Wrox Programmer Forums

You are currently viewing the ASP.NET 2.0 Basics section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
November 6th, 2006, 11:05 AM
Password hashing in membership

I am using a membership provider in my website with the password format setting set to hashed (the default). I want to check the user's input password manually by comparing it with the one stored in the database. I searched for a direct method that does this work but found nothing, so I tried to do the work manually: getting the input password, then hashing it using (sha1), then comparing it with the one in the database. I used this way to hash the input password:

string hashedPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(OldPasswordTextBox.Text, "sha1");

and then compared it with the one in the database but it was completely different. Here is an example: If the password is '123456' the hashed version of it is '7C4A8D09CA3762AF61E59520943DC26494F8941B' but the one in the database is 'hNemTUHlBI3Oj4Q5ZF6mM8T81XU='

Is that because of using PasswordSalt? If so, then how can I simulate the PasswordSalt to achieve what I want to do?

 
November 6th, 2006, 08:46 PM

I always used the SHA1 class directly.
If it required a salt, I would generate it by hand with the RNGCryptoServiceProvider provider to generate my salt I add on.

I got the info from this link at Microsoft:
http://msdn.microsoft.com/library/de...redentials.asp

Using the SHA1 class directly should give you more predictable results. Think what you were using is for storing. Also, I am just looking, but that one with the "=" at the end almost looks like it used an encryption algorithm vs. a hash. I could be wrong. I built an encryption class that has the output almost like that last hash you put out when done.

 
November 7th, 2006, 05:44 AM

I've found a very easy way to do that, that is by using the Membership.ValidateUser method. I got the username of the logged user by Membership.GetUser().UserName and used it as the first argument in the ValidateUser method, then catch the user's input password as the second argument. The idea is when the user tries to change his password or email from his control panel he must input his old password before any further processes.
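
Added example, not code from any post in this thread and not ASP.NET's own source: it contrasts the two encodings discussed above. HashPasswordForStoringInConfigFile returns the hex SHA-1 of the UTF-8 password with no salt, while SqlMembershipProvider's hashed format stores Base64(SHA1(salt bytes + UTF-16LE password bytes)) with the salt Base64-decoded from the PasswordSalt column. The class and method names and the random salt are constructed for illustration; in an application, Membership.ValidateUser performs this check for you.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class MembershipHashDemo   // hypothetical name, for illustration only
{
    // Config-file style: hex(SHA1(UTF-8 password)), unsalted.
    static string ConfigFileStyle(string password)
    {
        using (SHA1 sha1 = SHA1.Create())
            return BitConverter.ToString(
                sha1.ComputeHash(Encoding.UTF8.GetBytes(password))).Replace("-", "");
    }

    // Provider style: Base64(SHA1(salt || UTF-16LE password)).
    static string ProviderStyle(string password, string saltBase64)
    {
        byte[] salt = Convert.FromBase64String(saltBase64);
        byte[] pwd = Encoding.Unicode.GetBytes(password);
        byte[] all = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, all, salt.Length, pwd.Length);
        using (SHA1 sha1 = SHA1.Create())
            return Convert.ToBase64String(sha1.ComputeHash(all));
    }

    // Compares every character instead of stopping at the first mismatch.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        // Constructed salt standing in for a PasswordSalt column value.
        byte[] saltBytes = new byte[16];
        RandomNumberGenerator.Create().GetBytes(saltBytes);
        string salt = Convert.ToBase64String(saltBytes);
        string stored = ProviderStyle("123456", salt); // stands in for the Password column

        Console.WriteLine(ConfigFileStyle("123456")); // hex digest, as in the first post
        Console.WriteLine(stored);                    // Base64 digest, shaped like the DB value
        // Decoded byte count of the database value quoted in the first post.
        Console.WriteLine(Convert.FromBase64String("hNemTUHlBI3Oj4Q5ZF6mM8T81XU=").Length);
        Console.WriteLine(FixedTimeEquals(stored, ProviderStyle("123456", salt))); // same password
        Console.WriteLine(FixedTimeEquals(stored, ProviderStyle("654321", salt))); // wrong password
    }
}
```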
