When I login on my local machine there is no problem, but when I upload the code and try to login at modules/users/login.aspx, it fails every time. I'm not very familiar with encryption, do I need to provide encryption keys somewhere? Or could this be a security issue with my web host? Or something else?


Any help would be really appreciated.

Cheers,

Mike

It has nothing to do with encryption unless you added that yourself.

How is it connecting to your database?

Are you getting any errors? Did you check the Windows Event Log of the web server running the application?

Are you using the VB.NET version or the C# version? The VB.NET version logs to a file in the main folder.

It does have something to do with encryption. Here is the Submit_Click event which when the code is uploaded always sets newUser to null, so I get 'Login failed'. PhilePrincipal.ValidateLogin is called to set the value of newUser and this involves encryption (see code below). That is the only reason I can think of why it is not working. Any ideas?

private void Submit_Click(object sender, System.EventArgs e)
        {
            PhilePrincipal newUser = PhilePrincipal.ValidateLogin( EmailAddress.Text, Password.Text );
            if (newUser == null)
            {
                LoginResult.Text = "Login failed for " + EmailAddress.Text;
                LoginResult.Visible = true;
            }
            else
            {
                Context.User = newUser;
                FormsAuthentication.SetAuthCookie( EmailAddress.Text, true );
                Response.Redirect("/ThePhile/default.aspx");
            }

public static PhilePrincipal ValidateLogin(string emailAddress, string password)
        {
            Configuration.ModuleSettings moduleSettings = Configuration.ModuleConfig.GetSettings();
            int newID;

            byte[] cryptPassword = EncryptPassword( password );

            Data.User dataUser = new Data.User( moduleSettings.ConnectionString );
            if ( (newID = dataUser.ValidateLogin(emailAddress, cryptPassword)) > -1 )
                return new PhilePrincipal( newID );
            else
                return null;
        }

        public static byte[] EncryptPassword(string password)
        {
            UnicodeEncoding encoding = new UnicodeEncoding();
            byte[] hashBytes = encoding.GetBytes( password );

            // compute SHA-1 hash.
            SHA1 sha1 = new SHA1CryptoServiceProvider();
            byte[] cryptPassword = sha1.ComputeHash ( hashBytes );

            return cryptPassword;
        }
        }


Thanks,

Mike

This code is just a one-way hash of the password. We store only hashed values in the database. When a user gives his password we do a new hash on what he gives us and then we compare that against the hashed password value we have in the database. These 2 hashed values (which are just an array of hex bytes) have to match in order to determine that he entered the password correctly.

I'm guessing you deployed database does not have the correct hex password values stored in the Accounts_Users table.

Can you register as a new user on your deployed database?

I don't have a problem registering as a new user in the database. The record is written to the database seemingly OK, but when it comes to logging in against that record, something goes wrong.