ASP.NET password hashing and password salt - asp.net

I'm creating a custom "add user" page in ASP.Net web forms and have hit a problem. I can insert all the data into the membership table but the passwords are stored in plain text and the password salt has been hardcoded.
How do I go about hashing the passwords so that users can log in (as the membership framework checks for a password hash and not a clear text password)? Also, is the salt completely random or is it linked to the password hash somehow?
Any help would be greatly appreciated,
Marc

<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add
name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="MySqlConnection"
applicationName="MyApplication"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
requiresUniqueEmail="true"
passwordFormat="Hashed" />
</providers>
</membership>
See the line where passwordFormat="Hashed" is mentioned. You need to work out this setting to have the password hashed. PasswordFormat has three values. You choose which one you want and configure your application accordingly.
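As an added example (not from the question or answer above), this C# reproduces how SqlMembershipProvider stores a password when passwordFormat="Hashed" is used with the default SHA1 algorithm, which also answers the salt question: the provider generates 16 random bytes per user, stores them base64-encoded in PasswordSalt, and hashes the salt bytes followed by the UTF-16 password bytes. The class and method names are my own; in an "add user" page you should not insert these columns yourself but call Membership.CreateUser so the configured provider computes them.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Reproduction of the SqlMembershipProvider "Hashed" scheme with SHA1 (the classic default):
// aspnet_Membership.PasswordSalt = base64(16 random bytes)
// aspnet_Membership.Password     = base64(SHA1(saltBytes || UTF-16LE(password)))
static class MembershipHashDemo
{
    // A fresh salt per user; it is random, not derived from the password or the hash.
    public static string GenerateSalt()
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return Convert.ToBase64String(salt);
    }
    // Same byte ordering the provider uses: salt bytes first, then the password bytes.
    public static string EncodePassword(string password, string salt)
    {
        byte[] pass = Encoding.Unicode.GetBytes(password);
        byte[] saltBytes = Convert.FromBase64String(salt);
        var all = new byte[saltBytes.Length + pass.Length];
        Buffer.BlockCopy(saltBytes, 0, all, 0, saltBytes.Length);
        Buffer.BlockCopy(pass, 0, all, saltBytes.Length, pass.Length);
        using (var sha1 = SHA1.Create())
            return Convert.ToBase64String(sha1.ComputeHash(all));
    }
    // Login check: recompute with the stored salt and compare in constant time.
    public static bool Verify(string candidate, string storedHash, string storedSalt)
    {
        byte[] a = Encoding.ASCII.GetBytes(EncodePassword(candidate, storedSalt));
        byte[] b = Encoding.ASCII.GetBytes(storedHash);
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    static void Main()
    {
        string salt = GenerateSalt();                       // what goes in PasswordSalt
        string hash = EncodePassword("P@ssw0rd!", salt);    // what goes in Password
        Console.WriteLine("PasswordSalt = " + salt);
        Console.WriteLine("Password     = " + hash);
        Console.WriteLine(Verify("P@ssw0rd!", hash, salt)); // True
        Console.WriteLine(Verify("p@ssw0rd!", hash, salt)); // False
    }
}
```

The hash algorithm actually used comes from Membership.HashAlgorithmType, which follows the machineKey validation setting, so rows written under a different setting will not verify.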

Related

PasswordReset() throws exception - passwordAnswer?

I have an app that I'm trying to implement the following, but can't seem to figure out how:
User signs up, but the system creates its own temporary password for them
Admin approves user and as part of that approval, the user gets sent a temporary username/password.
The problem is that I can't set the MembershipProvider to enable password retrieval as that seems to disable certificate authentication. I do have passwordReset enabled, but when I try to use it in step 2 (trying to create a new password so I can have it in plaintext to email it to the user), it throws an error:
General Error: System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.ArgumentNullException: Value cannot be null.
Parameter name: passwordAnswer
Is there any way around this?
Here's a code snippet of the relevant code:
MembershipUser mu = Membership.GetUser(Session["UserId"], false);
string password = mu.ResetPassword();
The password is null because nothing got entered. In your code, just use an if:
if (passwordAnswer==null){
//do stuff here
}
While you can write anything there, I recommend, maybe:
if (passwordAnswer==null){
passwordAnswer=" ";//just a space
}
If you want it to be a generated password, research on generating random alphanumeric strings.
I was able to circumvent this issue by adding requiresQuestionAndAnswer="false" to the membership provider in my web.config:
<membership defaultProvider="DefaultMembershipProvider">
<providers>
<add name="DefaultMembershipProvider"
type="System.Web.Security.SqlMembershipProvider"
requiresUniqueEmail="true"
connectionStringName="DB"
applicationName="Acme"
maxInvalidPasswordAttempts="3"
requiresQuestionAndAnswer="false"
enablePasswordReset="true"
minRequiredPasswordLength="15"
minRequiredNonalphanumericCharacters="1"
passwordAttemptWindow="3"
passwordFormat="Hashed" />
</providers>
</membership>
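The first answer leaves "generating random alphanumeric strings" as an exercise, and the config above requires minRequiredPasswordLength="15" with minRequiredNonalphanumericCharacters="1", so a purely alphanumeric temporary password would be rejected by that provider. This added C# example (my own code, not from either answer) generates a temporary password from a cryptographic RNG without modulo bias and checks it against those two provider rules.

```csharp
using System;
using System.Security.Cryptography;
// Added example: temporary password generator matching the provider policy shown above.
static class TempPasswordGenerator
{
    const string Alnum = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789"; // no 0/O/1/l/I
    const string Symbols = "!@#$%^&*()-_=+[]{}";
    // Unbiased index in [0, max): rejection sampling avoids modulo bias.
    static int NextIndex(RandomNumberGenerator rng, int max)
    {
        var b = new byte[1];
        int limit = 256 - (256 % max);
        do { rng.GetBytes(b); } while (b[0] >= limit);
        return b[0] % max;
    }
    public static string Generate(int length, int minNonAlnum)
    {
        if (length <= 0 || minNonAlnum < 0 || minNonAlnum > length)
            throw new ArgumentOutOfRangeException("length");
        var chars = new char[length];
        using (var rng = RandomNumberGenerator.Create())
        {
            for (int i = 0; i < length; i++)   // required symbols first, then alphanumerics
                chars[i] = i < minNonAlnum ? Symbols[NextIndex(rng, Symbols.Length)]
                                           : Alnum[NextIndex(rng, Alnum.Length)];
            for (int i = length - 1; i > 0; i--)   // Fisher-Yates shuffle: mix symbol positions
            {
                int j = NextIndex(rng, i + 1);
                char t = chars[i]; chars[i] = chars[j]; chars[j] = t;
            }
        }
        return new string(chars);
    }
    // Mirrors the two provider checks the config above turns on.
    public static bool MeetsPolicy(string pw, int minLength, int minNonAlnum)
    {
        int nonAlnum = 0;
        foreach (char c in pw) if (!char.IsLetterOrDigit(c)) nonAlnum++;
        return pw.Length >= minLength && nonAlnum >= minNonAlnum;
    }
    static void Main()
    {
        string temp = Generate(15, 1);
        Console.WriteLine(temp + " meetsPolicy=" + MeetsPolicy(temp, 15, 1)); // True
    }
}
```

To apply it, call mu.ChangePassword(mu.ResetPassword(answer), temp), using the ResetPassword(answer) overload while requiresQuestionAndAnswer is true, and email temp rather than the provider-generated reset value.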

SQLASPMembershipProvider not connecting to Database

I have created a web app using the SQLASPMembership provider and everything works fine off my development machine. However when I publish it out to the web server it fails to connect to the database (at least that is what I think is happening, it is difficult to tell as there is no error message).
I have taken the same connection string listed below that the Membership provider uses and created a row count query against the aspnet_Membership that returns the correct count, no problem. Additionally I created an ODBC connection to the database as well, so I know that I can see the database.
<add name="connectionSQL" providerName="System.Data.SqlClient"
connectionString="Password=******;Persist Security Info=True;User ID=*******;Initial Catalog=IdentityManagement;Data Source=sql2005dev"
/>
<providers>
<add connectionStringName="connectionSQL" enablePasswordRetrieval="false"
minRequiredNonalphanumericCharacters="0"
enablePasswordReset="true" requiresQuestionAndAnswer="false"
requiresUniqueEmail="true" passwordFormat="Hashed"
maxInvalidPasswordAttempts="4"
minRequiredPasswordLength="6" passwordAttemptWindow="5"
name="SQLASPMembershipProvider"
type="System.Web.Security.SqlMembershipProvider" />
</providers>
I have checked out every other solution I have found. I use TCP, there is no firewall issue, read write permissions are granted.
How can this be fixed?

My ASP.NET 4 login stopped working...why?

I am working on an ASP.NET 4.0 C# project. The CreateUserWizard is working fine, but the login controls I built are always showing this message:
Your login attempt was not successful. Please try again.
This started happening after I changed the membership and connection string settings in machine.config to experiment, which I changed to default later i.e.:
Here are the connection string settings:
<connectionStrings>
<add name="LocalSqlServer" connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true" providerName="System.Data.SqlClient"/>
</connectionStrings>
And here is the membership section:
<membership>
<providers>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
</providers>
</membership>
Also, I have changed my default database for storing my website's data to the login controls' default database, i.e. ASPNETDB.mdf, by writing two lines in every page's code-behind:
SqlConnection con = new SqlConnection("data source=.\\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true");
SqlCommand cmd = new SqlCommand();
Even when I finish CreateUserWizard1 successfully and redirect to my homepage.aspx, where I have used default label of asp.net LoginName, the label is showing blank.
And if I manually put Label1 and type Label1.Text = HttpContext.Current.User.Identity.Name;, it's still not working.
Will you please help me. I have to show this project to my college and not only that but my team will fail due to my EXPERIMENT.
There are several potential issues here:
You changed the machinekey in the web.config. If so, change it back. If you can't change it back then delete all the users in your table and recreate them. You're using a one way hash algorithm that requires the machinekey to hash the entered password for comparison.
You made changes to the connection string. Are you sure the database even has those user records in it? Next, did you happen to delete / recreate the database? If so those users are gone. See #1.
More to the point it's obvious you haven't put everything back like it was.
So, why are you getting login failed? Potential options are:
The database being accessed isn't the one you think it is.
The user truly doesn't exist in the database it's looking at.
The user does exist but the password you are providing isn't the correct one.
The user exists and the password is correct, but the machinekey has changed and therefore the system can't hash it correctly.
Basically it's probably time to start over by clearing out your database and adding users into it again.

ASP.NET ChangePassword Control Stopped Working

We have a couple of ASP.NET WebForms applications that use the ADAM Membership provider, one of which includes the ChangePassword control. The control has started to fail every password change:
Password incorrect or New Password invalid.
New Password length minimum: 6.
Non-alphanumeric characters required: 0.
We can still successfully reset passwords on the ADAM instance, and the logins still authenticate in the applications. There are no exceptions thrown, and no errors in EventViewer.
Here is the provider section of the Web.config:
<membership defaultProvider="ADAMMembershipProvider">
<providers>
<clear/>
<add name="ADAMMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="MembershipConnectionString"
connectionProtection="None"
connectionUsername="[the username]"
connectionPassword="[the password]"
enableSearchMethods="true"
minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0"
maxInvalidPasswordAttempts="3"
passwordAttemptWindow="5"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="true"/>
</providers>
</membership>
The problem is that ADAM does not allow passwords to be changed over insecure connections by default. There are a couple of ways around this problem:
Setting your connectionProtection property to "Secure" and having the necessary SSL certificates in place.
or
Using dsmgmt and changing the "Ds Behavior" to "Allow passwd op on unsecured connection".

ASP.NET profile deletion

We use the ASP.NET profile subsystem to associate key-value pairs of information with users.
I am implementing functionality for the deletion of users.
I have been using the ProfileManager.DeleteProfile(string userName) method, but I have noticed that this leaves a row in the aspnet_Users table in the aspnetdb database we use to store the profile information.
Clearly, I could manipulate the database directly, but I am reluctant to do so.
What is the best way to ensure all information associated with a user is deleted from the aspnetdb?
PS: there is a tantalising Membership.DeleteUser(string userName, bool deleteEverything) method, but this returns a database connection error. A web.config issue?
Add a membership section to web.config, linked to a connection string containing valid credentials (here: "SqlServices"):
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="20">
<providers>
<remove name="AspNetSqlProvider" />
<add name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="SqlServices"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
passwordFormat="Hashed"
applicationName="/" />
</providers>
</membership>
Ensure the aspnet_SchemaVersions table in the aspnetdb database contains the row:
membership 1 true
You may then use the membership api (Membership.DeleteUser).