Page Purpose: Password recovery request - Sends password reset email. User Context: User who cannot remember their password. Next Steps: Email sent → User clicks link → Reset Password Page
Password Recovery Form
What Happens Next?
We verify your email exists in our system
A password reset link is sent to your email
The link expires after 24 hours for security
Click the link to set a new password
You can then log in with your new password
Form Validation
Client-side validation:
Email: Required, valid email format
Server-side validation:
Email exists in database
Account is not locked or disabled
Email is verified
Rate limiting (prevents abuse)
Security notes:
Always show the same success message whether or not the email is found (prevents email enumeration)
Generate secure random token
Store token hash in database with expiration
Limit reset requests per email per hour
Success State
After submission, display:
"If an account exists with that email address, you will receive a password reset link within a few minutes.
Please check your email and follow the instructions.
If you don't receive an email, please check your spam folder or contact support."
Data Model
AspNetUsers Table Fields Used:
Email (lookup user)
EmailConfirmed (must be true)
LockoutEnabled (account must not be currently locked out; note that in ASP.NET Identity LockoutEnabled only means the account is eligible for lockout, so the active lock must be checked via the lockout state, e.g. UserManager.IsLockedOutAsync)
Password Reset Token:
Token (generated by ASP.NET Identity; only the token hash is stored, per the security notes above)
UserId
ExpirationDate (24 hours from generation)
IsUsed (boolean flag)
Email Template
Subject: Password Reset Request for Remarx
Body:
"Hello [FirstName],
We received a request to reset your password. Click the link below to create a new password:
[Reset Password Link]
This link will expire in 24 hours.
If you didn't request this, please ignore this email or contact support if you have concerns.
- Remarx Team"
Security Features
Rate Limiting: Max 3 requests per email per hour
Token Security: Cryptographically secure random token
Time-Limited: Links expire after 24 hours
Single Use: Token invalidated after successful reset
No Email Enumeration: Same message whether email exists or not
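The rules listed under Security notes and Security Features above, worked through as an added, language-neutral example in Python (not the Remarx project's ASP.NET code): the user table, the reset-token table and the request counters are constructed in-memory stand-ins, and the names ResetService, request_reset and consume_token are assumptions for this illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

TOKEN_TTL = timedelta(hours=24)        # "Links expire after 24 hours"
MAX_REQUESTS_PER_HOUR = 3              # "Max 3 requests per email per hour"
GENERIC_MESSAGE = ("If an account exists with that email address, "
                   "you will receive a password reset link within a few minutes.")


@dataclass
class ResetRecord:
    """Constructed stand-in for the Password Reset Token table row."""
    token_hash: str
    user_id: str
    expiration_date: datetime
    is_used: bool = False


class ResetService:
    def __init__(self, users):
        # users: constructed stand-in for AspNetUsers,
        # email -> {"id": ..., "confirmed": bool, "locked_out": bool}
        self.users = users
        self.records = {}      # token_hash -> ResetRecord (raw token never stored)
        self.requests = {}     # email -> timestamps of recent requests (rate limit)

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email, now):
        """Returns (message, raw_token). The message is identical in every case;
        raw_token is None whenever no email should be sent."""
        window = [t for t in self.requests.get(email, []) if now - t < timedelta(hours=1)]
        self.requests[email] = window
        if len(window) >= MAX_REQUESTS_PER_HOUR:
            return GENERIC_MESSAGE, None           # throttled, same message
        window.append(now)
        user = self.users.get(email)
        if user is None or not user["confirmed"] or user["locked_out"]:
            return GENERIC_MESSAGE, None           # unknown/unverified/locked: no enumeration
        token = secrets.token_urlsafe(32)          # CSPRNG, 256 bits of entropy
        self.records[self._hash(token)] = ResetRecord(self._hash(token), user["id"], now + TOKEN_TTL)
        return GENERIC_MESSAGE, token

    def consume_token(self, token, now):
        """Validates a token from the emailed link: returns user_id once, else None."""
        rec = self.records.get(self._hash(token))
        if rec is None or rec.is_used or now >= rec.expiration_date:
            return None
        rec.is_used = True                         # single use
        return rec.user_id
```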