Use GetPassword () Method But Not Property Of Password In Build-in Asp.net2.0 Membership?
Oct 20, 2010
I find that the password can only retrieved by method GetPassword() in asp.net2.0 Membership.In fact, we can get the password when we get the user infomation from database and set it as a property of user(object of MemberhsipUser) just as user.Email, user.UserName, etc.
It's clear that adopting the second resolution(property) can reduce one trip between server and database and more convenient. But why Microsoft don't do like this? For secruity reason? Then why is it less secure to set the password as property?
suppose i have one button and i want that when user click this button and then a method will be called asynchronously.how to do it in asp.net 2.0. please help me with sample code.
Does anyone has a solution (sample code) for the following features:
Create a randomGuid/Cryptographically strong random number Send a unique URL containing the random number to the user's email address When confirmed, the user is asked to change password
My provider is currently parametrized this way:
[code]....
The security issues with this type of procedure have been discussed here before.
I had been trying to solve this but there is a hidden key i wish someone point me to.
I had a simple membership database with users in first the Membership Provider configured for clear password to retrieve the original password .
Now a new requirement say that the password must be hashed and reset .
I configure the Membership password to hash , and Implemented the Reset Password Module.
My problem is as follow.
If the user is new registered user with the new configuration the password and the security answer is hashed.
also when I go and reset the password it continue to be hashed.
Now I thought that with new configuration if any previous user with clear text configuration , If he use the password Reset module , because my configuration now is hashed , I expected that the new password and security answer will be hashed . what happen is old user continue in clear text even if the configuration is hashed. so If I had new users everything is fine.
old users Membership Provider somehow know they had been stored in clear text and it keep change password and security answer in clear text . If I delete this user and create it , Membership Provider understand that everything will be hashed. I need to know how it know this , I need to migrate users not to delete and recreate users .
Also if there are no solution for that , I wish Microsoft Consider it in future cause it is a real user scenario, that can happen imagine a business system that related to membership user Id , deleting users and recreate them is not a solution .
How can I use Membership.GeneratePassword to return a password that ONLY contains alpha or numeric characters? The default method will only guarantee a minimum and not a maximum number of non alphanumeric passwords.
Am using ASP.NET membership authentication in a small website and i just noticed some thing funny during testing. Am trying to enable user to change their login password any time they wish, i dragged a change password control to the form, i changed the password for my test account, but now all passwords are still working.
I can login with the old password as well as the new password with this particular test account. If i try with any other random characters as the new password, i cant successfully login (which OK). But if type the old password, am able to login, if i type the new password, am still able to login, am finding this very strange.
For three days now I have been going from one tutorial/video/sourcecode to the other about how to create the membership-part of my website, but I am still none the wiser :S
I have been looking through this video and these tutorials on the subject, but either they are not what I am looking for or they are too advanced, that I would just write my own user-procedures like I would in classic ASP..
The standard sql membership provider is nice and all, but I really favor using my own database-logic and not drown the website/database with tables, views, stores procedures and highly custimizable features that I'll never use.. That's why I'm trying to build my own custom membership provider
I think I'm on the right track with building a class that inherits from System.Web.Security.MembershipProvider, but when I tell VS to "Implement abstract class" I already have a problem with what I'm seeing: public override string ApplicationName
I know what the applicationname is for, but I am fairly certain that I will never be using the same database for several websites for this project, so why do I need to implement that functionality?
I guess what my problem is, is that although a method like Create-/DeleteUser is handy, I would like to determine whether or notI want to implement that.. Of course the CreateUser is of need to the CreateUserWizard control, but is the ApplicationName really neccesary?
Maybe I just need a little adwise from people that have had a need of custom database-structure - that's actually all I need, I don't think I will see a need for extra functionality codewise..
I am trying to build my own custom Membership Provider in an MVC 3 Web Application using C#.
Here is my code:
[Code]....
As you can see, I am just starting with it, and yet I've encountered problems. According to this tutorial when I right click on MembershipProvider, I should get the option to [ Implement Abstract Class ], but I don't get that ! I am using Visual Studio 2010.
I am using membership control in my webapplication.On reseting password, i want control should generate password such that i can define the length of the password.
Do I need to make a Custom Membership Provider or is there another way?
I have a project using ASP.NET Forms Authentication and the Microsoft SQL Membership Provider. The website is DONE. I use this provider everywhere. (Register, Login, Forgot Password, etc...) Until now, my website users have not needed complex passwords. The users' passwords were really just pins. The user could select anything for a password in the past. I had almost no restrictions for this website because none of the data is private or personal. However I have received new requirements.
Here are the new password requirements:
Passwords must be at least 8 characters in length. Passwords must be created using 3 of the following 4 character types:
Uppercase Lowercase Numeric Punctuation
Do not use your name or User ID in the password. Do not use old passwords again later. Passwords must be changed at least every 60 days. Passwords may not contain your User ID or any part of your full name. Password history retention will prohibit use of the last 24 passwords. Passwords may be changed by users only once in any 6-day period.
I realize I am going to have to modify all of the following pages: Register, Login, Forgot Password, etc... fortunately I stopped using the default controls a long time ago.
My first thought was that I need to write a Custom Membership Provider. I don't know how to make the standard provider to do most of this. I could write code to do.
Do I modify the aspnet_membership table? Should I add my own table aspnet_something? Can the user profile table be used for this problem? Do I need my own MembershipUser class?
I have developed a Silverlight app using forms authentication and the asp net membership, aspnetdb, the whole enchilada.The bug I see is that the password for my users change by them self every bow and then, the way I fix them is by deleting the user and creating them again, this has been I problem all the time.In a post I read the problem was manifesting because I didn't have a machineKey in my web.config, I now do, so I dunno what the problem is this time...Is there a definitive fix to this? can you please provide assistance?
We are converting an ASP site (using DotNetNuke) to a new PHP site. The only thing we have right now is a full export of the existing database. One of the tables is called "aspnet_Membership" and contains the following fields:
Password (looks like base64) PasswordFormat (always value 2) PasswordSalt (looks like base64) PasswordQuestion (always empty) PasswordAnswer (always empty)
We would like to decode these passwords and hash them to fit our own framework. From what I understand from the .NET documentation these kind of passwords can be decrypted. Is there an algorithm available that can do this or is it more complicated than that? Will it be possible if we create an ASP script on the current server?
building a site and the client wants an admin page, so that he can login and change passwords, delete users or create users.I have 3 subs, one for creating, one for deleting and one for changing passwords. The create user works fine. The delete user works fine but on the changing password is where I have the trouble. Here is the code:
1. I want to use membership functionality without username/password
instead I want to use this functionality based on tracked IP's. Is it possible
Is it a good idea? I want to use my application on all famous mobile platforms and desktops mac/win
2. Is it hard (or is it good idea) to have user info stored into database for specific amount of time based on IP instead of persistent cookies? (I mean user can close browser, etc. Usually this time will be 1 hour)
I have a question about the encryption key/keys the standard ASP.NET Membership provider uses for creating the password hashes.Although we haven't deployed this new system we are working on yet, we might switch servers in the future. So I thought it might be a good idea to specify the encryption key/keys in the web.config file to avoid any problems with mismatched hashes if we do switch servers.We use the standard ASP.NET Membership provider ("AspNetSqlMembershipProvider"), passwordFormat is set to "Hashed" and we use Forms authentication.The current web.config file initially did not have any machineKey element. I used the web application and had registered and thus created an account and the hash of my password is stored in one of the aspnet_* tables.Then I created a machineKey element in the web.config file, and specified validationKey, decryptionKey, validation and decryption attributes. I had expected not to be able to log in with my password anymore, but I was surprised that I could still do so with the existence of the new machineKey specifying new encryption keys.So - why can I still log in?Does the AspNetSqlMembershipProvider not use the encryption keys specified in machineKey?