I'm wondering if it's possible for me to get the QuestionAnswer field from ASP.NET membership in the same way that you can get the UserName and PasswordQuestion.
MembershipUser mu = Membership.GetUser(userId);
string username = mu.UserName;
string question = mu.PasswordQuestion;
I'm pretty certain that the QuestionAnswer is hashed in the database in the same way that the password is. If that is the case then you won't be able to get the QuestionAnswer in any sort of human-readable format (although if you require the QuestionAnswer in this format you can always run a regular SQL query against the table rather than using the Membership API).
If needed you can always change the password question and answer
Hope this helps.
Related
I am using ASP.NET identity in MVC 5 and wondered the best way to perform string comparison during say, a query to a table where records have been entered with the userId as an foreign key.
Normally I would just plump for == but I wasn't sure how the string for a userId inside .NET identity is created.
I guess it's actually a GUID of sorts under the hood so I'd presume that == would be fine but I wondered if the culture or case would come into it at all.
Does anyone know if the string is a unique GUID for == type comparison, or should I be using string.Equals and some StringComparison option to account for cultures?
ASP.NET Identity can use GUID for keys. In that case GUID should not have any culture specific characters. So StringComparision. InvariantCultureIgnoreCase should go for string.Equals in C#. ToLower (ToUpper) can be used for SQL queries (LINQ).
You probably want to use Ordinal/OrdinalIgnoreCase StringComparisons here as it compares strings character by character without regard to linguistic convention.
Read more here: https://msdn.microsoft.com/en-us/library/cc165449.aspx
And here: https://msdn.microsoft.com/en-us/library/system.stringcomparison(v=vs.110).aspx
Code samples:
string1.Equals(string2, StringComparison.Ordinal);
string1.Equals(string2, StringComparison.OrdinalIgnoreCase);
I want to retreive users passwords from the db , I tried something like this :
SELECT password, passwordformat, passwordsalt
FROM aspnet_membership am
INNER JOIN aspnet_users au
ON (au.userid = am.userid)
INNER JOIN aspnet_applications aa
ON (au.applicationId = aa.applicationid)
WHERE au.username = 'xxxxxxxxxxx'
AND aa.ApplicationId = 'xxxxxxxxxx'
But the query returns the hashed password , Is there any way i can get the original password not the hashed one. Thnx
If it is hashed you cannot retrieve it but you can recover it. Do not invent the wheel and use e.g. PasswordRecovery Control.
UPDATE:
If you by all means want to avoid using the PasswordRecovery control and want to implement this functionality by yourself you still do not need to implement your own queries to aspnet_db. There are plenty of built in methods for most of security issues in the Membership API.
You can use something like follows to reset the password:
string username = "user";
string password = "pass#word";
MembershipUser mu = Membership.GetUser(username);
mu.ChangePassword(mu.ResetPassword(), password);
This should work in case you store hashed passwords and disable q&a. In case you want q&a be enabled you can use a workaround described here.
No you can't!!
Its a hashed not encrypted
You should not store passwords as plain text
I want to send out an email to all users where their birthday is today
I am using the built-in asp.net (3.5) membership. All users have a profile (stored in aspnet_Profile) which contains a date/time property called 'birthday'. I need to get a list of users email addresses from the 'aspnet_Membership' table where a users birthday is today, along with the users 'firstname' which is string property in the aspnet_Profile table.
I would like a list returned preferrably using C# LINQ.
I am not sure how to access the birthday property in the profile table, based on the way it is stored in the db table i.e name/value columns
I think you should consider changing to the much-improved table based provider:
http://weblogs.asp.net/scottgu/archive/2006/01/10/435038.aspx
This allows you to separate your data into one value per table column in the standard SQL way. This performs petter than the standard provider and it solves your problem of querying the Profiles database.
It will take a small amount of work to convert the database, but on the code side, it is just a matter of configuring in a different provider and nothing else should change. That is the beaurty of the provider pattern.
I don't use LINQ enough to give you a good answer, but the following may be the underlying SQL you need (This is how my SSMS generated it in the query designer):
SELECT aspnet_Profile.PropertyValuesString AS firstname, aspnet_Membership.Email
FROM aspnet_Profile INNER JOIN
aspnet_Membership ON aspnet_Profile.UserId = aspnet_Membership.UserId INNER JOIN
aspnet_Profile AS aspnet_Profile_1 ON aspnet_Profile.UserId = aspnet_Profile_1.UserId
WHERE (aspnet_Profile_1.PropertyNames LIKE N'birthday') AND (aspnet_Profile.PropertyNames LIKE N'firstname') AND (DATEADD(dd, 0, DATEDIFF(dd, 0,
aspnet_Profile_1.PropertyValuesString)) = DATEADD(dd, 0, DATEDIFF(dd, 0, GETDATE())))
The Profile mechanism parses the values out by splitting each name/value pair up, and then parsing them individually. You could write code to do that yourself. Or you could follow #Daniel's approach and use the alternative provider, which makes life easier. The out-of-the-box provider is a pain with the string concatenation.
Is this code in the same app? You could just use the profile object to retrieve it, if you are talking C#... what context is this piece of code in? Batch service?
I'm looking to use a slightly modified ASP.Net Membership Provider to handle the standard user account creation/authentication/etc in a website. We have a fair amount of legacy data that I need to migrate in order to provide continuity with our existing users' saved information (like order history, wishlist, etc). [NOTE: We have to migrate anyway, so this is not the reason we're migrating data]
I'm wondering what a sensible approach is for joining this additional data to the asp.net membership tables. There are a two unique keys that I could use on the user table - UserId or email - which we will use as a surrogate for username.
My question is, what is the better access pattern (and hence foreign key) to use elsewhere in my tables for storing orders, wishlists, etc?
In HttpContext, a User object is available that contains the "Username", our email address,
but doesn't have the Guid for userId available.
I see 3 options:
I'd like to simply use the uniqueidentifier UserId for efficiency of access over a lengthy varchar email address, but it doesn't appear readily available without extra database calls to fetch it via email/login. Is there some way to get the UserId so I can make it the foreign key on different tables?
I can pass in email address (username) as the input parameter, join on userId where email address = #emailAddress, and use userId as the foreign key on other tables.
Not viable
I can store username/email address on all the other tables as a foreign key - which would be an unfortunate denormalization
Any thoughts on a best method from either a DB perspective or from an application efficiency perspective?
You can get UserId:
MembershipUser myObject = Membership.GetUser();
string UserID = myObject.ProviderUserKey.ToString();
or maybe (please, check it)
string userId = Membership.GetUser(User.Identity.Name).ProviderUserKey.ToString();
I need to compare the answer in with the aspnet_membership tables PasswordAnswer value.
The text in Password answer is in the form of Hashed. What algorithm they have used how they implemented the Salt value in ASP.net Membership Provider.
I have tried hashing (sh1) and compared with text what is salt value
How to hash my answer value.
string answer = "one";
string hashedvalue = "dfdsfsdfdsfdsfdfdf";
I need to compare this both.
I have converted the answer to hashed format. But both are different> I think due to salt value. How can I utilize this.
You should be using the Membership class' ValidateUser method to do this.