From builtin ASP.NET membership to custom membership password problem - asp.net

We have a production site using ASP.NET built-in membership. Now we want to extend the tables with some custom properties, so we built a custom membership provider using ADO.NET entities.
Everything is working fine, we can create new users and the login controls are also working. We imported every existing user from the aspnet_Membership table into our custom table, and copied the password field into our custom password field in the custom table.
Unfortunately, these existing users cannot log in to the system. We found out while debugging the system that the password is not properly decrypted (we're using passwordFormat="Encrypted").
For example:
We have a user with password testing123. When we decrypt the password from the database, it returns 睝렱ꀱ꘲䧥꾖饱testing123
Does anybody have an idea what we're doing wrong here?
EDIT:
I found this answer, which describes that you should remove the salt (8 bytes) from your password. In that case that is the solution for me, but then I have a problem with new users' passwords, which are working OK by default. Is there no other possibility?
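The symptom in the question above (unreadable characters followed by testing123) is consistent with a decrypted value laid out as salt bytes followed by the UTF-16 password being decoded in one piece. The sketch below is an added example, not code from the post: it strips the prefix and converts an imported row once to a salt-free form, so old and new users go through one validation path. Assumptions: the names `LegacyPasswordImport`, `StripSaltPrefix` and `ConvertRow` are hypothetical, the XOR delegate stands in for the provider's `DecryptPassword`/`EncryptPassword`, the custom provider stores new passwords as UTF-16 with no prefix, and the salt length is passed in (the post cites 8 bytes; confirm it against a known test account).

```csharp
using System;
using System.Text;

// Added illustration, not the poster's provider code.
public static class LegacyPasswordImport
{
    // Legacy decrypted layout assumed here: [salt bytes][UTF-16LE password].
    public static string StripSaltPrefix(byte[] decrypted, int saltLength)
    {
        int textLength = decrypted.Length - saltLength;
        if (saltLength < 0 || textLength < 0 || textLength % 2 != 0)
            throw new ArgumentException("Length does not fit salt + UTF-16 text.");
        return Encoding.Unicode.GetString(decrypted, saltLength, textLength);
    }

    // One-time conversion of an imported row to the salt-free form assumed for
    // new users, so a single code path validates both old and new accounts.
    // decrypt/encrypt stand in for the provider's DecryptPassword/EncryptPassword.
    public static byte[] ConvertRow(byte[] stored, int saltLength,
        Func<byte[], byte[]> decrypt, Func<byte[], byte[]> encrypt)
    {
        string password = StripSaltPrefix(decrypt(stored), saltLength);
        return encrypt(Encoding.Unicode.GetBytes(password));
    }

    public static void Main()
    {
        // Constructed stand-in cipher (XOR) so the sample runs without a machineKey.
        Func<byte[], byte[]> xor = b => Array.ConvertAll(b, x => (byte)(x ^ 0x5A));

        // Constructed legacy row: 8 filler bytes as the salt, then "testing123".
        byte[] salt = { 0x1D, 0x77, 0x31, 0xB8, 0x31, 0xA0, 0x32, 0xA6 };
        byte[] text = Encoding.Unicode.GetBytes("testing123");
        byte[] plain = new byte[salt.Length + text.Length];
        Buffer.BlockCopy(salt, 0, plain, 0, salt.Length);
        Buffer.BlockCopy(text, 0, plain, salt.Length, text.Length);
        byte[] legacyRow = xor(plain);

        // Decoding the whole buffer reproduces the symptom: garbage, then the password.
        string naive = Encoding.Unicode.GetString(xor(legacyRow));
        Console.WriteLine("symptom reproduced: " + naive.EndsWith("testing123"));

        byte[] converted = ConvertRow(legacyRow, salt.Length, xor, xor);
        string roundTrip = Encoding.Unicode.GetString(xor(converted));
        Console.WriteLine("converted row decodes cleanly: " + (roundTrip == "testing123"));
    }
}
```

Run the conversion only over rows imported from aspnet_Membership, and keep the recovered plaintext in memory only.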

Related

Using AspNetUsers in windows forms application

I am trying to set up two projects. One MVC5 project and a Windows Forms project. I would like the user to register on the MVC5 site and then be able to use the Username and Password in a Windows Forms login. I am storing the SQL database in Azure. All I need to do is check the username and password, but I am not sure how to check the hashed password saved in the AspNetUsers table as I don't know how MVC5 encrypts the password when the user registers. I would be grateful for any pointers, or advice on whether this is a sensible option to share users between projects.
Thanks

Users are stored where in ASPX and VS?

I am using a default .aspx web forms example in Visual Studio 2010 and I am curious if anyone can speak to how the default login/register system stores the user's information. From what I can tell this is not stored in any kind of SQL type table.
Is it known exactly where this file is located, and how would one interface with that? I would like that table to contain a URL for each user in addition to their password. ( I am guessing the 'table' only contains user and password ).
Is this possible or would I be better off creating my own login/register system? I know it wouldn't be that much coding, but it would sure be nice to utilize what is already there.
Please spare me if this is easily edited up in a menu somewhere. Was unknowingly thrown into an aspx project with little previous experience. Taking in info as fast as I can!
Thanks in advance for your inputs!
If you use the Membership class you have access to all the methods you need. This class includes methods for:
Creating users
Changing their password
Deleting Users
etc.
The users are stored in the aspnetdb and the information is in several tables. The main ones are:
aspnet_User - this stores the users
aspnet_Applications - which applications are running
aspnet_Membership - this relates the users to the applications they are authorised for
aspnet_Profile - user profile information for the application
This is a standard SQL database that exists on your SQL Server.
For a fuller explanation read this MSDN article.
The users are stored in the ASPNETDB.MDF database in the App_Data folder. This file is hidden by default so I can understand why you're confused.
To make ASPNETDB visible - select the App_Data folder in Solution Explorer and click Show All Files.
Now if you click on the .mdf file the database will open in the Server Explorer in Visual Studio.
The user information is located in the aspnet_Users and aspnet_Membership tables.
The query below will return the user id, user name, encrypted password and email:
SELECT aspnet_Users.UserId, aspnet_Users.UserName, aspnet_Membership.Password, aspnet_Membership.Email
FROM aspnet_Users INNER JOIN
aspnet_Membership ON aspnet_Users.UserId = aspnet_Membership.UserId

asp.net: Location of username and password in WebForm and MVC

If someone gives me WebForm/MVC website code using ASP.NET Membership (and he does not know the username/password), or I download it from the Internet without username/password information, how do I retrieve username/password such that I can load it into VS2010, set up breakpoints, enter correct username/password, and run it to learn the code?
That information is stored in a database. The web.config file will tell you where the database is located. Once you know this, you can query the table for user information but the passwords will be hashed; however, you can always create new users programmatically or even just run straight queries against the database to do whatever you want/need.

asp.net 3.5 password recovery control in an mvc app?

Can I use the asp.net 3.5 Password Recovery control in an MVC application?
We need to provide password retrieval capability for our MVC app and I would like to use the password recovery control which only works with a web form app.
Unlike Login and Logout, the Password Recovery feature does not come implemented in a brand new ASP.NET MVC project, however, adding this feature to an ASP.NET MVC project is actually pretty easy as the Membership class already has the core functionality built-in.
I've posted in my blog an explanation on how I did it:
http://www.hectorcorrea.com/blog/Password-Recovery-in-an-ASP.NET-MVC-Project.aspx
A couple points on the current state-of-the-art (as of Oct, 2011):
1st: there's a good chance you don't actually want password "recovery" since it's considered a security risk and you have to turn-off one-way password encryption to be able to implement it. Instead, most people implement password "reset".
If you really do want to allow "recovery" then:
1) When you create a new internet project in VS2010, it creates: LogOn, Register, and ChangePassword pages for you. As Hector says, there's no password recovery created for you.
2) However, the Asp.Net Membership provider does support it, so you could add it by creating a Model, Controller and View yourself, setting enablePasswordRetrieval="true" and passwordFormat="Encrypted" and calling Membership.GetUser().
If instead of password "Recovery" you actually want password "Reset" then there are a couple of ways to implement it:
i) Self-service - where the user can click on a link and an email is sent to them with a link to reset the password.
Examples:
This one I have tried. I like it because it handles both account confirmation and password reset:
-- http://nuget.org/List/Packages/SimpleMembership.Mvc3
I have NOT tried any of these:
-- http://hectorcorrea.com/Blog/Password-Recovery-in-an-ASP.NET-MVC-Project
-- http://stevenalexander.posterous.com/expiring-password-reset-token-in-mvc-with-wf
-- http://forrst.com/posts/ASP_NET_MVC_3_C_Password_Reset-gFA
ii) Administrator Managed - you contact the administrator who then resets your password for you. TroyGoode's MvcMembership Starter Kit that Gthompson83 refers to above is an example of this. There's a menu item called "User Administration" that's accessible to administrators and allows passwords to be reset or a random one generated and emailed to the user. It also lets you manage roles.
A lot of server controls from Webforms will not work on MVC as designed. Check out the MvcMembership starter kit.

Membership system in ASP.net

I'm going to use the membership system in ASP.net, but need to change it in 2 ways.
The database which stores the users is Access, and I want to salt the password (etc.) plus ask the user to enter details like links to their Facebook pages etc., which are stored in the database.
So how do I use Access with the system?
And how can I change/add fields which are stored in the database (I know how to create them in the database btw, just how I get the membership system to ask for it and store it)
(I could make my own registration/user login system, except I don't know how to restrict access to pages, so how could I go about this?)
Links to tutorials/references would be great
And another on how to write a custom membership provider for the Access Database.
1) Use SQL Server Express edition. It's free, it's good, it works out of the box.
2) Check out the Profile providers for personalisation. http://msdn.microsoft.com/en-us/library/2y3fs9xs.aspx
Here's a link explaining how to use Access:
http://msdn.microsoft.com/en-us/library/44w5aswa.aspx
As for storing extra user information. Asp.NET provides this via personalization. Here are two links to get you going:
Video: http://www.asp.net/learn/videos/video-43.aspx
Article: http://msdn.microsoft.com/en-us/magazine/cc163724.aspx
one more...
Membership Provider MSAccess
