
So, I'm building a site that needs to access a database which was created originally for asp.net. I want to use the same username and password as the asp.net site used, which is already in the database. The developer mentioned that the default authentication was used in asp.net.

Example Password from the database: sYWPXNvJlVNs8EVZvIQOSaWfQ4I=

Example PasswordSalt from the database: ruNTdhelY57ghQsTFz/TIg==

Here is what I have tried:

<cfquery name="auth" datasource="ct">
SELECT userid, Password, PasswordSalt from dbo.aspnet_Membership
WHERE userid = '#auth1.userid#'
</cfquery>

<cfset cfHash = toBase64(hash(auth.PasswordSalt & cookie.password, "SHA1"))>

<cfif cfHash eq auth.Password> ...then authenticate etc.

I've tried a few iterations of this, but no go, the resulting cfHash ends up too long, like this:

OUJBOUJENjI0MzEzNjM3M0EwQjk3Nzc3ODIzNUVGMkJCODczOEI0Qg==

Any ideas?

Phil
  • Something like this came up about 3 months ago tagged coldfusion. Check the ASP security settings to see which scheme was used. There's an encryption and a hashing implementation I think. – barnyr Nov 09 '12 at 17:41
  • I lied, it wasn't tagged coldfusion at all, but it was in my activity feed: http://stackoverflow.com/questions/2547397/how-to-create-a-asp-net-membership-provider-hashed-password-manually/2551717#2551717 – barnyr Nov 09 '12 at 17:43
  • Yeah, I've seen that code, and was trying to replicate in coldfusion, to no avail... – Phil Nov 09 '12 at 17:56
  • ASP is using the hash method, instead of encryption... – Phil Nov 09 '12 at 17:57
  • [This thread](http://stackoverflow.com/a/12539088/104223) might be what you are after. – Leigh Nov 09 '12 at 18:00

1 Answer


(Edit: Original answer did not work in all cases. Substantially revised ...)

This thread might be what you are after. In summary, the two key differences are:


<cfscript>
    thePassword = "password12345";
    base64Salt = "l+g9MUcs+cLExeDTNy8M+A==";
    // extract bytes of the salt and password
    saltBytes = binaryDecode(base64Salt, "base64");
    passBytes = charsetDecode(thePassword, "UTF-16LE" );

    // next combine the bytes. note, the returned arrays are immutable, 
    // so we cannot use the standard CF tricks to merge them    
    ArrayUtils = createObject("java", "org.apache.commons.lang.ArrayUtils");
    dataBytes = ArrayUtils.addAll( saltBytes, passBytes );

    // hash binary using java
    MessageDigest = createObject("java", "java.security.MessageDigest").getInstance("SHA-1");
    MessageDigest.update(dataBytes);    
    theBase64Hash = binaryEncode(MessageDigest.digest(), "base64");

    WriteOutput("theBase64Hash= "& theBase64Hash &"<br/>");
</cfscript>
Leigh
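An independent cross-check of the approach in the answer above, added here as an example in Python (it is not code from the question or the answer). It computes Base64(SHA-1(salt bytes + UTF-16LE password bytes)), compares digests in constant time, and classifies the two values quoted in the question by decoded length. The function names are this example's own, and `naive_hash` is an assumed reconstruction of the question's string-based attempt.

```python
import base64
import hashlib
import hmac

SHA1_LEN = 20  # bytes in a raw SHA-1 digest


def aspnet_sha1_hash(password: str, salt_b64: str) -> str:
    """Base64(SHA1(salt bytes + UTF-16LE password bytes)), as in the answer's CFML."""
    salt = base64.b64decode(salt_b64, validate=True)
    digest = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify(password: str, salt_b64: str, stored_b64: str) -> bool:
    """Compare raw digests in constant time instead of using string equality."""
    try:
        stored = base64.b64decode(stored_b64, validate=True)
    except ValueError:  # malformed Base64 in the stored column
        return False
    candidate = base64.b64decode(aspnet_sha1_hash(password, salt_b64))
    return hmac.compare_digest(candidate, stored)


def describe(value_b64: str) -> str:
    """Classify a Base64 value: raw SHA-1 digest, Base64 of hex text, or other."""
    raw = base64.b64decode(value_b64, validate=True)
    if len(raw) == SHA1_LEN:
        return "raw-sha1"
    if len(raw) == 2 * SHA1_LEN and all(c in b"0123456789ABCDEFabcdef" for c in raw):
        return "base64-of-hex"
    return "other"


def naive_hash(password: str, salt_b64: str) -> str:
    """Assumed form of the question's attempt: string concat, hex digest, Base64 of the hex."""
    hex_digest = hashlib.sha1((salt_b64 + password).encode("utf-8")).hexdigest().upper()
    return base64.b64encode(hex_digest.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    # Values quoted on the page
    print(describe("sYWPXNvJlVNs8EVZvIQOSaWfQ4I="))  # stored Password column
    print(describe("OUJBOUJENjI0MzEzNjM3M0EwQjk3Nzc3ODIzNUVGMkJCODczOEI0Qg=="))
    salt = "l+g9MUcs+cLExeDTNy8M+A=="  # salt from the answer's example
    h = aspnet_sha1_hash("password12345", salt)
    print(h, verify("password12345", salt, h), verify("Password12345", salt, h))
```

The stored `Password` value decodes to 20 raw bytes, while the "too long" value from the question decodes to 40 hexadecimal characters, which is why the two can never compare equal.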