2

I have an application running ASP.NET on 3.0 framework that uses form authentication. I am now building an MVC 4 application that also uses forms authentication and I would like to share authentication between the two apps. I have both config files matching for the auth tag and exact machine key tags. I think my problem is that the ASP.NET application uses the old ASP membership provider which has the user passwords in MD5 format, and the MVC application is using simple membership, password format SHA1.

Is there a way to share user authentication between the two apps even with different credentials (password formats)?

For the main app that authenticates, in the forms tag I have this:

```xml
<credentials passwordFormat="MD5"/>
```

I am not really sure if this is my issue or what's going on.

Erik Philips
Adam N
  • [In WebSecurity's SimpleMembershipProvider the PBKDF2 algorithm is used, the random salt is generated by the StaticRandomNumberGenerator and stored in the password field with the hash.](http://stackoverflow.com/a/10416811/209259) – Erik Philips Jul 24 '13 at 23:43

2 Answers

1

Well, I figured out my answer. All I had to do was add the attribute `compatibilityMode="Framework20SP2"` to the tag.

This was due to the fact that my ASP.NET app was running on the older framework and my new MVC app was on framework 4.0.

Adam N
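An added example (not from the original post) of the two web.config fragments this fix implies: the forms ticket carries the user name and expiry, not the password, so what has to match across the apps is the cookie name and path and the machineKey values. Assumptions: the answer does not name the tag, so the attribute is placed on `<machineKey>`, where `compatibilityMode` is defined; the cookie name, login URLs and key values are placeholders.

```xml
<!-- Added example: two separate web.config fragments, shown together for comparison. -->
<!-- Key values are placeholders; generate your own and keep them out of source control. -->

<!-- 1) Legacy ASP.NET app: validates the password and issues the ticket -->
<system.web>
  <authentication mode="Forms">
    <!-- name and path must be identical in both apps so the browser sends the same cookie -->
    <forms name=".SHAREDAUTH" loginUrl="~/Login.aspx" path="/" protection="All" timeout="30">
      <credentials passwordFormat="MD5" />
    </forms>
  </authentication>
  <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
              decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
              validation="SHA1"
              decryption="AES" />
</system.web>

<!-- 2) MVC 4 app on the newer framework: only decrypts and validates the ticket -->
<system.web>
  <authentication mode="Forms">
    <!-- loginUrl is hypothetical: send unauthenticated users to the legacy login page -->
    <forms name=".SHAREDAUTH" loginUrl="/legacy/Login.aspx" path="/" protection="All" timeout="30" />
  </authentication>
  <!-- Same keys and algorithms as the legacy app, plus compatibilityMode so the
       newer runtime reads and writes tickets the 2.0-era runtime understands -->
  <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_HEX"
              decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX"
              validation="SHA1"
              decryption="AES"
              compatibilityMode="Framework20SP2" />
</system.web>
```

Explicit keys are required in both files: with the default `AutoGenerate` setting each application derives its own keys and rejects the other's cookie.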
0

Your options are pretty much:

  1. Write your own ASP.Net 2.0 MembershipProvider to use the PBKDF2 algorithm to store passwords (Resetting everyone's passwords will be required).

  2. You don't get to override SimpleMembershipProvider's storage of passwords (that I know of) so you'll have to write your own ExtendedMembershipProvider to duplicate the ASP.Net 2.0 security mechanisms in the default MembershipProvider.

As a side note, MD5 is (in my opinion) a terrible algorithm to store passwords. At this point from what I've read bcrypt or PBKDF2 is recommended by most security experts.

If you're interested in the changes Microsoft made to increase security in .Net releases, the article "Stronger Password Hashing in .NET with Microsoft’s Universal Providers" is a good read.

Erik Philips
  • To better understand what you're saying, I will have to update the Asp.net membership passwords to match the hash/encoding of the simple membership password type? Then write a membership provider to duplicate what the asp.net membership provider does? Which application would need that custom provider? – Adam N Jul 25 '13 at 00:07
  • Updated per your comment. (You won't be updating passwords only, you'll have to write code, as far as I know) – Erik Philips Jul 25 '13 at 00:11
  • Well, I guess I have my work cut out for me. Was hoping there would be something easier. I will take a look at those links you provided. Thanks for your reply. – Adam N Jul 25 '13 at 00:29