Bug #41408 PasswordReset not possible when requiresQuestionAndAnswer="false"
Submitted: 11 Dec 2008 18:41 Modified: 5 Mar 12:13
Reporter: jim jones
Status: Closed
Category:Connector/Net Severity:S2 (Serious)
Version:5.2.5 OS:Any
Assigned to: Target Version:

[11 Dec 2008 18:41] jim jones 
Description:
when you use the asp.net membership and configure it to NOT require password question and
answer (requiresQuestionAndAnswer="false") you are not able to reset the user password via
MembershipUser.ResetPassword(). you will get an SqlNullValueException.

How to repeat:
in the web.config add the parameter  requiresQuestionAndAnswer="false" to the
membershipprovider part.

try to reset a password from an existing user like this:

     MembershipUser user = Membership.GetUser("bob");
                    user.ResetPassword()

you will receive an SqlNullValueException

Suggested fix:
quoted a posting from this thread by user "Ujn Ujn":
http://forums.mysql.com/read.php?38,221499,228248#msg-228248

-----------
I found this in the MembershipProvider.cs source for MySql.Web

if (answer == null && RequiresQuestionAndAnswer)
{
UpdateFailureCount(userId, "PasswordAnswer", connection);
throw new ProviderException(Resources.PasswordRequiredForReset);
}

I would say that the answer == null should NOT be there.

So when you create a new user, just add a DUMMY to the password answer
-----------
[12 Dec 2008 10:41] Tonci Grgin 
Hi Jim and thanks for your report.

It is my opinion that what you're presenting in here is misuse of
RequiresQuestionAndAnswer property as described in manual:
/// <summary>
/// Gets a value indicating whether the membership provider is 
/// configured to require the user to answer a password question 
/// for password reset and retrieval.
/// </summary>
/// <value>true if a password answer is required for password 
/// reset and retrieval; otherwise, false. The default is false.</value>
/// <example>
/// The following example shows the membership element being used in an applications
web.config file.
/// <code source="CodeExamples/MembershipCodeExample1.xml"/>
/// </example>
        public override bool RequiresQuestionAndAnswer
        {
            get { return requiresQuestionAndAnswer; }
        }

So, your example should not work as you requested RequiresQuestionAndAnswer to be
false...

Anyway, I'll set report to "Verified" and see what c/NET team lead, Mr. Reggie Burnett,
has to say.
[4 Mar 21:18] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/68281
[4 Mar 21:19] Reggie Burnett 
fixed in 5.2.6
[5 Mar 12:13] Tony Bedford 
An entry was added to the 5.2.6 changelog:

When ASP.NET membership was configured to not require password question and answer using
requiresQuestionAndAnswer="false", a SqlNullValueException was generated when using
MembershipUser.ResetPassword() to reset the user password.