Classic ASP centralized Database credentials - asp-classic

Our current web application is built using Classic ASP. Most of the ASP pages in the source code have the database username and password hard-coded. Now we are required to centralize them and access that function for DB connections.
We are using:
Set db = CreateObject("adodb.connection")
db.open connectionString, username, password
My questions are:
1. Can I use the registry to store and access the username and password (encrypted) in Classic ASP? Is it possible without any third-party libraries?
2. Can we implement the function that reads the username and password in a DLL and make use of that function in my ASP page?
3. Is there any other approach to handle this?
Note: we must not store the username and password in flat files.

You can centralise the connection string: just store the credentials in the connection string and store the connection string in an application variable.
I have answered a very similar question here.
You don't need to open connections using connection string, username and password; you can embed the username and password in the connection string. Below is an example of a SQL Server connection string:
connectionString = "Provider=SQLOLEDB; Data Source=YOUR_DATABASE_SERVER; Initial Catalog=YOUR_DATABASE; User ID=YOUR_USERNAME; Password=YOUR_PASSWORD"
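A worked version of this answer's approach, added here as an example and not code from the original post: one include file builds the connection string on first use, caches it in an Application variable, and hands pages an opened connection. The file name dbconn.inc.asp, the Application key and the placeholders are assumptions.

```vbscript
<%
' dbconn.inc.asp (file name assumed): the only file that holds the database
' credentials. Pages do <!--#include file="dbconn.inc.asp"--> and call OpenDb()
' instead of repeating the username and password in every page.

Const DB_CONN_KEY = "ConnString"

' Returns the connection string, building it on first use and caching it in an
' Application variable so it is shared by every session and page.
Function GetConnectionString()
    If IsEmpty(Application(DB_CONN_KEY)) Then
        Application.Lock
        ' Re-check after locking: another request may have set it meanwhile.
        If IsEmpty(Application(DB_CONN_KEY)) Then
            Application(DB_CONN_KEY) = "Provider=SQLOLEDB; " & _
                "Data Source=YOUR_DATABASE_SERVER; Initial Catalog=YOUR_DATABASE; " & _
                "User ID=YOUR_USERNAME; Password=YOUR_PASSWORD"
        End If
        Application.UnLock
    End If
    GetConnectionString = Application(DB_CONN_KEY)
End Function

' Opens and returns an ADODB.Connection. The credentials travel inside the
' connection string, so Open needs no separate username/password arguments.
Function OpenDb()
    Dim db
    Set db = Server.CreateObject("ADODB.Connection")
    On Error Resume Next
    db.Open GetConnectionString()
    If Err.Number <> 0 Then
        ' Do not echo Err.Description or the connection string to the browser:
        ' OLE DB errors can include the server name and the login that was used.
        On Error GoTo 0
        Err.Raise vbObjectError + 1, "OpenDb", "Database connection failed"
    End If
    On Error GoTo 0
    Set OpenDb = db
End Function

' Typical use in a page (after the #include line):
'     Dim db, rs
'     Set db = OpenDb()
'     Set rs = db.Execute("SELECT COUNT(*) FROM Users")
'     rs.Close : db.Close
%>
```

Because this include is the only place that holds the credentials, rotating the password means editing one file and restarting the application, since the cached Application variable lives until the application unloads.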

Related

change sql server login username

I have an ASP.NET application that has a connection string using Windows authentication. My system works in a network domain.
When I try to open the application, the connection string uses this domain\Machine Name for login.
But I want to change it to this domain\MyUserName.
How can I do it?
You need to pass the IP address of the server in the Server, the database name, and credentials, mainly username and password. Here is a sample of how to do this:
data source=ServerIp;Initial Catalog=DatabaseName;user Id=Username;
Password=Password;
If it doesn't have a default server connection then you need to change the server to (serverip)\(sql instance), like 192.16.3.1\SQLEXPRESS.
There will be a default sa username and password; if you don't know it, create a new user in SQL Management Studio => Security => Logins.
You have to create a new user for this problem as below:
Create a new user with Administrator privilege with the same username and password.
On the SQL Server database create a new user by expanding DatabaseNode -> Security -> Login -> Create New User and add this new user with the Windows Authentication radio button selected. This user can only be added by selecting Windows Authentication; it is the operating system's user login.
Linked: https://blog.sqlauthority.com/2008/11/02/sql-server-fix-error-login-failed-for-user-username-the-user-is-not-associated-with-a-trusted-sql-server-connection/

Get hashed password SimpleMembership

I am using ASP.NET and MVC4 to develop a system. The authentication/authorization is done by SimpleMembership.
My team (we belong to a company) needs to retrieve data from an API of some other team of the same company (the user has the same username/password at both systems).
The API has a function getUserID(username, password).
The passwords in the databases are encrypted.
How am I able to get the encrypted password of a user, in order to call that function of the API?
I am trying to do it like this:
SimpleMembershipProvider provider = new SimpleMembershipProvider();
string name = provider.GetPassword("testUser1");
But the above needs a string answer as well.
I do not want to find the user's plaintext password, just to get the hashed password of a user.
Thanks
If you call MembershipUser.GetPassword you will get a not implemented exception since MembershipUser applies to the old ASP.NET provider. Just some of the frustrations you typically see when using the membership provider model.
In SimpleMembership the password is stored in a different table/entity than the user profile information, and it is called webpages_Membership. SimpleMembership uses EF code-first but it does not give you direct access to the other entities it uses, besides the UserProfile. Everything else is hidden behind the WebSecurity class. So if this class does not provide you with what you need the only way I know to get access is to go directly to the database. Here is a way to do this that I verified works.
var context = new UsersContext();
var username = User.Identity.Name;
int userId = WebSecurity.GetUserId(username);
// Pass the id as a query parameter ({0}) instead of concatenating it into the SQL text.
string sqlCmd = "select Password from webpages_Membership where UserId = {0}";
// The value returned is the stored password hash, not a plaintext password.
string password = context.Database.SqlQuery<string>(sqlCmd, userId).FirstOrDefault();

How ASP.NET form authentication works: recognising cookies from request

I am reading about forms authentication in ASP.NET and cannot understand one point:
James enters a username and password, and they are saved in the DB. A cookie from the username is created, encrypted and attached to a response. As I understand it, when we get a request we need to recognise that the cookie received is from James, so we can show his customised page.
What I would like to understand is how the system will retrieve the username from the cookie and then load his info from the DB?
Forms Auth is storage agnostic. It doesn't have to use a database, indeed you can use it with usernames and passwords in web.config.
So what happens is:
1. A user logs in.
2. The user is authenticated against the membership provider (which can use SQL, Active Directory, web.config, Oracle, MySQL, whatever).
3. A forms authentication token is created for the user, and is placed on the user's machine via a cookie.
4. Each subsequent request reads the forms authentication token, and queries the provider to get the user details.
5. The user details are used to populate the user identity in the HttpContext and current thread for the request, which is then available to your code to use.
In your code you can check the User property in the Page class (WebForms) or the User property in the controller class (MVC).
While you can get at it via the current thread or the current context, it's not advised, especially once you start using background tasks, where the identity may not propagate to the thread, or the context may change.
You'll note that nothing is stored in a database when the user logs in. It's all in the forms authentication token, and the work of retrieving the user from its store on each request is done for you.
Afaik Forms Authentication does not store or load anything in any database. You can use a database to store the username and password, or you can put them in the web.config. How you store user credentials and validate them is up to you, and can happen separately from Forms Authentication.
Once you have validated a user (against database or some other logical storage), you use FormsAuthentication to write the authentication cookie. You do not need to worry about decrypting the cookie.
You can get the username from System.Threading.Thread.CurrentPrincipal.Identity.Name. To retrieve the user's info from the database, you would query the database using the value of the principal identity name.
Response to comments
Right, you can use forms authentication with the membership provider, Active Directory, or your own custom user database. FormsAuth doesn't care about the password at all, unless it is stored in web.config (as noted in blowdart's more complete answer). It just writes the cookie, which is decrypted and used to create the thread identity automatically.
Additional Info
Even though this was marked as the answer, blowdart's response is much more complete. You really should not get the identity from the thread if you need it in an ASPX page or MVC controller; use the properties he referenced.
You get the username in your web form by calling User.Identity.Name, e.g. like this:
protected void Page_Load(object sender, EventArgs e)
{
string userName = User.Identity.Name;
}
ASP.NET interprets the cookie for you; you don't have to read it yourself. Or is your question how to store the user and password in the DB?

Correct way of implementing login in ASP.NET page

Please consider these two ways of logging in on an ASP.NET page:
Connect with Windows authentication:
_con = new SqlConnection(@"Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=True");
_con.Open();
After that we may check whether the username provided by the customer exists in the Users table, so that login was successful.
Or connect using username and password:
_con = new SqlConnection(@"Data Source=myServerAddress;Initial Catalog=myDataBase;User Id=myUsername;Password=myPassword;");
_con.Open();
After that only users who provided a valid username and password can connect to the DB and fetch data; that involves creating a user in the DB for every customer.
Questions:
Are these ways of implementing login in an ASP.NET page correct?
If yes, which way would you prefer, the first one or the second one?
Any better ways of implementing login in an ASP.NET page?
Personally I wouldn't use a connection string for each user. Otherwise you'll have the extra headache of maintaining logins in both your app and SQL Server.
Use one login for your application, and use either your own login check or the ASP.NET membership provider: http://msdn.microsoft.com/en-us/library/ff648345.aspx
In particular, method 2 is really bad news, as you would have to create a SQL login for each and every user of your website.
I'm not sure if you really want to give each and every user access to your database, so really be careful with that.
If you can use Windows Authentication, that solves most of your (authentication) problems in one go, and you really won't have to do much to get that running.

ASP.NET ChangePassword control with ActiveDirectoryMembershipProvider

I have a webapp that uses Forms Authentication with ActiveDirectoryMembershipProvider.
That works fine... users can log in successfully.
Once the user has logged in, he can change the password.
We use a ChangePassword control that retrieves the Membership information and uses the old and new password to change the user's password. THAT doesn't work.
The exception message thrown is that the password doesn't fit the password policies (not the message of the provider, but the underlying COM object). But this is not the case, as going to the Active Directory console and changing the password there does work. When using the Active Directory console we used a quite simple password: "Password01".
The user in Active Directory is set to allow changing the password. All our users are stored in a certain OU and the connection string to AD points to this OU too. Again, the connection is successful as we can log in.
Is there any other thing that can prevent us from changing the password?
Exception information
System.Web.Security.MembershipPasswordException: The password supplied is invalid.
Passwords must conform to the password strength requirements configured for the default provider.
---> System.Runtime.InteropServices.COMException (0x800708C5): The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements. (Exception from HRESULT: 0x800708C5)
--- End of inner exception stack trace ---
at System.Web.Security.ActiveDirectoryMembershipProvider.ChangePassword(String username, String oldPassword, String newPassword)
at System.Web.Security.MembershipUser.ChangePassword(String oldPassword, String newPassword)
Well, sorry for the inconvenience...
The problem was that the Active Directory administrator had set that you must wait a day before changing the password.
So, if we create a user... the USER must wait 1 day to change his password.
The Administrator can reset a password without this restriction.
Thanks for your comments.
When you configure the membership provider in the web.config there are several password related values that can be set, namely:
MinRequiredNonAlphanumericCharacters
MinRequiredPasswordLength
PasswordStrengthRegularExpression
I would first make sure that all of these are set to values which match up with Active Directory.
Next, make sure that the connectionProtection attribute is set to SignAndSeal; you cannot change passwords otherwise:
connectionProtection="SignAndSeal"
Besides those suggestions, I looked in Reflector and all the COM errors (except 0x7FF8FAD2) are being thrown straight up to the client. Error 0x800708C5 appears in the MSDN in several places but always with the text that password complexity is not sufficient.