I have a custom membership user class and custom MembershipProvider working against database. Due to security reasons the user passwords are stored in the database as hashed values. So my procedure
public override bool ValidateUser(string username, string password) is
{
//select hashed password from db
return (EncodePassword(password) == dbpassword)
}
[code]....
i have implemented asp. net membership authentication and one of my users has forgotten his password.
The passwords are hashed and when i try retrieveing his password i get the error that password retrieval is not available for hashed passwords.
Should i reset the password?
I am working on membership concepts in asp.net. Now i want to reset new password and getpassword for specific user.
this is my web.config code:
<add name="MySqlMembershipProvider" connectionStringName="SQL2005DB380ConnectionString" applicationName="MyAppName" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" passwordFormat="Encrypted" enablePasswordReset="true" minRequiredNonalphanumericCharacters="1"
passwordAttemptWindow="10" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
How can I get old password and reset new password.
I am using Membership provider.. I integrated the aspnet member tables into my database.
I need the user to enter password on a data entry form and validate it against the membership tables.
How can I do this. This is the set up. I have few fields and user enters those fields and also enters the password, and submits the form. It is kind of like signature... i am looking for something like..
If txtPassword.text = membershipprovider password
{
//do this...
}
I am evaluating ASP.NET Membership for an intranet Silverlight app. I want users to be automatically authenticated for my application with their windows logon. Thus I configured Windows Authentication. I would like to store user settings like email-address in using the SqlMembershipProvider and not AD. It seems that storing user settings using the SqlMembershipProvider is not supported with Windows Authentication. Is this really so (using .NET 4)?
If so: What is the rationale behind this? IMHO authentication, user settings and authorization are distinct aspects. User settings could easily be stored (identified by user name) using the SqlMembershipProvider with authentication and password management being supplied by Windows. What is the recommended solution for my scenario?
There seems to be something wrong with the create user wizard?I am using hashed password storage. When I change it to clear storage I see the user's password is being stored as something completly different than what they typed in.Example: changeme1 now equates to something like: 4W*KQQ4%=SIf I use 4W*KQQ4%=S as the password to login with it works but changeme1 does not.When I use the reset password wizard it updates the password just fine and it works when I login next.Any clues what could be causing this?
View 1 RepliesI am trying to create a Forms Authenticated site and have already used the aspnet_regsql tool to create the necessary logic in my SQL Server DB to hold my data. Now, I am looking to create a custom Membership, User and Role provider for my DB model. I was looking at the following video: [URL]
Now, I get the concept on how to go about it but I notice that this guy uses custom DB Procedures as to the ones that are generated by the aspnet_regsql tool. Can anyone direct me on where I can find info on how to go about building the Membership, User and Role provider class using the DB structure that aspnet_regsql generates? So much junk on google that I am having a hard time finding good guidance.
I am using a custom membership provider with a custom ValidateUser method. The ValidateUser sends and additional parameter to authenticate my users (Username, Password, and Dealer). I created a custom stored procedure for ValidateUser to call. I copied over all my users from another table and encrypted all the passwords in the aspnet_membership table using the code below. My question is, how do I take the password the user enters in the login form and validate that against what is in my aspnet_membership Here is the code I used to encrypt the passwords (not even sure this was the right way to encrypt. Please tell me if I did this wrong):
public static string EncodePasswordNow(string originalPassword)
{
Byte[] originalBytes;
[code]...
I am createing user dynamially with the below code; string MyPassword = Membership.GeneratePassword(8,0).ToString(); Membership.CreateUser(TextBox7.Text, MyPassword, TextBox8.Text); but before I start creating, I would like to check if the user name is used before or not.
View 2 RepliesOur application lets the administrator create new users. Since the administrator is logged in, I have set Logincreateduser = false so that the administrator is not logged out even after creating the new user.
The problem is :I need the userid of the newly created user to store additional details of the user in another database table. I see that i can get the username using Createuserwizard1.username; but how do I get the userID?
i am working on membership concepts in asp.net. Now i want to reset new password and getpassword for specific user.
this is my web.config code:
[code]....
I'm using the ASP.NET SQL Membership Provider. So, there's an aspnet_Users table that has details of each of my users. (Actually, the aspnet_Membership table seems to contain most of the actual data). I now want to store some per-user information in my database, so I thought I'd just create a new table with a UserId (GUID) column and an FK relationship to aspnet_Users. However, I then discovered that I can't easily get access to the UserId since it's not exposed via the membership API. (I know I can access it via the ProviderUserKey, but it seems like the API is abstracting away the internal UserID in favor of the UserName, and I don't want to go too far against the grain).
So, I thought I should instead put a LoweredUserName column in my table, and create an FK relationship to aspnet_Users using that. Bzzzt. Wrong again, because while there is a unique index in aspnet_Users that includes the LoweredUserName, it also includes the ApplicationId - so in order to create my FK relationship, I'd need to have an ApplicationId column in my table too. At first I thought: fine, I'm only dealing with a single application, so I'll just add such a column and give it a default value. Then I realised that the ApplicationId is a GUID, so it'd be a pain to do this. Not hard exactly, but until I roll out my DB I can't predict what the GUID is going to be. I feel like I'm missing something, or going about things the wrong way. What am I supposed to do?
On registration user provides an email, the password must be mailed to the email ...
View 1 RepliesI just begin creating a website for an organization. First page to be displayed in the login page. I dont have any knowledge in ASP.NET Security. On Login page, i want to display UserName field as disabled with the useralias of the user who currently logged into Windows. Password user has to provide and it should be that user's windows password.
How do i validate that password that user has entered is his windows password?
I simply want to know how to manually check if the value a user has provided for the answer to their security question matches their current answer on record. I want to use the build in support of the ASP.Net membership and membershipuser objects.
I see that via the passwordrecovery control that the actual answer can be returned. However I am currently not using this control and it would take a good bit to integrate it as it does not meet our user's requirements.
In a worst case scenario, getting the actual answer (like the passwordrecovery control does) and manually checking it in our application would be acceptable.
A best case scenario is some sort of API where I can pass in the user name and the answer to their security question that was provided and simply get an indication of whether answer was correct or not.
I've wrote a custom membership provider and a custom membership user. So far so good, I can create users / login etc, but when I try to access the custom membership user in code like this;
Code:
Public Function GetOpportunities() As IQueryable(Of Opportunity)
'Dim p As CiseroMembershipProvider = System.Web.Security.Membership.Provider
'Dim _User = p.GetUser(System.Web.HttpContext.Current.User.Identity, True), CiseroMembershipUser
Dim _User As Curve.CiseroMembershipUser = Nothing
_User = System.Web.Security.Membership.GetUser() 'Dim _CurveUser As New CiseroMembershipUser
'Return From o In Me.ObjectContext.Opportunities Where o.ClientID = User.ClientID
Return From o In Me.ObjectContext.Opportunities Where o.ClientID = _
_User.ClientID Order By o.ModifiedDate Descending
End Function
I get this error:
Unable to cast object of type 'CustomMembershipUser' to type 'Curve.CustomMembershipUser'. When I put a quickwatch on the object System.Web.Security.Membership.GetUser() it is of type CustomMembershipUser. The quickwatch window generates the text DirectCast(System.Web.Security.Membership.GetUser(), CustomMembershipUser) when I click onto the properties, but reevaluating the expression raises the error.
For that, I made my own users and passwords tables and hashed the passwords myself. Now, I would much rather move to Microsoft's built in membership provider with asp.net in sql server. Does anybody know a good way to migrate over?
The only real idea I've had so far is to make both systems run simultaneously, then when a user logs in, validate them in my old system, then ask them to re-enter their password and save their new stuff in the microsoft's system... then clear the record out of my old system. Eventually, I would hope that would move everybody into the new system. But that seems annoying and messy. Is there some better way?
I'm using DotNetOpenAuth as my membership system, and the way I have it working now seems to be working quite well. What I'd like to do however is build into my website the ability to check user credentials against the AuthCookie rather than a session. In the membership provider, I can check for the username like this
string UserName = System.Web.HttpContext.Current.User.Identity.Name;
''# which returns the OpenId ClaimedIdentifier
What I'm wondering is if there is a way to extend this so that I can retrieve custom properties from the AuthCookie rather than having to create my own session object. Currently I have this setup.
UserSessionModal
Namespace Domain
Public Class UserSessionModel
Public Property ID As Integer
Public Property RegionID As Integer
Public Property Username As String
Public Property Slug As String
Public Sub New(ByVal user As User)
_ID = user.ID
_RegionID = user.RegionID
_Username = user.UserName
_Slug = Replace(user.UserName, " ", "-")
End Sub
End Class
End Namespace
BaseController (inherited by all controllers)
Protected Overrides Function CreateActionInvoker() As System.Web.Mvc.IActionInvoker
''# Create a UserInfo object for the logged in user
''# and store it in a session state.
If Session("UserInfo") Is Nothing AndAlso User.Identity.IsAuthenticated Then
Dim user As Domain.UserSessionModel = New Domain.UserSessionModel(OpenIdService.GetOpenId(HttpContext.User.Identity.Name).User)
Session("UserInfo") = user
End If
Return MyBase.CreateActionInvoker()
End Function
Then in my views I do something like this
<%
Dim user As MyApp.Core.Domain.UserSessionModel = DirectCast(Session("UserInfo"), MyApp.Core.Domain.UserSessionModel)
%>
<%: Html.ActionLink(user.UserName, "Details", "Users", New With {.id = user.ID, .slug = user.Slug}, Nothing)%>
What I really need to be able to do is remove the Session stuff all together and just simply check the AuthCookie for my custom properties ID, RegionID, Username, and Slug. I can already get the "ClaimedIdentifier" out of the AuthCookie using HttpContext.User.Identity.Name... I just need to be able to extend it.
I using change password control, how can i change the password without enter the current password?
View 8 RepliesI had been trying to solve this but there is a hidden key i wish someone point me to.
I had a simple membership database with users in first the Membership Provider configured for clear password to retrieve the original password .
Now a new requirement say that the password must be hashed and reset .
I configure the Membership password to hash , and Implemented the Reset Password Module.
My problem is as follow.
If the user is new registered user with the new configuration the password and the security answer is hashed.
also when I go and reset the password it continue to be hashed.
Now I thought that with new configuration if any previous user with clear text configuration , If he use the password Reset module , because my configuration now is hashed , I expected that the new password and security answer will be hashed . what happen is old user continue in clear text even if the configuration is hashed. so If I had new users everything is fine.
old users Membership Provider somehow know they had been stored in clear text and it keep change password and security answer in clear text . If I delete this user and create it , Membership Provider understand that everything will be hashed. I need to know how it know this , I need to migrate users not to delete and recreate users .
Also if there are no solution for that , I wish Microsoft Consider it in future cause it is a real user scenario, that can happen imagine a business system that related to membership user Id , deleting users and recreate them is not a solution .
I´m building a home page where logged in users shall buy products. To be able to get to the buy page the user already has to be logged in. But when he shall execute the buy he has to reenter his password again to check the user a second time. How do I check if his entered password matches his user password? I´m using the ASP Membership library and I have passwordFormat="Hashed".
View 3 RepliesI'm using the ChangePassword method of membership provider to change the password and one of the requirement before calling the changepassword is to retrieve the current password. But I'm getting error:padding is invalid and cannot be removedbelow is my web.config:
< system.web> < machineKey validationKey="4FD671E39167DFB91A918018007D095E50B7D2971B01AEDE26A7233FD9CC4A470F80689997EC2C7BB515F9D82C8B4D1F3A8495193630B11E8401C96BD0A5A133" decryptionKey="ED1555E75C7B91738172E0086456C70B9CAA4C44214FC2B1907123993EA4FA53" validation="SHA1"
decryption="AES"/>....< /system.web>
I have an ASP.Net 4.0 application that is using Forms Authentication and ActiveDirectoryMembershipProvider. It authenticates against Active Directory running on Windows Server 2008 R2.I use ChangePassword control for changing passwords.When the user changes the password he can log on for some time with the old password. My client feels this is a security problem with the application. Is there any way to make sure the old password does not work after the user changes it?Also, if I do iisreset on the web server, the old password stops working. The password must be cached somewhere in the web app.
View 3 RepliesIn the site I am building we have standard users and superusers. A superuser can delete another user from the system and this should result in that user being logged out (if he/she is currently logged in). We use the Membership provider. Or actually the superuser doesn´t delete the other user completely but instead sets his/her as inActive by following code:
[code]...
But, that should not matter... What I want to know is how to make the affected user being logged out. I don´t need a popup or anything to be shown to the other user that he/she is just logged out, it is enough to check if that user is logged in when he/she tries to move to another page on my site.
I'm trying to get the comments section for a user, to populate a text box which can be updated. I'm getting the "Object reference not set to an instance of an object" error. Why is this occurring?
[Code]....