Asp.net membership password format - asp.net

I have an application that uses ASP.NET membership. Unfortunately, users' passwords are stored using PasswordFormat Clear. I want to change the passwords to the hashed format without asking users to set theirs again. Another restriction is that the UserId in the Membership table can't be changed. Does anyone have any idea how to do it?

In your web.config go to
<membership defaultProvider="MyMembershipProvider">
<providers>
<clear/>
<add name="MyMembershipProvider"
type="MyProviders.SqlMembershipProvider"
connectionStringName="MyConnectionString"
maxInvalidPasswordAttempts="5"
passwordAttemptWindow="10"
minRequiredNonalphanumericCharacters="0"
minRequiredPasswordLength="4"
passwordStrengthRegularExpression=""
passwordFormat="Hashed"
enablePasswordReset="true"
enablePasswordRetrieval="false"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="true" />
</providers>
</membership>
And there's a "key generator" snippet in this MSDN article, run it twice and shove them in your web.config as:
<system.web>
<machineKey
validationKey="<blah>"
decryptionKey="<blah>"
validation="SHA1"
decryption="AES"
/>
</system.web>

You can encrypt the passwords by configuring the membership provider setting & keys in web.config
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
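<providers>
<!-- enablePasswordRetrieval must be false with passwordFormat="Hashed": a hash cannot be retrieved, and SqlMembershipProvider rejects the combination when it initializes -->
<add
name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="SqlServices"
enablePasswordRetrieval="false"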
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
passwordFormat="Hashed"
minRequiredPasswordLength="1"
minRequiredNonalphanumericCharacters="0"
passwordStrengthRegularExpression="^([1-zA-Z0-1#.\s]{1,255})$"
applicationName="NitinJS" />
</providers>
</membership>
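Added example (not part of the original answers): the config change above only affects passwords set from then on, so the existing clear-text rows still have to be converted. This Python sketch converts rows in place without touching UserId, assuming the stock SqlMembershipProvider layout with an unkeyed hashAlgorithmType such as SHA1 (16-byte salt, hash over salt plus UTF-16LE password); the row dictionaries and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

CLEAR, HASHED = 0, 1  # aspnet_Membership.PasswordFormat values


def membership_hash(password, salt_b64, algorithm="sha1"):
    """base64(H(salt || UTF-16LE(password))): stored layout for an unkeyed hash."""
    salt = base64.b64decode(salt_b64)
    digest = hashlib.new(algorithm, salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")


def migrate_row(row, algorithm="sha1"):
    """Convert one Clear row to Hashed. UserId and other columns are copied as is."""
    if row["PasswordFormat"] != CLEAR:
        return dict(row)  # already Hashed or Encrypted: nothing to do here
    salt_b64 = base64.b64encode(os.urandom(16)).decode("ascii")  # fresh per-user salt
    return dict(row,
                Password=membership_hash(row["Password"], salt_b64, algorithm),
                PasswordSalt=salt_b64,
                PasswordFormat=HASHED)


def validate(row, candidate, algorithm="sha1"):
    """Recompute the hash from the stored salt, as a login check would."""
    expected = membership_hash(candidate, row["PasswordSalt"], algorithm)
    return hmac.compare_digest(expected, row["Password"])


# Constructed sample rows; a real run would read and update aspnet_Membership.
ROWS = [
    {"UserId": "11111111-1111-1111-1111-111111111111", "Password": "Tr0ub4dor&3",
     "PasswordFormat": CLEAR, "PasswordSalt": ""},
    {"UserId": "22222222-2222-2222-2222-222222222222", "Password": "pässwörd",
     "PasswordFormat": CLEAR, "PasswordSalt": ""},
]

if __name__ == "__main__":
    for old in ROWS:
        new = migrate_row(old)
        print(new["UserId"], new["PasswordFormat"], new["PasswordSalt"], new["Password"])
        print("  original password validates:", validate(new, old["Password"]))
        print("  validates under sha256:", validate(new, old["Password"], "sha256"))
```

The `algorithm` argument has to match the hashAlgorithmType the provider actually runs with, otherwise migrated users cannot log in. Verify a few migrated accounts through the application before the clear-text backups are destroyed.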

Related

Multiple connection strings with MVC 5 application

So the critical parts of my web config looks like:
<connectionStrings>
<add name="AppConnection" connectionString="Server=100.100.100.100;Database=AppDB;User Id=user;Password=password;" providerName="System.Data.SqlClient"/>
<add name="MemberConnection" connectionString="Server=100.100.100.100;Database=aspnetdb;User Id=user;Password=password;" providerName="System.Data.SqlClient"/>
</connectionStrings>
and within the membership providers section:
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="MemberConnection"
applicationName="Consulate"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="true"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0"
passwordAttemptWindow="10"
passwordStrengthRegularExpression="" />
</providers>
</membership>
As written, when I register, it connects to the incorrect database.
However, if I change all instances of "MemberConnection" to "DefaultConnection" it works.
Why does it have to use "Default" as part of the connection string name?
Within IdentityModels.cs, the constructor for ApplicationDbContext inherited a hard-coded "DefaultConnection" string.
Changed that to the connection string that correlates to the aspnetdb (membership) and it worked.

set config file for custom role and membership provider causes an error

I want to use a custom membership and role provider in MVC4.
So I added some code to my config file, as you can see here:
<membership defaultProvider="AspNetSqlMembershipProvider">
<providers> <clear />
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="authentication" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="CustomRoleProvider">
<providers>
<clear/>
<add name="CustomRoleProvider"
connectionStringName="authentication"
enablePasswordRetrieval="false" enablePasswordReset="true"
requiresQuestionAndAnswer="false" writeExceptionsToEventLog="false" />
</providers>
</roleManager>
But when I go to the Web Site Administration Tool to add a role, I get this error:
The following message may help in diagnosing the problem: Sections must only appear once per config file. See the help topic for exceptions. (C:\Users\ehsan\Desktop\EducationModel\EducationMVC\web.config line 46)
You have multiple membership providers defined separately:
Removing one of them should get rid of that error. But if you need to have both providers then update as follows:
<membership defaultProvider="MembershipProvider2">
<providers>
<add name="MembershipProvider1" type="WebMatrix.WebData.SimpleMembershipProvider, WebMatrix.WebData" />
<add name="MembershipProvider2" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
</providers>
</membership>
Here MembershipProvider2 is set as defaultProvider just for example. You would update this with whichever providers you need to use as default.

Changing machinekey prevents login of existing users

I'm using Membership provider configured in Web.config like this to use SQL CE:
<connectionStrings>
<add name="DefaultConnection" connectionString="Data Source=|DataDirectory|\Users.sdf" providerName="System.Data.SqlServerCe.4.0" />
</connectionStrings>
and:
<membership defaultProvider="DefaultMembershipProvider">
<providers>
<clear />
<add name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordFormat="Hashed" applicationName="/" />
</providers>
</membership>
This works correctly if I have no machinekey specified.
If I add a machinekey to the Web.config as follows, then existing users can no longer login. However I can create new users and they can log-in.
<machineKey validationKey="D829F10BE92767EC2F9E9FC53B2CF3952AAD386483D6E81E74B4BD84DBE66F71CA121581598FEA669892DBDE46507DF3C8028BBD8FD4E678557621141945171C" decryptionKey="D14678D1FB1777E10316163F6D97071CDF2A447FA15C172DC9525BA397BB0610" validation="SHA1" decryption="AES" />
<pages enableViewStateMac="true"/>
If I remove the machinekey then originally-created users can log-in again, and newly-created users cannot.
Why does adding a machinekey change whether existing users can log-in, given that the password is hashed not encrypted?
By default, .NET Framework 4 uses SHA256. Please make sure the algorithm is the same in both places, and try either SHA1 or SHA256.
<membership ... hashAlgorithmType="SHA1">
<providers>
...
</providers>
</membership>
<machineKey ... validation="SHA1" decryption="AES" />

Membership provider error mvc web.config

I am getting membership error in my application.
This is my web.config section that is creating error.
<membership defaultProvider="DefaultMembershipProvider">
<providers>
<add name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
</providers>
</membership>
All the other similar questions I have read tell me to add defaultProvider and name to this config file.
But I already have defaultProvider and name set by default in there.
What other customization needs to be done?
You can see this error here-
http://funranger.com
I suspect there is already a membership provider registered before your configuration file is loaded.
You'll need to remove the first membership provider, and this can be done by clearing all providers before you add one, just as you are doing with your connectionstrings.
In the configuration section, inside the membership/providers section, add a <clear/> element before the <add> element(s).
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="WorkI" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/"/>
</providers>
</membership>
And also add the below line in your web.config file.
<connectionStrings><add name="DefaultConnection" connectionString="Data Source=YourServername;Initial Catalog=YourDBname;Integrated Security=True;MultipleActiveResultSets=True" providerName="System.Data.SqlClient" /></connectionStrings>
Here is what your membership provider's declaration should look like in the web.config under the system.web element:
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add
name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="MySqlConnection"
applicationName="MyApplication"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
requiresUniqueEmail="true"
passwordFormat="Hashed" />
</providers>
</membership>
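Added example (not from any of the posts above): a small Python audit for the membership mistakes that recur in these threads, namely an unpinned hashAlgorithmType, a missing `<clear/>`, reversible password storage, and password retrieval enabled together with Hashed. The sample config is constructed, the finding codes are hypothetical names, and the minimum length threshold is an assumed policy.

```python
import xml.etree.ElementTree as ET

# Constructed fragment combining settings that appear in the configs on this page.
SAMPLE = """<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER" decryptionKey="PLACEHOLDER"
              validation="SHA1" decryption="AES" />
  <membership defaultProvider="SqlProvider">
    <providers>
      <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="SqlServices" enablePasswordRetrieval="true"
           passwordFormat="Hashed" minRequiredPasswordLength="1" />
    </providers>
  </membership>
</system.web></configuration>"""


def audit(config_xml, min_length=8):
    """Return (code, message) findings. min_length is an assumed local policy."""
    membership = ET.fromstring(config_xml).find("system.web/membership")
    findings = []
    if membership.get("hashAlgorithmType") is None:
        findings.append(("HASH_UNPINNED",
                         "hashAlgorithmType not set; the algorithm follows defaults"))
    providers = membership.find("providers")
    if providers.find("clear") is None:
        findings.append(("NO_CLEAR", "no <clear/>; inherited providers stay registered"))
    for add in providers.findall("add"):
        name = add.get("name")
        # Defaults below are SqlMembershipProvider's: Hashed, no retrieval, length 7.
        fmt = add.get("passwordFormat", "Hashed")
        retrieval = add.get("enablePasswordRetrieval", "false").lower() == "true"
        length = int(add.get("minRequiredPasswordLength", "7"))
        if fmt != "Hashed":
            findings.append(("REVERSIBLE", f"{name}: passwordFormat={fmt} is recoverable"))
        elif retrieval:
            findings.append(("RETRIEVAL_CONFLICT",
                             f"{name}: retrieval enabled with Hashed; provider will not load"))
        if length < min_length:
            findings.append(("WEAK_LENGTH", f"{name}: minRequiredPasswordLength={length}"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE):
        print(f"{code}: {message}")
```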

ASP.NET 2.0 Membership: ValidateUser not locking out the user?

I am using the default SQLMembershipProvider in my ASP.NET 2.0 website, and expect the Membership.ValidateUser to lock-out the user after entering a number of wrong passwords (5, in my case) but ValidateUser doesn't seem to be caring about keeping count of bad password attempts and locking out the user.
What's wrong?
The Membership configuration in my web.config:
<membership defaultProvider="SqlMembershipProvider" >
<providers>
<clear />
<add connectionStringName="ConnectionStringName" enablePasswordRetrieval="true"
enablePasswordReset="true" requiresQuestionAndAnswer="false"
requiresUniqueEmail="true" passwordFormat="Encrypted" maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0"
passwordAttemptWindow="10" passwordStrengthRegularExpression=""
applicationName="MyApp" name="SqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</membership>
What are the PasswordAttemptWindow and MaxInvalidPasswordAttempts set to? And are these configuration settings set in the correct web.config (the one actually in use by the test environment)?
Here's the config for my membership usage which is working as required if it's of any use:
<membership defaultProvider="AspNetSqlMembershipProvider" userIsOnlineTimeWindow="30">
<providers>
<remove name="AspNetSqlMembershipProvider" />
<!--
Membership defaults mainly below this point:
connString, reqQ&A - modified - all others currently default.
-->
<add connectionStringName="CustomSqlServerProvider"
name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="false"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1"
passwordAttemptWindow="10"
passwordStrengthRegularExpression=""
applicationName="/" />
</providers>
</membership>
Also, have you tried using the .Login() method for the authentication process instead? That's what I'm using rather than validateuser().
Please set the user.[IsApproved] to true
