Description:
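The if condition is inverted. Compare it with Microsoft's implementation, WebMatrix.WebData.SimpleMembershipProvider.GeneratePasswordResetToken, and you will see it should be if (str == null). As written, a new token is generated only when an unexpired token already exists; when there is none, the method returns null.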
-- MySql.Web.MySqlSimpleMembershipProvider
// Excerpt from the body of MySql.Web.MySqlSimpleMembershipProvider's password-reset-token
// generation: reads the user's unexpired token and, depending on the check below, stores a new one.
// userId and tokenExpirationInMinutesFromNow come from outside this excerpt.
using (MySqlDatabaseWrapper wrapper = new MySqlDatabaseWrapper(this.GetConnectionString()))
{
// Fetch the stored token only when its expiration date is later than the current time.
// Values are bound through '?' placeholders; only the table name is formatted into the SQL text.
// NOTE(review): _membershipTable is presumably provider configuration, not request input - confirm.
// NOTE(review): DateTime.Now is local time, whereas the WebMatrix reference uses DateTime.UtcNow;
// the expiry comparison may shift with time-zone or DST changes - confirm the intended clock.
string str = wrapper.ExecuteScalar(string.Format("select PasswordVerificationToken from {0} where userid=? and PasswordVerificationTokenExpirationDate > ?;", this._membershipTable), new object[] { userId, DateTime.Now }) as string;
// NOTE(review): this condition is inverted relative to the WebMatrix reference, which tests str == null.
// As written, a user with no unexpired token skips the branch and null is returned, so no reset
// token is ever issued for them; a user who already holds an unexpired token has it replaced.
if (str != null)
{
// NOTE(review): GenerateToken is not shown here; a reset token should come from a
// cryptographically secure random source - verify in its definition.
str = this.GenerateToken();
// Store the new token and its expiry; zero or fewer affected rows is treated as a provider failure.
if (wrapper.ExecuteNonQuery(string.Format("update {0} set PasswordVerificationToken=?, PasswordVerificationTokenExpirationDate=? where userid=?;", this._membershipTable), new object[] { str, DateTime.Now.AddMinutes((double) tokenExpirationInMinutesFromNow), userId }) <= 0)
{
throw new System.Configuration.Provider.ProviderException(Resources.GeneratePassVerificationTokenFailed);
}
}
// Either the newly generated token or null (see the note on the condition above).
return str;
}
-- WebMatrix.WebData.SimpleMembershipProvider
// Excerpt from the body of WebMatrix.WebData.SimpleMembershipProvider.GeneratePasswordResetToken,
// quoted as the reference behaviour: reuse an unexpired token if one exists, otherwise create one.
// userName and tokenExpirationInMinutesFromNow come from outside this excerpt.
using (IDatabase database = this.ConnectToDatabase())
{
bool throwException = true;
// Resolve the user name to the id used in the queries below.
// NOTE(review): presumably throws when the account is missing or unconfirmed because
// throwException is true - confirm in VerifyUserNameHasConfirmedAccount.
int num = this.VerifyUserNameHasConfirmedAccount(database, userName, throwException);
// Fetch the stored token only when its expiration date is later than the current UTC time.
// Values are bound as @0/@1; the table name is concatenated into the SQL text.
string str = (string) database.QueryValue("SELECT PasswordVerificationToken FROM " + MembershipTableName + " WHERE (UserId = @0 AND PasswordVerificationTokenExpirationDate > @1)", new object[] { num, DateTime.UtcNow });
// No unexpired token: generate and persist a new one. An existing unexpired token is returned as is.
if (str == null)
{
str = GenerateToken();
// Store the token with a UTC expiry; anything other than exactly one updated row is a failure.
if (database.Execute("UPDATE " + MembershipTableName + " SET PasswordVerificationToken = @0, PasswordVerificationTokenExpirationDate = @1 WHERE (UserId = @2)", new object[] { str, DateTime.UtcNow.AddMinutes((double) tokenExpirationInMinutesFromNow), num }) != 1)
{
throw new ProviderException(WebDataResources.Security_DbFailure);
}
}
return str;
}
How to repeat:
Try to generate a password reset token.
Suggested fix:
Change if (str != null) to if (str == null)