set the ChangePassword.DisplayUserName property to true, the System.Web.UI.WebControls.ChangePassword will throw an exception if a System.Web.UI.WebControls.TextBox or some other System.Web.UI.IEditableTextControl control is not found for the user name.
The following table lists the System.Web.UI.WebControls.ChangePassword control style properties and describes which UI element they affect. For a list of the properties to which each style applies, see the individual style property.
Cancel button on the Change Password view.
Change Password button on the Change Password view.
Continue button on the Success view.
Error text displayed to the user.
Hyperlinks to other pages.
Instructional text on the page that describes how to use the System.Web.UI.WebControls.ChangePassword control.
Labels for all input fields, such as text boxes.
Hints for providing an acceptable password for the Web site.
Text displayed to the user when the password has been successfully changed.
Text entry input fields.
Titles for the Change Password and Success views.
The System.Web.UI.WebControls.ChangePassword control lets you specify CSS style rules in markup. If you use templates to customize the appearance of the System.Web.UI.WebControls.ChangePassword control, you can specify CSS styles in the markup in the templates. In that case, no extra outer table is required. You can prevent the table from being rendered by setting the ChangePassword.RenderOuterTable property to false.
The System.Web.UI.WebControls.ChangePassword control uses a validation group so that other fields on the same page as the System.Web.UI.WebControls.ChangePassword control can be validated separately. By default, the System.Web.UI.Control.ID property of the System.Web.UI.WebControls.ChangePassword control is used as the name of the validation group. For example, a System.Web.UI.WebControls.ChangePassword control with the ID "ChangePassword1" will use a validation group name of ChangePassword1 as well. To set the validation group that the System.Web.UI.WebControls.ChangePassword control is part of, you must create a template with the control, and then change the validation group name.
To show error messages if a user leaves a System.Web.UI.WebControls.TextBox control empty, add a System.Web.UI.WebControls.ValidationSummary control to the page. Set the ValidationSummary.ValidationGroup property of the System.Web.UI.WebControls.ValidationSummary control to the System.Web.UI.Control.ID property of the System.Web.UI.WebControls.ChangePassword control.
For information about how to use the WebControl.AccessKey property and the WebControl.TabIndex property of a System.Web.UI.WebControls.ChangePassword control, see ASP.NET 4 and ASP.NET Controls and Accessibility.
For information about how to configure this control so that it generates markup that conforms to accessibility standards, see Accessibility in Visual Studio 2010 and ASP.NET 4 and ASP.NET Controls and Accessibility.
System.Web.UI.WebControls.ChangePassword control properties represented by text boxes, such as ChangePassword.UserName and ChangePassword.CurrentPassword, are accessible during all phases of the page life cycle. In particular, during the Page_Init and Page_Load phases, these properties have the same value they had when the System.Web.UI.WebControls.ChangePassword control was rendered. If the user changes the value of the ChangePassword.UserName property by modifying the ChangePassword.UserName text box, the new value will be available when the changed event is raised, which occurs after the Page_Load phase. Therefore, if you set the value of the ChangePassword.UserName property in the Page_Init phase or Page_Load phase and provide a custom handler for a System.Web.UI.WebControls.ChangePassword event, any change that the user makes in the ChangePassword.UserName text box overrides the value set in the Page_Init or Page_Load phase.
<asp:ChangePassword AccessKey="string" BackColor="color name|#dddddd" BorderColor="color name|#dddddd" BorderPadding="integer" BorderStyle="