Generate a PasswordHash and SecurityStamp - asp.net

I have a Registrations table which new users get put into. A later process creates a database for that user, and inserts an ASP.NET Identity User record from the data in the registration table (email & name).
I'd like to extend this so that at the point of registration, users can enter their password, which will then be set up in the new database.
To do this properly, I'd need to create a SecurityStamp value and then encrypt the password using that to get the PasswordHash, I believe. So then I would store these values in the registrations table, and then I could copy them into the user's new database when that is set up, and they would be able to log in with the password they registered.
How would I do this - generate the SecurityStamp and then hash the password?

SecurityStamp can be anything random, non-repeatable - Guid.NewGuid().ToString() does the job nicely.
For password hashing UserManager has property PasswordHasher that does password hashing for you:
var userManager = new UserManager(context);
var passwordHash = userManager.PasswordHasher.HashPassword("mySecurePassword");

Use this namespace
using Microsoft.AspNetCore.Identity;
to generate a hash use
var pass = new PasswordHasher<object>().HashPassword(null, "your password");
to test your password hash
var passCheck = new PasswordHasher<object>().VerifyHashedPassword(null, hashedpassword, "your test password");
return ((int)passCheck) == 1 ? "correct password" : "invalid password";

Related

How to get IdentityUser by Username

I have previously worked with Membership through "System.Web.Security.Membership"
Here, you can do the following:
var currentUser = Membership.GetUser();
var otherUser = Membership.GetUser(username);
...giving you a MembershipUser.
Now, with Identity, I can find a load of ways to get the current logged in user.
But no way to get another user.
I can use:
var userStore = new UserStore<IdentityUser>();
var userManager = new UserManager<IdentityUser>(userStore);
var user = userManager.Find(username, password);
But that takes both username and password, with no overload for just username.
How do i get the IdentityUser from only a username?
Almost every answer I find is connected to MVC.
This is for a WCF service, where authorization is made using Identity. And in some cases the user is getting to the site from an other site with a generated "token" - an encrypted string, containing the username. From here, user is logged in and a session-cookie is set, depending on users settings.
Also, is there a shorter way to get UserInformation?
"var currentUser = Membership.GetUser(username);"
is much more convenient than
"var user2 = (new UserManager((new UserStore()))).Find(username, password);"
UserManager has UserManager<TUser>.FindByNameAsync method. You can try using it to find user by name.

MVC 5 - change password on demo accounts

I have an MVC 5 demo application that uses asp.net security. Within that application I have 75+ user accounts.
The person who gives the demos left, so I'd like to be able to reset all of the passwords for all of the accounts without having to change the email on each account to my personal email and do them individually where a link would be sent to my personal email.
Is there a way I can type in the user name and new password and use built in IdentityUser functionality to reset the password?
Assuming your app is in standard MVC5 format, put this ViewResult into the Account controller:
[AllowAnonymous]
public async Task<ViewResult> ResetAllPasswords()
{
// Get a list of all Users
List<ApplicationUser> allUsers = await db.Users.ToListAsync();
// NOTE: make sure this password complies with the password requirements set up in Identity.Config
string newPassword = "YourNewPassword!";
int passwordChangeSuccess = 0;
int countUsers = 0;
// Loop through the list of Users
foreach (var user in allUsers)
{
// Get the User
ApplicationUser thisUser = await UserManager.FindByNameAsync(user.UserName);
// Generate a password reset token
string token = await UserManager.GeneratePasswordResetTokenAsync(thisUser.Id);
// Change the password, using the reset token
IdentityResult result = await UserManager.ResetPasswordAsync(thisUser.Id, token, newPassword);
// Record results (extend to taste)
if (result.Succeeded)
{
passwordChangeSuccess++;
}
countUsers++;
}
ViewBag.CountUsers = countUsers;
ViewBag.PasswordSuccess = passwordChangeSuccess;
return View();
}
and set up a new View with ViewBag.CountUsers and ViewBag.PasswordSuccess to check the results.
Then set up an ActionLink pointing to ResetAllPasswords in Account controller and press to go.
Obviously the formatting can be changed (maybe a form with a confirm instead, maybe with an input field to specify the password .. ), but the basic controller code should hopefully be good. And note the [AllowAnonymous] attribute is there just for one-off access - not a good idea to leave it there for anything more than testing!
This should reset all Users to the same password specified in the code.
yes in Account Controller just go to the forget Password function and change that code a little where first of all user search the email id and after that system send a mail to that user .
There just write down a code where user send mail to your specific email id then you can get that link in your account click that link and reset the Password

logging in to ableCommerce via commerceBuilder api

i am trying to log in and authenticate with able Commerce?
i am using their DLLs (commerceBuilder)
i have tried
dim user as new commerceBuilder.users.user
user.username = "ABC"
user.password = "PASS"
user.adress = "www.websider.com"
does anyone know how to do this?
AbleCommerce makes use of ASP.NET Forms Authentication with custom membership provider. First validate the user and then if credentials are passed switch context user and set authentication cookie
if (Membership.ValidateUser(username, password))
{
var user = UserDataSource.LoadForUserName(username);
AbleContext.Current.User = user;
FormsAuthentication.SetAuthCookie(user.UserName, false)
}

Migrating users to Universal Membership Provider

I'm trying to migrate to the new Universal Membership providers (from a home brew solution). I've migrated our old User table to the Users/Memberships table.
When I run Membership.ValidateUser(txtUsername.Text.Trim(), txtPassword.Text.Trim()), it always returns false, even though I know the username/password is correct.
Here is how I generated the password, hash, and salt:
var salt = Crypto.GenerateSalt();
var hashedPassword = this.GenerateHashWithSalt(password, salt);
This is the GenerateHashWithSalt method I'm using
private string GenerateHashWithSalt(string password, string salt)
{
string hashWithSalt = password + salt;
byte[] saltedHashBytes = Encoding.UTF8.GetBytes(hashWithSalt);
HashAlgorithm algo = HashAlgorithm.Create(Membership.HashAlgorithmType);
byte[] hash = algo.ComputeHash(saltedHashBytes);
return Convert.ToBase64String(hash);
}
I've also gone with:
var salt = Crypto.GenerateSalt();
var saltedPassword = password + salt;
var hashedPassword = Crypto.HashPassword(saltedPassword);
Neither of these seem to work. What am I missing?
Scott
Bah, answered it.
So step 1 of all of this was migrating users from our 2-way encrypted passwords to 1 way hash.
Every example I saw of doing that included hashing the password manually. Turns out Membership.CreateUser(username,password); hashes the password (and salts), so I was hashing a hashed password, which is why auth was failing.
I simply had to call Membership.CreateUser, passing in the username & plain text pass, and it worked. Weee!

ASP.NET Membership: Where is Current User ID Stored?

Using ASP.NET membership, if I want to get information for the current user, I can call MembershipUser.GetUser()
So, somehow the system must know the ID of the current user.
If this is correct, and all I want is the ID of the current user, is there a way to get it without returning all the user information from the database?
I know I can get the username of the current user using User.Identity.Name, but I need the ID.
The short answer is no you can't get only userID without retrieve whole user info when you use built-in membership provider, only by this
MembershipUser user = Membership.GetUser();
string UserID = user.ProviderUserKey.ToString();
But if you want to have method or property which retrieve only userID, you must re-implement your own membership provider or(it's simply) to implement IPrincipal interface
To return the UserId, use the command bellow in your controller:
User.Identity.GetUserId();
To return the UserName, use:
User.Identity.Name;
To return the user:
var user = db.Users.Find(User.Identity.GetUserId());
Please refer to the post: How to get current user, and how to use User class in MVC5?
As you've guessed, the Membership API doesn't support what you want out of the box. In the past, I've used a helper class instead of creating my own provider. In this case it's pretty simple, maybe something like this:
public static object GetUserId() {
return GetUserId(HttpContext.Current.User.Identity.Name, true);
}
public static object GetUserId(string userName) {
return GetUserId(userName, true);
}
public static object GetUserId(string userName, bool UpdateLastActivity) {
using (SqlConnection c = new SqlConnection(CONNECTION_STRING)) {
string sql = #"
DECLARE #UserId uniqueidentifier
SELECT #UserId=u.UserId
FROM dbo.aspnet_Applications AS a
,dbo.aspnet_Users AS u
,dbo.aspnet_Membership AS m
WHERE
a.LoweredApplicationName=LOWER(#ApplicationName)
AND u.ApplicationId=a.ApplicationId
AND u.LoweredUserName=LOWER(#UserName)
AND u.UserId=m.UserId;
IF #UserId IS NOT NULL AND #UpdateLastActivity=1
UPDATE dbo.aspnet_Users
SET LastActivityDate=#CurrentTimeUtc
WHERE UserId=#UserId;
SELECT #UserId
";
using (SqlCommand cmd = new SqlCommand(sql, c)) {
cmd.Parameters.AddWithValue("#ApplicationName", Roles.ApplicationName);
cmd.Parameters.AddWithValue("#UserName", userName);
cmd.Parameters.AddWithValue("#UpdateLastActivity", UpdateLastActivity);
cmd.Parameters.AddWithValue("#CurrentTimeUtc", DateTime.UtcNow);
object id = null;
c.Open();
id = cmd.ExecuteScalar();
return id != DBNull.Value ? id : null;
}
}
}
Above is pretty similar to what's done in the Membership API when calling GetUser()
You can use MembershipUser.UserName to get the user id or try calling Membership.GetUser(User.Identity.Name) and see if that works for you.
After looking into this further, it seems that the ASP.NET Membership API does not track the user ID after all. It must track just the user name (User.Identity.Name). The ID is not required because Membership.GetUser() can find a user from an ID or user name.
In fact, Membership.GetUser() must simply translate to Membership.GetUser(User.Identity.Name). Since it can obtain the current user from the user name, there is no longer any reason to assume that the current user ID is cached anywhere.
So it appears the ID is not loaded into memory, and the only way to obtain the ID is to load the data from the database (which means loading the entire user record when using the ASP.NET Membership API).
Consider
int userId = WebSecurity.CurrentUserId;
Credit: https://stackoverflow.com/a/15382691/1268910

Resources