I've change it to passwordStrengthRegularExpression="^(?=.{8,15}$)(?=.*[0-9])(?=.*[A-Z]).*" however it still keeps coming up telling me that I need at least 7 characters and one nonAlphaNumberic... I looked at my machine config and made some adjustments there so that
minRequiredPasswordLength="" minRequiredNonalphanumericCharacters="" were blank
I have this code for changing a user's password when they click the password reset button (with extra code to log to ELMAH so I can try to figure out what is going wrong).
This is in ASP.NET MVC 2, using the standard aspnet membership provider, with a simple View like this:
New Password: ______ Confirm Password: ______ [Reset] [Cancel]
The route to this view is `/Account/Reset/guid`, where guid is the user's id in the aspnet membership database.
The key portion of the code is where it calls `user.ChangePassword()`. You can see that it logs a message when successful. The problem is that for some users, the success message is logged, but they can not log in with the new password. For other users it logs the success message and they can log in.
if (user.ChangePassword(pwd, confirmPassword)) { ErrorSignal.FromCurrentContext().Raise( new Exception("ResetPassword - changed successfully!")); return Json(new { Msg = "You have reset your password successfully." }, JsonRequestBehavior.AllowGet); }
The full code listing is:
[Code]....
Edit: Adding a bounty to try to get this solved. This is one of the most annoying problems on my issue list, and I have no idea how to proceed.
I have a custom security module which is retrieving the applicationName of the defalut Membership Provider. I am using this value for convenience only. I mean, sometimes, I will authenticate the user as per "Windows Authentication" where there is no Login Form, and yet, I need to access the "applicationName" of the membership provider.So, in some of my applications, I am not using a memberhsip, and I leave it empty. And I found out that if the <membership> is not defined in web.config, it will default to "AspNetSqlMembershipProvider" type "System.web.Security.SqlMembershipProvider".I can add an key in <appSettings>, but I like to using the applicationName of the default membership provider, becuase in other applications I am using Forms Authentication, with a custom membership provider.If try to setup a dummy memberyship provider, I will get error that the connection string is empty.How I can set the "applicationName" property in web.config if I am using "Windows" authentication, and I have no membership provider ?
Does anyone has a solution (sample code) for the following features:
Create a randomGuid/Cryptographically strong random number Send a unique URL containing the random number to the user's email address When confirmed, the user is asked to change password
My provider is currently parametrized this way:
[code]....
The security issues with this type of procedure have been discussed here before.
I'm having a problem with a custom Membership implementation for ASP.NET using EF. The thing is, my web.config features the default values for the provider but at runtime those default are only being read in Initialize() the first time provider is instantiated (that happens for instance when I request the Register view via GET but when I fill in the form and POST to the controller the Initialize() on the provider class doesn't get called and all the provider settings are null or default value types value.
This is my web.config section:
[Code]....
Since my provider class is quite huge I am not posting it here but will post some parts of it if requested.
Am using ASP.NET membership authentication in a small website and i just noticed some thing funny during testing. Am trying to enable user to change their login password any time they wish, i dragged a change password control to the form, i changed the password for my test account, but now all passwords are still working.
I can login with the old password as well as the new password with this particular test account. If i try with any other random characters as the new password, i cant successfully login (which OK). But if type the old password, am able to login, if i type the new password, am still able to login, am finding this very strange.
I had been trying to solve this but there is a hidden key i wish someone point me to.
I had a simple membership database with users in first the Membership Provider configured for clear password to retrieve the original password .
Now a new requirement say that the password must be hashed and reset .
I configure the Membership password to hash , and Implemented the Reset Password Module.
My problem is as follow.
If the user is new registered user with the new configuration the password and the security answer is hashed.
also when I go and reset the password it continue to be hashed.
Now I thought that with new configuration if any previous user with clear text configuration , If he use the password Reset module , because my configuration now is hashed , I expected that the new password and security answer will be hashed . what happen is old user continue in clear text even if the configuration is hashed. so If I had new users everything is fine.
old users Membership Provider somehow know they had been stored in clear text and it keep change password and security answer in clear text . If I delete this user and create it , Membership Provider understand that everything will be hashed. I need to know how it know this , I need to migrate users not to delete and recreate users .
Also if there are no solution for that , I wish Microsoft Consider it in future cause it is a real user scenario, that can happen imagine a business system that related to membership user Id , deleting users and recreate them is not a solution .
I am working in a Silverlight 4 + RIA Services application. On the server side I am using Entity Framework and SQL Server. The user authentication is performed in the application using the default ASP.NET Membership Provider.
I am also using some profile properties to store some user preferences. Unfortunately I came across a situation where I have to change one of this properties in all users.
Altought I am using EF to manage data persistence, the ASP Membership provider tables are not in my entities diagram, since everything I must do regarding membership is performed using the objects available on the provider.
So I was thinking to use this objects to change the user prefrences, but my question is about what happens if something fails? Is there any transaction object I could use on the Membership objects to perform an atomic operation?
I know EF supports transactions, but in this case I would have to add the asp.net membership tables to my diagram.. only for that operation.
I'm using Membership but allow to change UserName of specified user. I had user named Customer bound to role Customer, and then his username was changed to 123. Then i try to do something to get Roles of this user and get an error or empty result.
I am developing a shopping cart with asp.net and sqlexpress. I am using aspnet authentication components to create a backend page. I designed the site to let in only authorized users in.
Yesterday, I forget my password to login to backend and asked system recover my password. with recover password of the asp.net I was able to receive the temp password. I took that and logged in, of course asp.net forward me to password change component which I am having problem with.
Every time I change my password , password change shows that I was successfull but after clicking on the continiue button password change component comes back. I went to properties of password change component and entered the main default page as destination but it is not helping.
I close the IE clear the cache , even restart the machine. When I login always taking me to the password change page.
I am using the Membership provider that is included in Framework 3.5. I need to be able to add properties to the user such as country and birth date. I have read about the alternative provider that microsoft distibutes called TableProvider where you can define extra properties in the webconfig. I hesitate a bit about using it as there where some stuff about adding rules to the database to allow access. Since i use a hosted server and i am almost clueless about database administration it got me enough worried to think out my own solution. A. any feedback about using table provider from people that have experience of it?
I have developed a Silverlight app using forms authentication and the asp net membership, aspnetdb, the whole enchilada.The bug I see is that the password for my users change by them self every bow and then, the way I fix them is by deleting the user and creating them again, this has been I problem all the time.In a post I read the problem was manifesting because I didn't have a machineKey in my web.config, I now do, so I dunno what the problem is this time...Is there a definitive fix to this? can you please provide assistance?
I have a new VS2010 .NET 4.0 Web project and the Properties Folder has gone wierd on me. It has lost teh "Open" under the right click. There is no way to get a Settings file created now.
I am unable to get to the Settings grid and no Settings file is created. I tried the help and it has the normal trip of select Properties, Open (right click), Settings Tab, etc. etc.
I am trying to update the enablePasswordReset from false to true programmatically but am struggling.. This is as far as I got!
ConfigurationManager.OpenWebConfiguration(Request.ApplicationPath); var section = (MembershipSection)config.GetSection("system.web/membership"); var defaultProvider = section.DefaultProvider; var providerSettings = section.Providers[defaultProvider]; // Now what?
I have a question about the encryption key/keys the standard ASP.NET Membership provider uses for creating the password hashes.Although we haven't deployed this new system we are working on yet, we might switch servers in the future. So I thought it might be a good idea to specify the encryption key/keys in the web.config file to avoid any problems with mismatched hashes if we do switch servers.We use the standard ASP.NET Membership provider ("AspNetSqlMembershipProvider"), passwordFormat is set to "Hashed" and we use Forms authentication.The current web.config file initially did not have any machineKey element. I used the web application and had registered and thus created an account and the hash of my password is stored in one of the aspnet_* tables.Then I created a machineKey element in the web.config file, and specified validationKey, decryptionKey, validation and decryption attributes. I had expected not to be able to log in with my password anymore, but I was surprised that I could still do so with the existence of the new machineKey specifying new encryption keys.So - why can I still log in?Does the AspNetSqlMembershipProvider not use the encryption keys specified in machineKey?
I am using Membership provider.. I integrated the aspnet member tables into my database.
I need the user to enter password on a data entry form and validate it against the membership tables.
How can I do this. This is the set up. I have few fields and user enters those fields and also enters the password, and submits the form. It is kind of like signature... i am looking for something like..
I am using a custom membership provider with a custom ValidateUser method. The ValidateUser sends and additional parameter to authenticate my users (Username, Password, and Dealer). I created a custom stored procedure for ValidateUser to call. I copied over all my users from another table and encrypted all the passwords in the aspnet_membership table using the code below. My question is, how do I take the password the user enters in the login form and validate that against what is in my aspnet_membership Here is the code I used to encrypt the passwords (not even sure this was the right way to encrypt. Please tell me if I did this wrong):
public static string EncodePasswordNow(string originalPassword) { Byte[] originalBytes;