Security :: Incorrect Custom Membership Provider Behaviour?
		
			Nov 18, 2010
				I've implemented a custom membership provider (as the user credentials are stored in a legacy application), however, the website is exhibiting two behaviours which it shouldn't. Firstly,  it's not tracking invalid password attempts. My website does not use questions and answers, but according to MSDN (http://msdn.microsoft.com/en-us/library/f1kyba5e(v=VS.90).aspx) the "ValidateUser" method should still track them. When I put a breakpoint on the MaxInvalidPasswordAttempts property it is never even accessed.
Secondly, when I manually lock out a user, I can still log in with those credentials (I have confirmed that the MembershipUser object returned by the GetUser method during the login has the "IsLockedOut" property set correctly). The config file lists only the provider name and type - at the moment I'm hard-coding the provider's properties. (For this reason I'm not overriding the Initialize method.) Either I'm doing something wrong, or I have to track these invalid attempts myself, and fail authentication when the user is locked out - which would seem a little silly, since it appears like the membership provider infrastructure should handle that for you...
	
  
    
		
Similar Messages:
	
    	
    	
        Dec 1, 2010
        I have implemented a custom role provider and membership provider.
Login page: SignIn.aspx
On successful login it redirects to (index-Homepage.aspx).
Now the PROBLEM is that when it has successfully logged in and redirects to 'index-Homepage.aspx', it gives the AnonymousTemplate, while it's verifying the role correctly in index-Homepage.aspx.cs.
   
  
    
	
    	
    	
        Mar 27, 2010
        I'm building an application and I need to manage roles, users and more things, so I thought to use the membership provider, but I have some questions about it: can I fully extend it and can I override the functions to use a database table to store info about config, or do I need to build my own provider?
   
  
    
	
    	
    	
        Jan 5, 2011
        This is my first membership provider; I converted the sample provider [URL] to SQL. I created a vb class provider and put it into the App_Code folder. After it was created I tried to modify my webconfig but the error pops up. I don't know what else to try, I don't know if I have missed something
webconfig:
[code]....
   
  
    
	
    	
    	
        Oct 13, 2010
        I created a custom principal to implement logic for users. In the identity I store Id, Name. But it abnormally - these classes must be used to authenticate and authorize.
I can implement custom MembershipUser, custom Roles and Membership provider.
How to do it? What are the best practices?
   
  
    
	
    	
    	
        Mar 21, 2010
        I'm new to ASP.NET and I don't exactly understand some features.
I have a custom  membership provider TestMembershipProvider which inherits from MembershipProvider. It has the following CreateUser method:
[Code]....
It's absolutely simple code. Then I have two text boxes (login, password) and the button to register a new user. It has the following code:
[Code]....
 
[Code]....
Authentication in web.config is set like this:
[Code]....
No matter what I write into textboxes, following error is being returned:
The password retrieval question provided is invalid. 
I don't know why. Either in web.config or in get RequiresQuestionAndAnswer I have false value. When I instantiate my TestMembershipProvider and call CreateUser directly instead of using static Membership.CreateUser, it works fine. Do I have to use an instance of my TestMembershipProvider or did I miss anything?
   
  
    
	
    	
    	
        Oct 27, 2010
        I'm new to the MVC framework but I used forms authentication in an ASP.NET web application. Because I'm forced to use Sybase SQL Anywhere server, I use the membership / profile / role provider from Sybase. Why can't I log in to the MVC application? When I create a user via the MVC web control I'm logged in. But when I log out and try to log in, I get an error that the username or password is not correct. Maybe someone has an idea? Could it be a problem with the application name? Both have the applicationname " / " ? Both applications have these web.config entries:
[Code]....
   
  
    
	
    	
    	
        Mar 29, 2010
        My question relates to membership providers. I have two websites that run on two different servers. One website is a community website that uses Telligent community server 2007. The other is a website that contains information. I have a form where users can request more information. What I would like to do is when a user requests more information, automatically create a user account in my community website. I was told that I can create a custom asp.net membership provider that will create a new user account in my community website. I have read some info at msdn and asp.net websites, but I am still unclear as to how I can create a custom membership provider that will work across different websites running on different servers.
   
  
    
	
    	
    	
        Sep 9, 2010
        I've implemented my custom membership provider. I use a third server for authentication (call a web method that validates user/password). I need this user/password to retrieve some additional data from this server. ASP.NET MVC uses FormsAuthentication and a cookie to keep the 'login state' by default. It works well when I log in on the site the first time. But when I close and open the site again some time after, the cookie keeps it 'login' but I don't have the credentials for access to server data. I can change the cookieless attribute (to 'UseUri' for example) in the configuration file, but in this case I have to log in again if I open a second tab with this app in the same browser. My questions:
Is there a way to call SignOut of FormsAuthentication (remove the authentication ticket from the browser) when the user closes the ASP.NET MVC app?
Is there a secure way to pass user/password data through session? Because the server is unstable and interrupts the connection often, and the app should have the possibility of a silent reconnect.
   
  
    
	
    	
    	
        Jul 27, 2010
        For three days now I have been going from one tutorial/video/sourcecode to the other about how to create the membership-part of my website, but I am still none the wiser :S
I have been looking through this video and these tutorials on the subject, but either they are not what I am looking for or they are too advanced, that I would just write my own user-procedures like I would in classic ASP..
The standard SQL membership provider is nice and all, but I really favor using my own database logic and not drowning the website/database with tables, views, stored procedures and highly customizable features that I'll never use.. That's why I'm trying to build my own custom membership provider
I think I'm on the right track with building a class that inherits from System.Web.Security.MembershipProvider, but when I tell VS to "Implement abstract class" I already have a problem with what I'm seeing: public override string ApplicationName
I know what the applicationname is for, but I am fairly certain that I will never be using the same database for several websites for this project, so why do I need to implement that functionality?
I guess what my problem is, is that although a method like Create-/DeleteUser is handy, I would like to determine whether or not I want to implement that.. Of course the CreateUser is of need to the CreateUserWizard control, but is the ApplicationName really necessary?
Maybe I just need a little advice from people that have had a need of custom database structure - that's actually all I need, I don't think I will see a need for extra functionality codewise..
   
  
    
	
    	
    	
        Apr 20, 2010
        We are trying to implement Custom Role membership provider for our web app. For authorization we want to check for one more field like  Facilityid  for the logged on user along with role he has. eg. my User1 having Role1 with Facility1 can access some option  and same user role for Facility2 have different option. So is there a way we can extend the existing role/profile provider to authorize user with this additional field along with role assigned.
   
  
    
	
    	
    	
        Jul 28, 2010
        I have a  custom SQL membership provider (NOT using aspdb files but our own 'People' table) that was working fine under development but doesn't even connect when it is deployed on web server. DB connection string has been changed to point to db server (checked against another web site & is fine there). The membership code (in VB) is in App_code directory so am I correct in thinking I don't need a separate DLL ? No error messages nothing just reports failed to login when I type some user credentials.
Web config file as follows 
[Code]....
   
  
    
	
    	
    	
        Oct 12, 2010
        I am using a custom membership provider with a custom ValidateUser method. The ValidateUser sends an additional parameter to authenticate my users (Username, Password, and Dealer). I created a custom stored procedure for ValidateUser to call. I copied over all my users from another table and encrypted all the passwords in the aspnet_membership table using the code below. My question is, how do I take the password the user enters in the login form and validate that against what is in my aspnet_membership? Here is the code I used to encrypt the passwords (not even sure this was the right way to encrypt. Please tell me if I did this wrong):
public static string EncodePasswordNow(string originalPassword)
{        
Byte[] originalBytes;
[code]...
   
  
    
	
    	
    	
        Apr 18, 2010
        So after a short talk with some people around the ASP.NET MVC forum I took a huge step and chose to create my own Custom Membership Data provider.. so I logged into sweet Google and started searching, it doesn't look that hard and seems totally possible for me, that's what I thought...
So now I opened Visual Studio, and started to think on a few things.. So before I start typing code, I would like to ask these questions so I would know better:
1. When I build an SQL object, or XML or w.e object, how do I know which fields I need for my table? Should I just copy them from aspnetdb or is there somewhere it is written?
2. How the heck do I copy lines from webconfig? And should I get those lines like "reset password" from web config or not?
3. I saw some parameters in "create User" called providerKey or something like that, and also MembershipState? What exactly are those?
4. Last question: the functions get username, and password and stuff like that, but what if I want to create my own User Entity, is there a way to change what the function gets? Or should I just make another class that gets my custom UserEntity and let the first class send her the userentity as repository?
   
  
    
	
    	
    	
        Feb 2, 2010
        I just created a custom membership provider. I would like to know if I can make calls to my data access layer and not put my data access code inside the membership methods; will that prevent my custom membership provider from being thread safe? For example:
public override [Code]....
CreateUser(string username, string password, string email, out MembershipCreateStatus status)
{
    // DB calls to my data layer
}
v.s.
public override [Code]....
CreateUser(string username, string password, string email, out MembershipCreateStatus status)
{
    // data access
}
   
  
    
	
    	
    	
        Oct 11, 2010
        I am working on implementing a custom membership provider that works against an existing schema in my database and have a few thoughts/questions. The login control will automatically call the ValidateUser method of the membership provider, so no matter how I implement the provider the only thing the login control cares about is the bool value returned by this method. What I am confused about is there could be numerous reasons why a login attempt failed; user is locked out, too many tries in a period of time, etc. There is no way that I see to convey that to the control so it could display the proper message. Other properties of the membership provider such as PasswordStrengthRegularExpression have absolutely no effect on the login control as well (out of the box), I would have hoped that it would automatically somehow translate into regular expression validators, but that doesn't seem to be the case. So it seems that I need to initialize the login control properties with these settings out of the provider configuration if I want them to take on the control itself.
If the only thing that the Login control does out of the box (without manually handling events and doing the initialization as described above) is call the ValidateUser method on the membership provider, I see no way to convey back to the Login control why the validation failed or even doing things like throttling the validation requests based on a certain time window.  Ultimately my question is why would I even use the membership provider then in conjunction with the login control?  It seems like it was only designed for a Yes/No type response, which is very restrictive.  If I want to build in logic with different messages back to the user I need to handle the login control events and call my own authentication classes that will handle all of my business requirements as well as return a custom error message back to the Login control to display to the user so they know why their attempt is invalid.
Unless I am wrong in my assumptions, it seems that the interface between the Login control and the membership API is too restrictive to be useful. Perhaps the API works better for other auth controls like ChangePassword, but for the actual Login control I don't see the point.
   
  
    
	
    	
    	
        Feb 19, 2011
        I am trying to build my own custom Membership Provider in an MVC 3 Web Application using C#.
Here is my code:
[Code]....
 
As you can see, I am just starting with it, and yet I've encountered problems.  According to
this tutorial when I right click on MembershipProvider, I should get the option to [ Implement Abstract Class ], but I don't get that ! I am using Visual Studio 2010.
   
  
    
	
    	
    	
        Jul 23, 2010
        I've been able to create it. Now I'm confused where  to the type from in the video at 21.39
This is the video: http://www.asp.net/general/videos/how-do-i-create-a-custom-membership-provider
   
  
    
	
    	
    	
        Nov 12, 2010
        I have a custom membership provider and do manual validation of the user when they log in and set a persistent cookie with this bit of code:
FormsAuthentication.RedirectFromLoginPage(this.txtEmail.Text,
this.cbRememberMe.Checked);
The cookie gets set fine. I can tell it has all the data it needs by looking at it in Fiddler once I'm validated. However, coming back to the site I'm always getting prompted to log in again. I am starting to think the problem isn't how I'm saving the cookie but that maybe my custom membership isn't actually looking for this auth cookie again. Or I'm naming it wrong or something.
Two things
1) My membership provider is custom and NOT added to web.config - it's a .cs file that connects to a CMS back end for the validation and it works fine logging people in and such, it just never keeps (or uses) the persistent cookie.
NOTE: the persistence doesn't work anywhere (on my local machine / staging server or live server - Application name is simply "/")
NOTE 2: as an aside we have a Google search appliance. Which we baked a 10 year cookie for on this site - we opened up the cookie and used the encrypted string in the Google search appliance (this is how you get it to get past logins, etc) and this thing works great - it logs itself in no problem all the time. SO I am a bit lost as to why a user with an almost identical cookie is not getting logged in.
   
  
    
	
    	
    	
        Jul 20, 2010
        I want to create a custom membership provider which does not have Password Question and Password Answer fields, but has some other extra fields. Is it possible? I am asking this because if I inherit the MembershipProvider class then I get forced to use the default CreateUser method which has password question and password answer parameters. I don't want these parameters.
   
  
    
	
    	
    	
        Sep 19, 2010
        I created a custom membership provider in my ASP.NET 4.0 web site, stored  in App_Code, and referenced in my web.config.
However, it doesn't appear to be pulling values out of web.config during initialization.
The code was taken from [URL] , and the only modifications were changing "connectionStringName" here to the name of my connection string:
[Code]....
The connection string always comes back as nothing in this line:
[Code]....
No matter what I change the password format to in web.config, the default value here is always used:
[Code]....
So to me it's pretty clear it's not pulling out values for some reason. Here is the reference to the membership provider in web.config.
[Code]....
   
  
    
	
    	
    	
        Mar 11, 2010
        I've created a custom membership provider
[Code]....
and in the web.config file
[Code]....
and I tried also
[Code]....
   
  
    
	
    	
    	
        Jan 29, 2010
        Writing a custom membership / role provider and have to validate user with extra parameter to Membership.Validate.  So, instead of Membership.Validate(username, password) I need Membership.Validate(username, password, client).
Is this possible with the existing MembershipProvider?  I would have liked to pass a new MembershipUser to the Validate method but didn't see anything that would work for that.
   
  
    
	
    	
    	
        Sep 16, 2010
        In an ASP.NET MVC project I am using MYSQlMemberShipProvider. Now I want that instead of reading the connection string from the web.config file, it will read the connection string from an external file every time. So I am implementing a custom membership provider class; this class inherits the MemberShipProvider class. But the problem is that if I inherit the MemberShipProvider class then I have to implement all of its methods in my custom membership provider class, but I want to use all the other inbuilt methods of Membership. What can I do? I only want to add code like below:
public class CustomSqlMembershipProvider : MembershipProvider
{
    public override void Initialize(string name, NameValueCollection configs)
    {
        base.Initialize(name, configs);
        Connectionstring objProducts = // reading the connection string.
    }
}
But on compilation it is giving me the error does not implement inherit abstract member.
   
  
    
	
    	
    	
        May 26, 2010
        I am trying to create a Forms Authenticated site and have already used the aspnet_regsql tool to create the necessary logic in my SQL Server DB to hold my data. Now, I am looking to create a custom Membership, User and Role provider for my DB model. I was looking at the following video: [URL]
Now, I get the concept on how to go about it but I notice that this guy uses custom DB Procedures as to the ones that are generated by the aspnet_regsql tool. Can anyone direct me on where I can find info on how to go about building the Membership, User and Role provider class using the DB structure that aspnet_regsql generates? So much junk on google that I am having a hard time finding good guidance.