Bug #41408 PasswordReset not possible when requiresQuestionAndAnswer="false"
Submitted: 11 Dec 2008 17:41
Modified: 5 Mar 2009 11:13
Reporter: jim jones
Status: Closed
Category: Connector / NET
Severity: S2 (Serious)
Version: 5.2.5
OS: Any
Assigned to:
CPU Architecture: Any

[11 Dec 2008 17:41] jim jones
When you use the ASP.NET membership and configure it to NOT require password question and answer (requiresQuestionAndAnswer="false"), you are not able to reset the user password via MembershipUser.ResetPassword(). You will get an SqlNullValueException.

How to repeat:
In the web.config, add the parameter requiresQuestionAndAnswer="false" to the membership provider part.

Try to reset a password for an existing user like this:

     MembershipUser user = Membership.GetUser("bob");
     // the reset call named in the description above
     string newPassword = user.ResetPassword();

You will receive an SqlNullValueException.

Suggested fix:
Quoted from a posting in this thread by user "Ujn Ujn": http://forums.mysql.com/read.php?38,221499,228248#msg-228248

I found this in the MembershipProvider.cs source for MySql.Web:

     if (answer == null && RequiresQuestionAndAnswer)
     {
         UpdateFailureCount(userId, "PasswordAnswer", connection);
         throw new ProviderException(Resources.PasswordRequiredForReset);
     }

I would say that the answer == null should NOT be there.

So when you create a new user, just add a DUMMY to the password answer.

[12 Dec 2008 9:41] Tonci Grgin
Hi Jim and thanks for your report.

It is my opinion that what you're presenting here is a misuse of the RequiresQuestionAndAnswer property as described in the manual:
/// <summary>
/// Gets a value indicating whether the membership provider is 
/// configured to require the user to answer a password question 
/// for password reset and retrieval.
/// </summary>
/// <value>true if a password answer is required for password 
/// reset and retrieval; otherwise, false. The default is false.</value>
/// <example>
/// The following example shows the membership element being used in an applications web.config file.
/// <code source="CodeExamples/MembershipCodeExample1.xml"/>
/// </example>
        public override bool RequiresQuestionAndAnswer
        {
            get { return requiresQuestionAndAnswer; }
        }

So, your example should not work as you requested RequiresQuestionAndAnswer to be false...

Anyway, I'll set report to "Verified" and see what c/NET team lead, Mr. Reggie Burnett, has to say.
[4 Mar 2009 20:18] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

[4 Mar 2009 20:19] Reggie Burnett
Fixed in 5.2.6.
[5 Mar 2009 11:13] Tony Bedford
An entry was added to the 5.2.6 changelog:

When ASP.NET membership was configured to not require password question and answer using requiresQuestionAndAnswer="false", a SqlNullValueException was generated when using MembershipUser.ResetPassword() to reset the user password.
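
The behaviour this report asks for, modelled as an added example that is not Connector/NET code and not the committed patch: with requiresQuestionAndAnswer="false" the reset path never reads or compares the stored answer, and with it set to true a NULL stored answer fails the check instead of matching. The `ResetGate` class, the `MayReset` method and the sample values are hypothetical, and the plaintext comparison is a simplification of how a provider stores answers.

```csharp
using System;

// Added illustration; all names here are hypothetical, not MySql.Web identifiers.
static class ResetGate
{
    // storedAnswer models the password-answer column, which is NULL (null here)
    // for users created without a question and answer.
    public static bool MayReset(bool requiresQuestionAndAnswer,
                                string suppliedAnswer, string storedAnswer)
    {
        // Q&A disabled: the stored answer is irrelevant, so it is never
        // dereferenced. Reading a NULL value here is the failure reported above.
        if (!requiresQuestionAndAnswer)
            return true;

        // Q&A enabled: a missing supplied or stored answer is a failed check,
        // never an implicit match.
        if (string.IsNullOrEmpty(suppliedAnswer) || string.IsNullOrEmpty(storedAnswer))
            return false;

        // Simplification: real providers compare encoded or hashed answers.
        return string.Equals(suppliedAnswer, storedAnswer, StringComparison.Ordinal);
    }

    static void Main()
    {
        // Constructed cases: (requiresQuestionAndAnswer, supplied, stored)
        var cases = new (bool Required, string Supplied, string Stored)[]
        {
            (false, null, null),        // the configuration from this report
            (true,  null, "rex"),       // Q&A required but no answer supplied
            (true,  "rex", null),       // Q&A required, user has no stored answer
            (true,  "rex", "rex"),      // Q&A required and answer matches
            (true,  "DUMMY", "rex"),    // Q&A required and answer is wrong
        };

        foreach (var c in cases)
        {
            Console.WriteLine("required={0} supplied={1} stored={2} -> reset allowed: {3}",
                c.Required, c.Supplied ?? "<null>", c.Stored ?? "<null>",
                MayReset(c.Required, c.Supplied, c.Stored));
        }
    }
}
```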