The new table would be:
secretquestions:
questionID - Primary Key
questionText - varchar
Populate the secretquestions table with the questions that they should be allowed to choose from.
On the registration page, create a recordset to return the questions from the secretquestions table.
Add a select list to the registration form, set the select list to be dynamic, and pull the values for the select list from the secretquestions recordset. Set the value to the questionID column and the label to the questionText column.
Add a new text box also for the user to type their answer.
In the insert record behavior, bind the questionID column of the user table to the select list, and the answer column to the answer text box.
Now on the New Password page, create a recordset again to pull all the questions from the secretquestions table. Create the select list again, make it dynamic, get the values from the secretquestions recordset, and set the value to use the questionID column and the label to the questionText column.
Add the answer text box as well.
Create another recordset that filters the user table on the entered email address, the selected question and the answer.
Set the email password behavior trigger to only send if the lookup recordset is not empty. You can use the show region behavior to show an error message if the recordset is empty; you will need to modify the show region if statement so that it only shows the message if the recordset is empty and the form was submitted.
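The lookup and send/error logic described in the post above, sketched as an added example that is not part of the original post and is not SecurityAssist's own code. It assumes a `users` table, an extra `answerSalt` column so the answer is stored as a salted PBKDF2 hash rather than as typed, constructed sample questions and data, and hypothetical function names.

```python
import hashlib, hmac, os, sqlite3

def answer_hash(answer, salt):
    # Assumption: normalise case and whitespace, then stretch with PBKDF2.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE secretquestions (questionID INTEGER PRIMARY KEY, questionText VARCHAR(255));
        CREATE TABLE users (email TEXT PRIMARY KEY, questionID INTEGER,
                            answerSalt BLOB, answer BLOB);
    """)
    # Constructed sample questions for the select list.
    db.executemany("INSERT INTO secretquestions VALUES (?, ?)",
                   [(1, "Name of your first pet?"), (2, "City you were born in?")])
    return db

def register(db, email, question_id, answer):
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               (email, question_id, salt, answer_hash(answer, salt)))

def lookup_user(db, email, question_id, answer):
    # The "lookup recordset": bound parameters, never string concatenation.
    row = db.execute("SELECT email, answerSalt, answer FROM users "
                     "WHERE email = ? AND questionID = ?", (email, question_id)).fetchone()
    if row is None:
        return None
    return row[0] if hmac.compare_digest(answer_hash(answer, row[1]), row[2]) else None

def handle_reset_form(db, form):
    """Return (send_email, error_message) for one page request."""
    if not form:                      # first page load: nothing submitted, no error shown
        return (False, None)
    match = lookup_user(db, form.get("email", ""), form.get("questionID"), form.get("answer", ""))
    if match is None:                 # submitted and recordset empty: show the error region
        return (False, "Those details did not match our records.")
    return (True, None)               # recordset not empty: trigger the email

if __name__ == "__main__":
    db = build_db()
    register(db, "user@example.com", 1, "Rex")   # constructed sample user
    print(handle_reset_form(db, {}))
    print(handle_reset_form(db, {"email": "user@example.com", "questionID": 1, "answer": "rex"}))
    print(handle_reset_form(db, {"email": "user@example.com", "questionID": 2, "answer": "rex"}))
```

The same error text is returned whether the email, the question or the answer was wrong, so the page does not reveal which field failed.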
Thanks for the info Jason. Your approach to setting up the table of questions is exactly what we've done. The problem comes in with me not understanding clearly how to use the tools (I think).
Regarding the email password behavior, the SA email password shows two options. One for Microsoft mail and the other for Linux. In our case we need to provide authentication (TLS) to send the email. Does this mean using Universal Email instead of SA's email password behavior? If yes, where in UE do we choose to only send the email if the recordset is not empty?
Do you recommend a tool for handling the show region functionality? I assume this would be to display a message that the answer was incorrect.
Currently I have a page that is displayed when the user clicks the forgot password link. This is a page I coded myself and is not from SA. The user enters their email address and clicks submit. I save the email address they entered as a session variable and use it with the SA authenticate user behavior to see if it's an email address that exists or not. If it's OK, I route them to a page that displays their secret question and a field for entering their secret answer. Once they enter their answer and click submit, I check to see if it matches our records. If not, I'd like to display an error message; if so, I display a page that says an email was sent with instructions on what to do next. It's at this time that I would send an email with the non-encrypted password (because I saved it using the SA Random Password entry in the bindings tab) and I would also encrypt the password and store it in the database for the userID (email address that was submitted OK).
Does this sound OK or am I creating too many pages to handle all of this? Right now there's the page where they enter their email address, a page that says we can't find their email address in our records with a "try again" link back to the previous page so they can enter a different email address, the page for displaying the secret Q/A, a page that says their secret answer didn't match our records, and a success page telling them an email was sent when all goes well.
thanks for your help,
steve