I want to change a password in the Membership table. I can change it directly in the database, but it is in an encrypted format. How do I retrieve the original password in the front end, and how do I update it? Please send me the logic.
You cannot directly change it in the database and should use the methods Membership provides.
using System.Web.Security;
MembershipUser u = Membership.GetUser("username1");
u.ChangePassword("OldPassword","NewPass");
If you don't know old pass, use MembershipUser.ResetPassword instead
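The reset path mentioned above, as an added example that is not part of the original answer. It assumes the membership provider in web.config is configured with enablePasswordReset="true" and requiresQuestionAndAnswer="false"; `AdminPasswordTool` and `SetPassword` are hypothetical names.

```csharp
using System;
using System.Web.Security;

public static class AdminPasswordTool   // hypothetical helper, not part of ASP.NET
{
    // Sets a new password without knowing the old one. The stored value is
    // never read back: the provider issues a temporary password, which is
    // then exchanged for the chosen one through the provider's own hashing.
    public static bool SetPassword(string userName, string newPassword)
    {
        MembershipUser user = Membership.GetUser(userName);
        if (user == null)
            return false;                   // unknown user

        if (user.IsLockedOut)
            user.UnlockUser();              // a locked-out account cannot be reset or changed

        // The parameterless overload only works when the provider does not
        // require a security answer (assumption stated in the lead-in).
        string temporary = user.ResetPassword();

        // ChangePassword applies the provider's password policy to newPassword.
        // If it fails, the account keeps the temporary password, which was
        // never shown to anyone, so the reset has to be repeated.
        return user.ChangePassword(temporary, newPassword);
    }
}
```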
If you want a ready-made solution, I use this tool to manage my users and roles.
You just fire it up and point it to the web.config of your web app and away you go.
http://aspnetmemberman.codeplex.com/
Features
Initialize membership databases
Create and delete users
Create and delete roles
Assign and un-assign users to roles
Reset user passwords
Unlock, activate and de-activate users
Works with System.Web and custom providers
Attempts to handle custom profiles
Related
I have 2 projects. One of them is using ASP.Net authentication, the other uses Windows authentication, which is the administration side. I want the Admin project to be able to manage the users of the other. I can modify everything except the password.
If I use UserManager.PasswordHasher to create a new hash and update the AspNetUser, I cannot login with the new password (I can see the update has occurred). I tried to incorporate Asp.Net users in the admin project but it's messing with the Windows authentication.
Is this a salting issue? Is there a way to do a simple model update that will update the password hash correctly without re-implementing the entire Identity model?
Something like this should work:
user.PasswordHash = UserManager.PasswordHasher.HashPassword(newPassword);
UserManager.Update(user);
Tech - asp.net 3.5, Sql server 2005
I have integrated ASP.NET membership into my web application.
I am adding some users (members) by importing an Excel file.
So how can I add those users and their roles to the ASP.NET membership tables?
NOTE - I have an SP which is used to add members to the DB from the uploaded Excel file, and I have written an insert trigger on membertable.
Do not insert DB records manually. Use .NET's Membership Provider's stored procedures to do that, for example aspnet_Membership_CreateUser and aspnet_Roles_CreateRole.
But better off, use .NET's classes/methods to do that. They encapsulate the whole mechanism for you:
Membership Provider
Role Provider
First you create a user, then you (optionally) attach role(s) to.
UPDATE December 2015
Folks keep reading this. It's important to know that for a few years now, there is a totally different paradigm, ASP.NET Identity. Please use it instead of the old Membership Provider.
Abhi you should use
//to create a user
MembershipUser newUser = Membership.CreateUser(UserName, Password, Email);
//to attach created user some role
Roles.AddUserToRole(newUser.UserName, role);
Update
For that you can go for the membership stored procedure aspnet_Membership_CreateUser to create a user, or you can create one for yourself to insert data into the user and userinroles tables.
I would encourage you to refer link
You can simply do INSERT in the AspNetUsers table with empty PasswordHash and SecurityStamp. Then we have a "forgot password" flow that establishes credentials using ASP.NET Membership.
I use .NET membership, but I want everything I work on to be custom.
What I want to do is:
Create custom data table [Users] with custom fields
Import current data into new table
Create custom classes and functions for everything I need for [Users]
I'm not sure how .NET membership works, but maybe it sends an encrypted cookie, and then when I use
var user = Membership.GetUser();
.NET decrypts the user cookie and knows which user it is.
Here is a screenshot of how .NET creates the user AUTH cookie: http://prntscr.com/97043
But every time the user logs out and logs in, this value is different.
So what I want to know is:
Let's say I want to make a 100% custom website; how can I make a custom login?
Can you tell me all the security issues with going for custom membership?
None of this is necessary. You can create your own users table without the need to alter anything related to Membership or authentication. You just make sure that your users table has a column called AspNetUserID or similar of type uniqueidentifier (a GUID). You put the ProviderUserKey from the MembershipUser in this table and look up any user in your Users table simply by getting the ProviderUserKey from Membership.
So, for example, you might do this:
var userid = Membership.GetUser().ProviderUserKey;
// lookup your record in users based on userid above
Implementing a custom backend isn't difficult. You simply implement a custom MembershipProvider that stores and retrieves the data from your users table as you see fit. See MSDN. Also, you don't have to entirely rewrite SqlMembershipProvider, you can subclass it and add the functionality you're looking for.
If you really want to start from scratch on the backend, here are some issues to note:
Don't store passwords in plaintext anywhere; hash them.
Salt your passwords
Log & monitor password resets
Also, you don't have to entirely rewrite SqlMembershipProvider, you can subclass it and add the functionality you're looking for, and most of the issues you might run into will be covered by the default implementation. You'd probably just have to slightly modify the data access calls or stored procedures to map to your table structure. You can also subclass the SqlRoleProvider to provide role-based authorization for your site with little additional effort.
As for the front-end component, MSDN also describes how forms authentication works, but personally, I wouldn't mess with your own cookie scheme. Even big custom implementations like OAuth for ASP.NET still use forms. Check out http://msdn.microsoft.com/en-us/library/system.web.security.sqlroleprovider.aspx
I have these roles: Admin, Doctor and Patient. But login information is stored in different tables. Admin's username and password are stored in User_TABle (they are two items). Patient's login information is stored in Patient_TABLE: PatientID, Year and DocumentID (they are three items). I want to use SQLRoleProvider and SQLProfileProvider. How can I design different login pages with loginView?
Sincerely yours
I think a better setup would be this:
Use the standard MembershipProvider shipped with ASP.NET to use in conjunction with RoleProvider. Once this is set up and you have the roles, you can store personal information for each either by:
Using ProfileProvider (not a bad method but requires a bit of work as you have polymorphic data; you would store it using XML in a text field of the provider or write your own custom profile provider)
OR
Add a table similar to your schema but with a foreign key to the aspnet_Users PK. In code then you could do Roles.IsUserInRole("Whatever") and change the loginView appropriately. It would also mean you could just drag and drop the remaining LoginControl etc. and have it just work with the standard membership provider.
SqlRoleProvider, SqlProfileProvider and SqlMembershipProvider come with default Aspnetdb.
To create the database used by these providers, run the aspnet_regsql.exe executable found in the C:\WINDOWS\Microsoft.NET\Framework\ versionNumber folder. Otherwise, you have to create CustomRoleProvider, CustomProfileProvider and CustomMembershipProvider.
http://msdn.microsoft.com/en-us/library/system.web.security.sqlroleprovider.aspx
How do I migrate users from an existing users table to Forms Authentication?
There seem to be three options:
T-SQL - Iterate through the existing users table and insert into Forms Authentication tables using the stored procedure aspnet_Membership_CreateUser
Code - create a utility that will iterate through the existing users table and insert into Forms Authentication tables using Membership.CreateUser()
Code - as users log in, verify credentials against the existing users table and insert into Forms Authentication tables using Membership.CreateUser()
Which is the most practical?
I have been currently trying option 1 but I am running into difficulties using the password salt to create the encrypted password from a plain text password.
With regard to #1, what exactly is the problem? You don't need to worry about the hashing if you've got plaintext passwords already. Just call CreateUser(username, password). Simple as that.
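An added example, not part of the original posts, of the utility approach (option 2 above), which also covers the earlier advice to create the user through the Membership classes and then attach a role. It assumes the membership and role providers are configured and enabled in the application's config file; `LegacyUser` and `MembershipImporter` are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;

public class LegacyUser   // hypothetical row shape from the old table or the Excel sheet
{
    public string UserName, Password, Email, Role;
}

public static class MembershipImporter   // hypothetical utility
{
    // Creates each user through the configured provider so salting and hashing
    // happen in one place, then attaches the role. Returns the per-user status
    // so rejected rows can be reviewed; passwords never go into the report.
    public static Dictionary<string, MembershipCreateStatus> Import(IEnumerable<LegacyUser> rows)
    {
        var report = new Dictionary<string, MembershipCreateStatus>();
        foreach (LegacyUser row in rows)
        {
            MembershipCreateStatus status;
            Membership.CreateUser(row.UserName, row.Password, row.Email,
                                  null, null, true, out status);
            report[row.UserName] = status;

            // DuplicateUserName, DuplicateEmail, InvalidPassword (the legacy
            // password fails the provider's policy) and similar results leave
            // the row for manual follow-up instead of a hand-written INSERT.
            if (status != MembershipCreateStatus.Success)
                continue;

            if (!string.IsNullOrEmpty(row.Role))
            {
                if (!Roles.RoleExists(row.Role))
                    Roles.CreateRole(row.Role);
                Roles.AddUserToRole(row.UserName, row.Role);
            }
        }
        return report;
    }
}
```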
Have you considered implementing your own MembershipProvider class that hits only your user table?
Trying to synchronise data between two tables may seem trivial now, but may cause you a whole world of hurt in the future as your software evolves.
Just to confirm are you saying you've got an existing users table in your database and you want to use asp.net membership and the membership tables generated?
If that is the case you don't necessarily need to migrate your data. You could extend the membership provider and create your own membership that links into the existing table you already have.
Here are a couple of links if it helps:
Asp.net video
Writing A Custom Membership Provider