I created a Membership login system for my client, now they do NOT want the user to use one of his 5 last passwords when it comes time to create a new one.
Is that something that is build in or how could I accomplish that?
This feature doesn't exist on asp.net membership login system.
You must implement it by yourself, on the automatic-creating page of changing password.
You need somewhere to save the previous hash list of your users passwords, and check this list, just before accepting a password change.
Update
Where to start:
Start from the all ready existing password change control.
Here is a password change example.
http://www.asp.net/cssadapters/Membership/ChangePassword.aspx
In this control, (that you can easy drag and drop on your page) capture the events,
<asp:ChangePassword ID="ChangePassword1" runat="server"
onchangingpassword="ChangePassword1_ChangingPassword" ... >...
Make your function to check for old passwords
protected void ChangePassword1_ChangingPassword(object sender, LoginCancelEventArgs e)
{
if (PasswordFoundOnList())
{
... show an error....
e.Cancel = true;
}
}
Now save somewhere the last passwords, for example you can saved them on user profile, or on your database.
here are some more informations for user profile.
http://www.asp.net/Learn/Ajax/tutorial-03-cs.aspx
Hope this help you make it.
Check this awesome post by Ronan Moriarty:
Implementing Password History using a Custom Membership Provider
It's an extensive post and I used option 2 as he describes. It has helped me implement what you ask. It's working great here.
Related
I have to edit the Login/Registration that ASP provides to include a custom dropdown ("BranchID") menu that saves to the database so each user has its own Branch. I am using ASP Membership system, and of course it saves to the ASPNETMDF database it creates. Googling has net me some results but I am quite confused. I know there are "User Profiles", and I I can save this Profile data, but what I am not quite sure is if its a temporary measure or if it does record to the database.
I could make my own custom membership system, use the built it and adapt it or use the user profiles. What is the best course of action? I'd vastly prefer to adapt/edit the built in Membership system and add the data I require to it but I still don't haven't a clear answer to what I should do or what's best.
You have two choices:
Create a CustomMembershipProvider , and if you need to a CustomRoleProvider, you can do this by implementing .NET's MembershipProvider. Sample: http://www.codeproject.com/Articles/165159/Custom-Membership-Providers
Create a separate table that stores additional user information, i.e., "BranchID", and add a one-to-one relationship between your table and .NET's Membership
It's really up to you which one you choose.
MembershipProvider is pretty easy to extend. Assuming the branch is something they have to select to authenticate? You should be able to extend authenticate to do something like:
public class MyCustomMembershipProvider : MembershipProvider
{
/*
....
*/
public bool ValidateUser(string username, string password, string branch)
{
return (::ValidateUser(username, password) && MyCustomRoutine(username, branch));
}
}
I programed an application with asp.net and use "respons.redirect" in some pages, like this:
Response.Redirect(string.Format("~/*****/****.aspx?ID={0}", ID));
as user execute this cod he will redirect to correct page and every thing is fine .he can see this redirect link in his browser address :
http://localhost:1852/Jornal/Editor/ReviewerEmail.aspx?ID=1030
Now if he changes the ID manually and the ID is correct he can access the other data without any permission. how can i avoid this problem?(I wont use session)
please help me
If the ID needs to be public and no access control can solve the problem.
then i would suggest that you add a second parameter that is a hash of that Id.
Tampering with the ID parameter will cause a missmatch between ID and hash
http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha256.aspx
you cold also change your ID parameter to a less 'guessable' id, like a GUID
You need to use access control.
Whenever you display any data, you need to check whether the currently-logged-in user has access to that data.
Obviously, you also need to track the currently-logged-in user, in a way that will prevent attackers from being able to claim they are someone else..
To do that, use ASP.Net's built-in membership system.
I'm using asp.net Membership, I develop an admin page who can regenerate a temp password to send to the user, then when the user log on for first time, the password must be changed, but I cant figure out who to know if the password was reseted.
I tried something like in a base controller:
if (user.LastPasswordChangedDate >= user.LastLoginDate)
{
filterContext.Result = RedirectToAction("ChangePassword", "Account");
}
But, I already have updated the LastLoginDate because the ChangePassword Action need to be with a autenticated user.
I was thinking when reseting the password to lock/unlock the user to get updated the "LastLockoutDate" and do:
if (user.LastPasswordChangedDate >= user.LastLockoutDate)
{
filterContext.Result = RedirectToAction("ChangePassword", "Account");
}
But, I can't find a method to do manual lockout
Thanks!!!
There's a lot of things you could do, some would depend on how your system works. For instance, you could store a specific piece of data in the Comment field, if you're not using comments.
Or, if you don't use the "Approved" bit (that is, when you create new users you do not require them to validate an email or something, but instead create them with IsApproved set to true) then you can set IsApproved to False and force a password change if it's false.
There is no method to access much of this data in the Membership API, you just have to access it from you database.
You could also store this in the Personalization provider.
Another option is to simply avoid storing this in the Membership database, and instead just add a table or a field in your apps data to deal with this.
I want to have a log file keep rows of who logs in and timestamp. is there a place to do this? And what sort of code is needed?
The default MembershipProvider can let you know when was the last time that a given User logged in to your site.
Look at MembershipUser. It has the following properties that might be of use for you:
MembershipUser.LastActivityDate
MembershipUser.LastLoginDate
.
If you are using webforms you can suscribe to the Login.LoggedIn event of the Login Control. In your callback function you can then log the login to your persitant store (database table, xml file, ...).
If you are not using the login control you could also register a handler for the HttpApplication.AuthenticateRequest. This would also work for asp.net mvc.
On the Login module/page on your site add the OnLoggedIn the OnLoggingIn and the OnLoginError , and there log your users.
In this functions, you can get the user name by find the UserName control
TextBox txtUserName = (TextBox)Login1.FindControl("UserName");
or if the user have been logged in, by the sender infos
protected void OnLoggedIn(object sender, EventArgs e)
{
//-> ((Login)sender).UserName
}
Then log your users - the datetime of login is of cource the DateTine.Now
I am been taking a look at asp.net membership and it seems to provide everything that i need but i need some kind of custom Role functionality.
Currently i can add user to a role, great.
But i also need to be able to add Permissions to Roles..
i.e.
Role: Editor
Permissions: Can View Editor Menu, Can Write to Editors Table, Can Delete Entries in Editors Table.
Currently it doesn't support this, The idea behind this is to create a admin option in my program to create a role and then assign permissions to a role to say "allow the user to view a certain part of the application", "allow the user to open a menu item"
Any ideas how i would implement soemthing like this?
I presume a custom ROLE provider but i was wondering if some kind of framework extension existed already without rolling my own?
Or anybody knows a good tutorial of how to tackle this issue?
I am quite happy with what asp.net SQL provider has created in terms of tables etc... but i think i need to extend this by adding another table called RolesPermissions
and then I presume :-) adding some kind of enumeration into the table for each valid permission??
THanks in advance
You can programmatically permit or not permit to the user to see some pages, or do some actions using for example the function IsInRole, and check if you let or not a user to do some actions.
HttpContext.Current.User.IsInRole("rolename")
You can make a class/or table with your permissions, and depend from the role that a user belong, to open, close, permit etc a lot of thinks on the same page. I have programming an idea like that on my programs, is very simple.
Here is an idea...
public enum csPermissions
{
pActionDelete = 1,
pActionEdit = 2 ,
...more actions...
}
private int[] AdminPermission = {
(int)csPermissions.pActionEdit,
(int)csPermissions.pActionDelete,
....
};
private int[] BackOfficePermission = {
(int)csPermissions.pActionEdit,
....
};
public static bool IsThisAllowed(csPermissions AskPermitForThisAction)
{
... questions here for all users roles...
... here is only an example .....
if (HttpContext.Current.User.IsInRole("Administator")))
{
for (int i = 0; i < AdminPermission.Length; i++)
if (AdminPermission[i] == (int)AskPermitForThisAction)
return true;
}
...
return false;
}
Hope this help.
You can use the framework to restrict access to entire pages or directories based upon roles. This can be configured in the web.config's authorization element. http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx
Additionally, if you're using a SiteMap for your menu, and have configured authorization, you can use security trimming to restrict the menu. http://www.google.com/search?q=asp.net+security+trimming