I'm using the ChangePassword method of membership provider to change the password and one of the requirement before calling the ChangePassword is to retrieve the current password. But I'm getting error:
padding is invalid and cannot be removed
below is my web.config:
<system.web>
< machineKey validationKey="4FD671E39167DFB91A918018007D095E50B7D2971B01AEDE26A7233FD9CC4A470F80689997EC2C7BB515F9D82C8B4D1F3A8495193630B11E8401C96BD0A5A133"
decryptionKey="ED1555E75C7B91738172E0086456C70B9CAA4C44214FC2B1907123993EA4FA53"
validation="SHA1"
decryption="AES"/>
....
< /system.web>
You cheat, you reset the password to a known value first.
MembershipUser user = Membership.GetUser();
string generated = user.ResetPassword();
user.ChangePassword(generated, *newPassword*);
Related
HI
I am using asp.net mvc with asp.net membership.
I want to have a checkbox that if clicked keeps the users signed in for 2 weeks(unless they clear their cookies).
So I know their is
FormsAuthentication.SetAuthCookie(userName, createPersistentCookie)
but I don't know how to set it up for 2week retention.
I rewrote most of the membership stuff. So I don't use stuff like Create() and VerifyUser().
Add a hash key or a random string to both the cookie and the database (both the same key). If the cookie and database value are the same, when the user starts a new session, sign him/her in again. When the user reaches the two weeks, remove the secret key from the database using a cronjob (Unix) or scheduled task (Windows).
Warning: Do not rely on the cookie expire date, since people can hack their browser.
Rule: NEVER, EVER trust ANY of your users!
You can set the global session timeout (the value is in minutes) in web.config eg.
<system.web>
<authentication mode="Forms">
<forms timeout="20160"/>
</authentication>
</system.web>
This will be for all authenticated users. If you want to use the 'Remember Me' functionality then you will need to write your own code to set the cookie/ticket. Something like this (taken from here):
protected void Page_Load()
{
if (Request.Cookies["username"] == null || Request.Cookies["username"].Value.ToString().Trim() == "")
{
Login1.RememberMeSet = true;
}
else
{
Login1.UserName = Request.Cookies["username"].Value.ToString().Trim();
Login1.RememberMeSet = true;
}
}
protected void RememberUserLogin()
{
// Check the remember option for login
if (Login1.RememberMeSet == true)
{
HttpCookie cookie = new HttpCookie("username");
cookie.Value = Login1.UserName.Trim();
cookie.Expires = DateTime.Now.AddHours(2);
HttpContext.Current.Response.AppendCookie(cookie);
Login1.RememberMeSet = true;
}
else if (Login1.RememberMeSet == false)
{
HttpContext.Current.Response.Cookies.Remove("username");
Response.Cookies["username"].Expires = DateTime.Now;
Login1.RememberMeSet = false;
}
}
Just use a simple cookie with 2 weeks expiration date.
Have you seen this?
http://forums.asp.net/t/1440824.aspx
Along similar lines to what Koning has suggested.
You can not use a session method to keep your users logged in, since browsers delete the session cookies when the browser is closed.
Do what user142019 offered and set the session's IdleTimeout parameter very short, up to 15 min. When the server receives any request from the browser, first check the session if it's alive. if not, try to get the cookie. If the cookie and database value are the same and not expired, assign it to the (new) session and return the response.
You can use onBeforeUnload listener to send a logout request when the user leaves your site. If logged out, delete the cookie and the db record, if not - assign a new hash for the next auto login and refresh that hash again when the user retunes to your website. You can also keep track of IP and the browser and link them to the hash in your db.
So, in case if the cookie is used with another browser or IP, and the hash code is valid, you can force them to login again.
I have the form authentication work fine with expiry 3 months cookie setting:
FormsAuthentication.Initialize();
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, this.txtUsername.Text, DateTime.Now
, DateTime.Now.AddMonths(3), true, string.Empty);
so even if IIS restarted or project rebuild occur the user still authenitaced until he choose to log out our 3 months passed.
as for the custom role provider [authorizing part] when the user login isValid() i add session variable:
HttpContext.Current.Session.Add("userinfo", userInfo);
but as we know the session expire after web.config change, project build, IIS reboot or 20 mins passed by default.
all what I want is to make the system save Session["userinfo"] same as authentication [cookie] do but ofcourse without setting userinfo in cookie because that's not secure even the userId is considered security breach to be stored in cookie!
so how to accomplish that? i thought to store the user id in cookie but encrypted then if i found session expired but user still authenticated I'll reload the userInfo from DB but is that good enough or better approach available? and what about storing userInfo in authTicked in (string.Empty) in above code segment, is at accessible later and how to use it?
ok, sounds no body responded! so i choose to store the userId in the user-data section of the auth ticket:
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, this.txtUsername.Text, DateTime.Now
, DateTime.Now.AddMonths(3), true, UserInfo.UserId.ToString());
then when I need to check the userInfo I use the following property:
public UserInformation UserInfo
{
get
{
if (Session["userinfo"] == null)
{
FormsIdentity id = (FormsIdentity)User.Identity;
FormsAuthenticationTicket ticket = id.Ticket;
long userId = Convert.ToInt64(ticket.UserData);
Session["userinfo"]=new MySqlMembershipProvider().LoadUserInfo(userId);
}
return (UserInformation)Session["userinfo"];
}
}
that's all. i thought of profile provider but i didn't like the idea of fetching the user permissions from db [9 tables structure] then re-store them under on record in sessions tables [its like circulating around yourself] beside if user perms or prefs updated more db hits required!!
I have an existing table that has 100 users and passwords. The data type is a varchar.
I just created an asp.net mvc application and I want to convert the password to aspnet_membership table.
How do I convert varchar password on SQL level as "Password" and "Passwordsalt" in aspnet_membership table?
Password & PasswordSalt part are not processed and created at "SQL Level"
If you look closely to the asp.net membership database - tables / stored procedures / other objects. Then you will find that there are two stored procedures (sp for short) to create User in asp.net membership database tables.
aspnet_Membership_CreateUser
aspnet_Users_CreateUser
These sps will create user entry in aspnet_Membership & aspnet_Users table respectively.
ASP.Net membership works on the web.config file settings that you setup.
An example default webconfig entry will something like this:
<authentication mode="Forms"> // If you are using Form authentication
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices"
enablePasswordRetrieval="false" passwordFormat="Encrypted" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
applicationName="/" />
</providers>
</membership>
In this settings section the attribute "passwordFormat" sets the way your user password is stored.
Options are - Clear (0), Hashed (1), Encrypted (2)
By default it will be having hashed value - or if u have not specified passwordFormat.
In clear text the password will be saved as - Text clear - readable.
With the Hashed option the password will not be (Encrypted), only encoded using a Hashing alogorithm
With the Encrypted option the password will be Encrypted and then encoded.
Encrypted option u specifies a non-auto generated "machine key"
To get one see: Get a non-autogenerated machine key
Password salt is a randomly generated string which is used to Encrypt and encode the password along with the Validation & Decryption Key.
If you want to overide the encryption method of asp.net membership provider and encode youself, (if using custome membership provider), you can do something like this:
private string EncodePassword(byte passFormat, string passtext, string passwordSalt)
{
if(passFormat.Equals(0)) // passwordFormat="Clear" (0)
return passtext;
else{
byte[] bytePASS = Encoding.Unicode.GetBytes(passtext);
byte[] byteSALT = Convert.FromBase64String(passwordSalt);
byte[] byteRESULT = new byte[byteSALT.Length + bytePASS.Length + 1];
System.Buffer.BlockCopy(byteSALT, 0, byteRESULT, 0, byteSALT.Length);
System.Buffer.BlockCopy(bytePASS, 0, byteRESULT, byteSALT.Length, bytePASS.Length);
if(passFormat.Equals(1)) // passwordFormat="Hashed" (1)
{
HashAlgorithm ha = HashAlgorithm.Create(Membership.HashAlgorithmType);
return (Convert.ToBase64String(ha.ComputeHash(byteRESULT)));
}
else // passwordFormat="Encrypted" (2)
{
MyCustomMembership myObj = new MyCustomMembership();
return(Convert.ToBase64String(myObj.EncryptPassword(byteRESULT)));
}
}
}
Example usage:
string passSalt = // Either generate a random salt for that user, or retrieve the salt from database if the user is in edit and has a password salt
EncodePassword(/* 0 or 1 or 2 */, passwordText, passSalt);
I hope this helps.
Its not possible at a SQL level, but with some C# code there are 2 posible techniques.
Simplest is to write a process to read through your existing table, and call Membership.CreateUser for each of the users, and the membership provider will create the user records for you, including the password & salt.
Alternatively, create yourself a dummy user, then wrote a process to change the password of the dummy user to the value from your existing users, and read the value from the aspnet_membership table. I have code that does this if you're interested.
HashAlgorithm ha = HashAlgorithm.Create(Membership.HashAlgorithmType);
How to check the ha is null or not if null means and how to throw the exception
HI
I am using asp.net mvc with asp.net membership.
I want to have a checkbox that if clicked keeps the users signed in for 2 weeks(unless they clear their cookies).
So I know their is
FormsAuthentication.SetAuthCookie(userName, createPersistentCookie)
but I don't know how to set it up for 2week retention.
I rewrote most of the membership stuff. So I don't use stuff like Create() and VerifyUser().
Add a hash key or a random string to both the cookie and the database (both the same key). If the cookie and database value are the same, when the user starts a new session, sign him/her in again. When the user reaches the two weeks, remove the secret key from the database using a cronjob (Unix) or scheduled task (Windows).
Warning: Do not rely on the cookie expire date, since people can hack their browser.
Rule: NEVER, EVER trust ANY of your users!
You can set the global session timeout (the value is in minutes) in web.config eg.
<system.web>
<authentication mode="Forms">
<forms timeout="20160"/>
</authentication>
</system.web>
This will be for all authenticated users. If you want to use the 'Remember Me' functionality then you will need to write your own code to set the cookie/ticket. Something like this (taken from here):
protected void Page_Load()
{
if (Request.Cookies["username"] == null || Request.Cookies["username"].Value.ToString().Trim() == "")
{
Login1.RememberMeSet = true;
}
else
{
Login1.UserName = Request.Cookies["username"].Value.ToString().Trim();
Login1.RememberMeSet = true;
}
}
protected void RememberUserLogin()
{
// Check the remember option for login
if (Login1.RememberMeSet == true)
{
HttpCookie cookie = new HttpCookie("username");
cookie.Value = Login1.UserName.Trim();
cookie.Expires = DateTime.Now.AddHours(2);
HttpContext.Current.Response.AppendCookie(cookie);
Login1.RememberMeSet = true;
}
else if (Login1.RememberMeSet == false)
{
HttpContext.Current.Response.Cookies.Remove("username");
Response.Cookies["username"].Expires = DateTime.Now;
Login1.RememberMeSet = false;
}
}
Just use a simple cookie with 2 weeks expiration date.
Have you seen this?
http://forums.asp.net/t/1440824.aspx
Along similar lines to what Koning has suggested.
You can not use a session method to keep your users logged in, since browsers delete the session cookies when the browser is closed.
Do what user142019 offered and set the session's IdleTimeout parameter very short, up to 15 min. When the server receives any request from the browser, first check the session if it's alive. if not, try to get the cookie. If the cookie and database value are the same and not expired, assign it to the (new) session and return the response.
You can use onBeforeUnload listener to send a logout request when the user leaves your site. If logged out, delete the cookie and the db record, if not - assign a new hash for the next auto login and refresh that hash again when the user retunes to your website. You can also keep track of IP and the browser and link them to the hash in your db.
So, in case if the cookie is used with another browser or IP, and the hash code is valid, you can force them to login again.
We have got a custom MembershipProvider in ASP.NET. Now there are 2 possible scenario the user can be validated:
User login via login.aspx page by entering his username/password. I have used Login control and linked it with the MyMembershipProvider. This is working perfectly fine.
An authentication token is passed via some URL in query string form a different web sites. For this I have one overload in MembershipProvider.Validate(string authenticationToken), which is actually validating the user. In this case we cannot use the Login control. Now how can I use the same MembershipProvider to validate the user without actually using the Login control? I tried to call Validate manually, but this is not signing the user in.
Here is the code snippet I am using
if (!string.IsNullOrEmpty(Request.QueryString["authenticationToken"])) {
string ticket = Request.QueryString["authenticationToken"];
MyMembershipProvider provider = Membership.Provider as MyMembershipProvider;
if (provider != null) {
if (provider.ValidateUser(ticket))
// Login Success
else
// Login Fail
}
}
After validation is successful, you need to sign in the user, by calling FormsAuthentication.Authenticate: http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.authenticate.aspx
EDIT: It is FormsAuthentication.SetAuthCookie:
http://msdn.microsoft.com/en-us/library/twk5762b.aspx
Also, to redirect the user back where he wanted to go, call: FormsAuthentication.RedirectFromLoginPage: http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.redirectfromloginpage.aspx
link text
You can set your own FormsAuthenticationTicket if the validation is successful.
Something like this;
if (provider != null) {
if (provider.ValidateUser(ticket)) {
// Login Success
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
1, //version
someUserName, //name
DateTime.Now, //issue date
DateTime.Now.AddMinutes(lengthOfSession), //expiration
false, // persistence of login
FormsAuthentication.FormsCookiePath
);
//encrypt the ticket
string hash = FormsAuthentication.Encrypt(authTicket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, hash);
Response.Cookies.Add(cookie);
Response.Redirect(url where you want the user to land);
} else {
// Login Fail
}
}
You are right in the case of storing the auth information as a cookie directly. But using a strong hash function (e.g. MD5 + SHA1) is great and secure.
By the way, if you use sessions (which is also just a hash cookie) you could attach auth information to it.