26

I've implemented ASP.NET Identity in my MVC application by copying the code from the VS 2013 templates. The basic thing is working, but I couldn't get the Reset Password to work. When I show the "forgot password" page, an email is generated which contains the token. This token is returned by the method:

UserManager.GeneratePasswordResetTokenAsync(user.Id) 

When I click the link, the reset password form opens and lets the user input their email address and a new password. Then the call to the change password functionality is made:

UserManager.ResetPasswordAsync(user.Id, model.Code, model.Password); 

This looks good to me, but the result is always an "Invalid Token" and I don't get why that is.

Does anybody have an idea why it isn't working? And where the hell is the token stored? I thought it must be in the database somewhere around the AspNetUsers table...

5 Answers

47

The token generated by UserManager in ASP.NET Identity usually contains "+" characters which, when passed as a query string, get changed into " " (a space) in the URL. In your ResetPassword ActionResult replace " " with "+" like this:

var code = model.Code.Replace(" ", "+");
// And then change the following line
UserManager.ResetPasswordAsync(user.Id, model.Code, model.Password);
// To this one so it uses the code (spaces replaced with "+") instead of model.Code
UserManager.ResetPasswordAsync(user.Id, code, model.Password);

That should do the trick. I had the same problem and found the answer here.


5 Comments

For me, this worked when the UrlEncode/Decode as described in other answers didn't.
I also have the same issue: I can't get the '==' at the end of the code. How can I handle this? I send the code via a query string in the mail. I also tried WebUtility.UrlEncode(code) when sending the mail and WebUtility.UrlDecode(Model.code) when receiving it, but I still get the issue and end up with an invalid token.
This saved me two times.
@Mansoor Would you have any suggestion for this post of mine? I tried your above suggestion but it did not work.
Really curious why Decode didn't work for me either. This answer does work and saved me a lot of headache since the Token isn't always generated with that symbol.
34

Just wanted to add that the most common issue outside of HTML encoding/decoding is that your user entry in the database may be missing a SecurityStamp. There is a bug in ASP.NET Identity where one function sets it to null when creating the token, whereas another when validating the token checks for an empty string.

If your SecurityStamp is null or an empty string, this will cause the invalid token issue.

4 Comments

This was also my problem. I just updated the nulls with a random string and it seemed happy with that! Lots of swearing and rage diffused. I'm in your debt.
Thanks, this solved my problem, which appears to be the same, due to adding the SecurityToken after most of our users. But what about when new users are added? Will they be given a valid security token initially?
This fixed my issue - just ran UPDATE [AspNetUsers] SET [SecurityStamp] = NEWID() WHERE [SecurityStamp] IS NULL to fill in the NULLs then worked fine.
But how do we prevent it from happening again?
2

If your SecurityStamp changes after generating your token, the token is also invalid.

So, for example, you generate your token using

UserManager.GeneratePasswordResetTokenAsync(user.Id); 

and afterwards call

UserManager.RemovePasswordAsync(user.Id); 

Your SecurityStamp gets renewed, and so the token is now invalid.

1 Comment

When I added RemovePasswordAsync before GeneratePasswordResetTokenAsync, it worked for me.
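The two SecurityStamp pitfalls above (a null or empty stamp in the AspNetUsers row, and a stamp that is renewed after the token was issued) can be handled in one place in code. The following is an added example, not code from the question or any answer; ApplicationUserManager and ApplicationUser are the VS 2013 template's names, and the two helper methods are assumptions for this example. It uses only public ASP.NET Identity 2.x members (Users, FindByIdAsync, UpdateSecurityStampAsync, GeneratePasswordResetTokenAsync) and EF6's ToListAsync.

```csharp
// Added example (not from the question or answers). ApplicationUserManager is the
// VS 2013 template's UserManager subclass; the helper names below are assumptions.
using System;
using System.Data.Entity;          // ToListAsync (EF6)
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

public static class PasswordResetHelpers
{
    // One-time repair for rows imported without a stamp: the C# counterpart of
    //   UPDATE AspNetUsers SET SecurityStamp = NEWID() WHERE SecurityStamp IS NULL
    // done through UserManager so the store's own update path runs.
    public static async Task<int> RepairMissingSecurityStampsAsync(ApplicationUserManager manager)
    {
        var ids = await manager.Users
            .Where(u => u.SecurityStamp == null || u.SecurityStamp == "")
            .Select(u => u.Id)
            .ToListAsync();

        foreach (var id in ids)
        {
            // UpdateSecurityStampAsync writes a fresh GUID-based stamp for the user.
            await manager.UpdateSecurityStampAsync(id);
        }
        return ids.Count;
    }

    // Issue a reset token only after every stamp-changing operation has run.
    public static async Task<string> GenerateResetTokenAsync(ApplicationUserManager manager, string userId)
    {
        var user = await manager.FindByIdAsync(userId);
        if (user == null) throw new InvalidOperationException("Unknown user id.");

        // Pitfall 1: a null/empty stamp makes every token fail validation.
        if (string.IsNullOrEmpty(user.SecurityStamp))
        {
            await manager.UpdateSecurityStampAsync(userId);
        }

        // Pitfall 2: the token is tied to the current stamp. Anything that renews the
        // stamp (RemovePasswordAsync, UpdateSecurityStampAsync, ...) must run BEFORE
        // generation; calling it afterwards invalidates the token just issued.
        //   await manager.RemovePasswordAsync(userId);   // <- here, not after

        return await manager.GeneratePasswordResetTokenAsync(userId);
    }
}
```

RepairMissingSecurityStampsAsync is meant to be run once (for example from a maintenance action or a migration seed) after a bulk import; GenerateResetTokenAsync is what the "forgot password" action would call instead of calling GeneratePasswordResetTokenAsync directly. Both methods go through UserManager rather than raw SQL so that the stamp and token stay consistent with whatever token provider the manager is configured with.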
2

For me the security stamp was okay. In line with the accepted answer, I used an encode method to encode the code attached to the reset link, using HttpContext.Current.Server.UrlEncode, like so:

string code = await UserManager.GeneratePasswordResetTokenAsync(user.Id);
string callbackUrl = ConfigurationManager.AppSettings["baseurl"] + "/resetpassword?email=" + user.Email + "&code=" + HttpContext.Current.Server.UrlEncode(code);

Comments
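The accepted answer's space-to-plus fallback and this answer's URL-encoding of the link are two halves of the same flow. The following is an added example, not code from the question or any answer, showing both halves in one MVC 5 AccountController: the link is built with Url.Action, which URL-encodes the token so a "+" travels as "%2B", and the POST handler still applies the Replace fallback for links that were built without encoding. ApplicationUserManager, ForgotPasswordViewModel, ResetPasswordViewModel and the ForgotPasswordConfirmation / ResetPasswordConfirmation views are the VS 2013 template's names; the email wording is constructed for the example.

```csharp
// Added example (not from the question or answers). Template names assumed:
// ApplicationUserManager, ForgotPasswordViewModel, ResetPasswordViewModel,
// ForgotPasswordConfirmation and ResetPasswordConfirmation views.
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

public class AccountController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    // Step 1: mail the reset link. Url.Action URL-encodes route values, so "+" in the
    // token becomes "%2B" and is not turned into a space when the link is followed.
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> ForgotPassword(ForgotPasswordViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        var user = await UserManager.FindByEmailAsync(model.Email);
        // Show the same confirmation whether or not the address is known, so the
        // form does not reveal which email addresses have accounts.
        if (user == null) return View("ForgotPasswordConfirmation");

        string code = await UserManager.GeneratePasswordResetTokenAsync(user.Id);
        string callbackUrl = Url.Action("ResetPassword", "Account",
            new { userId = user.Id, code = code }, protocol: Request.Url.Scheme);
        await UserManager.SendEmailAsync(user.Id, "Reset Password",
            "Reset your password by clicking <a href=\"" + callbackUrl + "\">here</a>");
        return View("ForgotPasswordConfirmation");
    }

    // Step 2: consume the token. If a link was built without encoding, "+" arrives as
    // " "; the Replace below is the accepted answer's fallback for that case and is a
    // no-op for a correctly encoded link.
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> ResetPassword(ResetPasswordViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        var user = await UserManager.FindByEmailAsync(model.Email);
        // Again, do not reveal whether the account exists.
        if (user == null) return RedirectToAction("ResetPasswordConfirmation", "Account");

        string code = (model.Code ?? string.Empty).Replace(' ', '+');
        var result = await UserManager.ResetPasswordAsync(user.Id, code, model.Password);
        if (result.Succeeded) return RedirectToAction("ResetPasswordConfirmation", "Account");

        foreach (var error in result.Errors)
        {
            ModelState.AddModelError("", error);
        }
        return View(model);
    }
}
```

Encoding the token when the link is built is the fix that should be relied on; the Replace in the POST handler only papers over links that were built by string concatenation without UrlEncode, as in the question. If a reset still fails with "Invalid Token" after this, the SecurityStamp issues from the other answers are the next thing to check.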

0

In my case this was because data in the database was imported from another database incorrectly. The SecurityStamp field was null, so I got the invalid token error.

3 Comments

I removed the data import for that specific table and instead used UserManager to create users from the old database.
@TylerJamesHarden I do not remember; maybe I posted my answer without reading your answer first. BTW, sorry for any inconvenience.
I had this issue. To create correct, valid tokens, I put a new GUID in the security stamp field for the user. Once I did that, it started working.
