Password recovery with forms authentication - asp.net

I am a beginner in asp.net. I currently have a login page with a forgot-password link button at the bottom of the screen. I am also using forms authentication to prevent an unauthorized user from accessing the other pages. The authentication seems to be working fine except for one thing.
How do I retrieve my password from the user list?

You don't want to store or retrieve the original password for security reasons - asp.net should be storing a hash of the original password in your data store. When a user enters their password again, the configured hashing algorithm should hash it to the same value as before, and that value is compared with the stored hash on the backend to authenticate.
See also Asp.net MVC - How to hash password for more background.
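As an added example (not code from the answer above), here is what that hash-and-compare check looks like in C# on .NET Framework 4.7.2 or later; the storage format, salt size and iteration count are assumptions:

```csharp
using System;
using System.Security.Cryptography;

// Added example, not code from the original answer; targets .NET Framework 4.7.2+.
// The user table stores a salted PBKDF2 hash. Login never retrieves a password:
// it re-derives the hash from what the user typed and compares the two.
public static class PasswordStore
{
    const int SaltSize = 16, HashSize = 32, Iterations = 100000;

    // Returns "iterations.salt.hash" (base64) for storage in the user table.
    public static string HashPassword(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return Iterations + "." + Convert.ToBase64String(salt) + "." +
               Convert.ToBase64String(Derive(password, salt, Iterations));
    }

    // Recomputes with the stored salt and iteration count; the stored hash is
    // never "decoded", only compared.
    public static bool VerifyPassword(string password, string stored)
    {
        string[] p = stored.Split('.');
        if (p.Length != 3) return false;
        byte[] expected = Convert.FromBase64String(p[2]);
        byte[] actual = Derive(password, Convert.FromBase64String(p[1]), int.Parse(p[0]));
        return FixedTimeEquals(actual, expected);
    }

    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        // HashAlgorithmName overload: .NET Framework 4.7.2 / .NET Core 2.0 and later.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }

    // Compares every byte so a mismatch does not leak how much of the hash matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because the stored value cannot be turned back into the password, a "forgot password" feature built on this store can only let the user set a new password, not show the old one.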

Related

Form authentication with tomcat (AES)

I have a web app in which a user can register by providing a new user id and password, and I am encrypting the password using AES and storing it in my Postgres database.
For the user welcome page I want to use form-based authentication with Tomcat.
But for that I first need the user to log in on my login page, then I decrypt the password in my database and check it against the password the user entered.
But from my understanding so far of Tomcat authentication, I need to use password="j_password" for password validation,
but my database contains only encrypted passwords, so I hope you get my question.
Please help! Thanks in advance.

Login Control Authentication

I used the membership API to create users and hashed the passwords in the database. Because of the hashed password the Login control cannot authenticate, as I'm unable to set up the Login control to convert the password the user entered to its hash value before checking the database.
I have tried exploring the Login control's "Logging_in" event handler but I am very confused about how to use it.
I would appreciate any help.

How to expire any auto-login cookie when user change password in ASP.NET/ASP.NET MVC?

I use the ASP.NET Forms Authentication method in my project to keep login information (the user id) in the user's cookie, like the code below. It works well without any problem.
FormsAuthentication.SetAuthCookie(userInfo.id.ToString(), model.AutoLogin);
But the problem occurs when a user uses automatic login and then changes his password. On some sites I see that they force you to re-login when you change your password. It's quite easy to force the current page to log out and log in again.
But I can't find any nice idea for forcing the auto-login cookies in other browsers to log in again. I have a rather ugly idea for doing that, but I don't like it:
Keep the latest password change date in the user data.
Put it in the authentication cookie like the following code.
FormsAuthentication.SetAuthCookie(userInfo.id.ToString() + '|' + userInfo.ChangePasswordDate, model.AutoLogin);
Do you have any better idea for solving this that works with ASP.NET and ASP.NET MVC?
Thanks,
The authentication cookie contains only the encrypted username. So either you really force the user to re-login by signing him out (FormsAuthentication.SignOut), or you do nothing, in which case the old cookie is still valid and still authenticated, but his password was changed in the datastore, so the next time he tries to log in he will need to use the new password.
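An added example, not code from the post or answer above, of the approach the question sketches: a FormsAuthenticationTicket whose UserData carries a password-change stamp, checked against the user record on every request so that tickets issued before the change fail in every browser. UserRepository is a constructed in-memory stand-in for the real user table.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example (not code from the original post). The ticket's UserData carries the
// password-change stamp; a request whose stamp no longer matches the user record is
// signed out. UserRepository is a constructed stand-in for the real user table.
public static class UserRepository
{
    static readonly Dictionary<int, long> Stamps = new Dictionary<int, long>();
    public static long GetPasswordStamp(int userId) { long s; return Stamps.TryGetValue(userId, out s) ? s : 0; }
    public static void OnPasswordChanged(int userId) { Stamps[userId] = DateTime.UtcNow.Ticks; }
}

public static class AuthCookies
{
    // Replaces FormsAuthentication.SetAuthCookie so that UserData can be populated.
    public static void Issue(HttpResponse response, int userId, bool persistent)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userId.ToString(), now, now.Add(FormsAuthentication.Timeout), persistent,
            UserRepository.GetPasswordStamp(userId).ToString(), FormsAuthentication.FormsCookiePath);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true, Secure = FormsAuthentication.RequireSSL, Path = ticket.CookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Call from Global.asax Application_PostAuthenticateRequest. Returns false and
    // signs the request out when the stamp in the cookie is stale.
    public static bool ValidateStamp(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null) return true;          // anonymous request, nothing to check
        long inCookie;
        bool ok = long.TryParse(identity.Ticket.UserData, out inCookie)
                  && inCookie == UserRepository.GetPasswordStamp(int.Parse(identity.Name));
        if (!ok)
        {
            FormsAuthentication.SignOut();          // expires this browser's cookie
            context.User = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        }
        return ok;
    }
}
```

Calling UserRepository.OnPasswordChanged when the password is updated is what makes every older cookie fail the check, whichever browser presents it.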

Security cookies ASP.NET

I have code to persist information about users, like UserName and password, in cookies.
Question is:
It's not secure to store information like that in plain text in cookies. My DB stores hashed passwords, so I could save those hashes in cookies and retrieve them later, but if I do that I wouldn't be able to fill the password textbox because the hash string would be too long for it.
Are there any solutions?
You should never store passwords in plain text, and even a hashed password can be vulnerable to reverse lookup unless it is salted correctly. ASP.NET Forms Authentication already lets you create a persistent authentication cookie that will allow the user to stay logged in, so you should use that instead. See the Timeout, Expires, and IsPersistent properties when creating the Forms Authentication cookies.
Alternatively you could set up a token-based authentication system, by which users get a security token after they enter their login information, and this token is valid for a specified amount of time. This is how Live ID and Google Accounts work, and they usually store the token in a cookie that is valid for weeks at a time.

Verify the UserID, Forgot question and Forgot Answer in ASP.net Membership

I have an ASP.net page with a user id, question and answer.
I need to verify whether the user id and answer are correct.
I don't need to enable password retrieval,
and my password is hashed.
How do I do this?
Are you using the ASP.NET membership provider? If so, then the system will do that authentication for you; you just need to set the appropriate permissions in each folder's web.config in your web site. Just make sure that the folder containing the login form, registration form, etc. (all the content that anonymous users can get to; and yes, login needs that, as they are anonymous until they have actually logged in) is set to allow anonymous users.
You can't have password retrieval with hashed passwords, as it's a trapdoor (i.e. one-way) encryption and can't be reversed. The only option with hashed passwords is to issue a new password.