Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.

DNN 7 Change Password not showing
New Post
1/30/2014 6:31 AM
 
A Wat. wrote:

I thought that by enabling these values in the web.config:

Original behaviour can be restored by altering your Web.config-file. Look for the "enablePasswordRetrieval"-attribute and set it to "true". Also, on the same line, alter the "passwordFormat"-attribute to "Clear" or "Encrypted"

I would get a "Retrieve password" link on the login - allowing users to have their password emailed to them. However, when I change the web.config as above I still just have a "reset password" button.

Are my expectations off base?

I'm afraid they are - let me give some background.

Originally (since DNN 3.0, when we introduced Microsoft's memberrole component that the web.config settings apply to) we used encryption as the default. As encryption is a reversible (decryption) operation it meant that an encrypted password could be retrieved. As such Microsoft decided to support retrieving your password, i.e. an email with your password would be sent out. They realised that this is not very secure as emails are plain text and can be intercepted/read, so added the option to send out a new (reset) password. Realistically that isn't much more secure as it also goes over email but it was slightly better.

With the 7.0.0 release DNN changed to using hashed passwords - hashing is a one-way operation so password emails are not possible (in fact if you set hashing and password retrieval the Microsoft component throws an exception). As such we could have simply gone with password reset - but we wanted to improve on Microsoft's poor design, so we introduced password reset tokens. By doing this the token is 1-time use only (and short lived) and no password is ever emailed.

Our product team considered running with both systems (i.e. allowing password retrieval for encryption, but password reset link for hashing), but that is not ideal due to the additional code and checking - and doesn't address Microsoft's original poor design. As such we decided that all passwords will only be able to use password reset links - this does mean that some of the settings such as passwordretrieval no longer really apply, but it means that the overall system is better, no passwords are ever sent by email and it meant we could integrate with other subsystems such as password history (you can't really integrate password history/banned passwords when you generate random passwords on reset).


Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
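
The reset-token scheme described in the reply above (a one-time, short-lived token mailed instead of a password), as an added example; this is not DNN's code and not part of the original posts. The class name ResetTokenStore, the in-memory dictionary and the 30-minute lifetime are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical in-memory store; a real site would persist these rows in its database.
class ResetTokenStore
{
    private class Entry { public string UserName; public DateTime ExpiresUtc; }
    private readonly Dictionary<string, Entry> _pending = new Dictionary<string, Entry>();
    private readonly TimeSpan _lifetime;
    public ResetTokenStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Returns the token to place in the emailed link; only its SHA-256 hash is kept.
    public string Issue(string userName, DateTime nowUtc)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = BitConverter.ToString(raw).Replace("-", "");
        _pending[HashOf(token)] = new Entry { UserName = userName, ExpiresUtc = nowUtc + _lifetime };
        return token;
    }

    // Returns the user the token belongs to, or null if it is unknown, used or expired.
    public string Redeem(string token, DateTime nowUtc)
    {
        string key = HashOf(token);
        Entry e;
        if (!_pending.TryGetValue(key, out e)) return null;
        _pending.Remove(key);                       // one-time use: gone after any attempt
        return nowUtc <= e.ExpiresUtc ? e.UserName : null;
    }

    private static string HashOf(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.ASCII.GetBytes(token)));
    }

    // Constructed walk-through: first use, replay, then a token presented too late.
    static void Main()
    {
        var store = new ResetTokenStore(TimeSpan.FromMinutes(30)); // lifetime is an assumption
        var t0 = new DateTime(2014, 1, 30, 6, 0, 0, DateTimeKind.Utc);
        string token = store.Issue("alice", t0);
        Console.WriteLine(store.Redeem(token, t0.AddMinutes(5)) ?? "rejected");
        Console.WriteLine(store.Redeem(token, t0.AddMinutes(6)) ?? "rejected");
        Console.WriteLine(store.Redeem(store.Issue("alice", t0), t0.AddHours(2)) ?? "rejected");
    }
}
```

Because the user chooses the new password only after the token is redeemed, the site's own password rules (history, banned passwords) can be applied at that point, which is the integration the reply mentions.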
 
New Post
1/30/2014 10:42 AM
 
Thank you Cathal, I appreciate the detailed response, so that I can respond intelligently to my stakeholders~aw
 
New Post
1/30/2014 5:59 PM
 

Using 7.1.2 version of DNN and with these settings:

<add name="AspNetSqlMembershipProvider"
     type="System.Web.Security.SqlMembershipProvider"
     connectionStringName="SiteSqlServer"
     enablePasswordRetrieval="false"
     enablePasswordReset="true"
     requiresQuestionAndAnswer="false"
     minRequiredPasswordLength="7"
     minRequiredNonalphanumericCharacters="0"
     requiresUniqueEmail="false"
     passwordFormat="Hashed"
     applicationName="DotNetNuke"
     description="Stores and retrieves membership data from the local Microsoft SQL Server database" />

I get the error "Reset password option not available" when I click on the Reset Password button on the login control.

Does requiresUniqueEmail need to be true? That would need to be in the aspnet_membership columns related to email?

I had a user set up that way, but when I switched that requiresUniqueEmail attribute to true, I could not login and I got an error saying the email was invalid.

New Post
3/18/2014 11:17 AM
 

We ran into this. A few details...

1. So I don't miss things like this in the future, where was the info about this change published previously? With each upgrade I read (scan) the release notes and this was a surprise to me.

2. Why did the DNN team choose to re-use the now incorrectly named resource key? 

EMAIL_PASSWORD_REMINDER_BODY.Text ("reminder" should become RESET) 

3. Also, on my 7.02.01 upgrade, the EMAIL_PASSWORD_REMINDER_SUBJECT.Text (System, Host, and Site defaults) still says, "[Portal:PortalName] Password Reminder" - shouldn't the default now be "Password Reset"?

 
New Post
3/18/2014 2:00 PM
 
Password reset links were announced in various 7.1.0 blogs (such as http://www.dnnsoftware.com/community-... ), as well as on the wiki (http://www.dnnsoftware.com/wiki/page/...). For releases such as 7.1.0 where a few hundred items were tackled, the release notes are just a short synopsis; I would always recommend checking Jira to see the full changelog. As to the resource key, it wasn't intentional - initially password reset links were going to be for hashed-only passwords, but it became problematic (as DNN supports different password formats for different users), plus having two different paths to 2 different pieces of functionality based on passwordformat was felt to be confusing. As such we harmonised and changed all password reminders to password resets, hence the reuse of the key - on reflection a new key would have been better and covered the cases where people had customised that key - it's logged as a possible 7.3.0 issue AFAIR so we could well add a new key and amend the code.
