The amazing password recovery experience in Sitecore 8

Along with the new login screen in Sitecore 8 there is also a new implementation of password recovery for editors.

In the old versions of Sitecore the /sitecore/login/default.aspx page redirected the user to a page called passwordrecovery.aspx. This page used an asp:PasswordRecovery asp.net standard webcontrol.

Personally I never became fond of all of these standard but rather complex asp.net webcontrols back when they were released with .NET 2.0. They allowed you to really quickly get a demo site up and running with standard functionality but changing any behavior just a tiny bit to fit your domain specific needs or even design took much more effort than just to use simple webcontrols to build up the same functionality. I only know about most of these webcontrols due to old Microsoft certifications where you were forced to answer all questions like you used them all the time even though you always chose not to because of their inflexible design.

Anyway, for some reason Sitecore has used the asp:PasswordRecovery control back in the days and it has worked quite fine, password recovery mails were sent and we have all been very happy or maybe rather haven’t really cared, it worked.

old_pw_recovery

But there were no way of changing the text in the mails that were sent out with new passwords, not without modifying the passwordrecovery.aspx page itself and overriding its code behind where the texts were hardcoded.

This would then break each time Sitecore were upgraded and so on. I guess no one ever changed the password recovery mails due to this and no one really cared about it.

In Sitecore 8 this has changed

To enable password recovery you need to ensure that you have defined an SMTP server in configuration and that password recovery is not disabled:

sitecore_8_password_recovery

To change the text in the password recovery email you can now simply edit the item /sitecore/system/Settings/Security/Password recovery/Password Recovery Email in the core database.

passwordrecoveryitem

The item field names and what they are used for are quite obvious. The token %Password% is replaced with a generated password and %UserName% with the username (for some solutions it can be considered insecure to include the username along with the password).

When requesting a new password the typed in email address is now sent through a pipeline that out-of-the-box contain the following processors.

  • VerifyUsername – Verifies that a user exists with the provided user name and that the user has an email defined.
  • GeneratePassword – Resets the user password with a new random one.
  • PopulateMail – Populates the pipeline arguments with mail content using the item shown above.
  • SendPasswordRecoveryMail – Instantiates a MailMessage and sends it to the user using MainUtil.SendMail(..)

Finally it is here, what we all have been waiting for, it is now possible to change the password recovery behavior in Sitecore 8. Who need machine learning and Skynet now?

Sitecore sends the mail as plain text and not as html in the standard implementation, but they actually left a small property in the pipeline arguments called HtmlEmailContent.

If you assign this property with a value then the SendMail processor will use this property instead of the plain text.

Below you see an example of a new PopulateMail processor that uses (hardcoded) html as mail content.

It is a very bad idea to hardcode html like this, it is just an example, please do not use it.

Then we patch the new processor into the pipeline instead of the PopulateMail processor. Notice that the pipeline is defined within the configuration element <processors> along with the ui pipelines and not within the <pipelines> element.

And now the password recovery mail look like this:

html_recovery_mail

Instead of this:

default_pw_recovery_mail

It would be nice to have a standard ECM implementation that sends a one-time message for password recovery when ECM is installed. Please feel free to implement this and share the code :)

Now to a much better example

You might want to provide some extra service for your editors and also tighten security so each time a password is reset the editor also receives a text message on his/hers phone.

To do this we first need to add a custom property to the user profile for phone number:

custom_user_profile_phone

We then need a (free or cheap) SMS service with a REST api. I found a completely random one called called textlocal that promise you 10 texts when you sign up. I never got any free credits and ended up purchasing 100 credits for 5£ which is almost double the price of some of their competitors. Their banner got me tricked and that is why I picked them. Their API is simple and really easy to use though.

Now we’ll write a quick and dirty processor for the passwordRecovery pipeline that sends a text message when a user recover their password information:

And then we patch it into the configuration after the mail has been send.

When we recover our password we receive a text message on our phone as shown below:

password recovery text message

That was it for this post.

Anders Laub

Anders Laub Christoffersen

Anders has been working with Sitecore for over a decade and has in this time been the lead developer and architect on several large scale enterprise solutions all around the world. Anders has been nominated a Sitecore Technical MVP three years in a row for 2014, 2015 and 2016. Anders is now working as a Sr. Solutions Architect at Sitecore in Copenhagen.

Leave a Reply

Your email address will not be published. Required fields are marked *

*
*
Website