4

I am about to deploy my C# MVC AspNet Identity website to production, and I am concerned that the password hash in the db may be specific to the machine that it is created on (like it depends on the machine key).

Please note that this is an "out of the box" implementation of ASP.NET MVC as per the Visual Studio 2013 template.

It's way too late for me to change to a different authentication provider. Is it safe to move my DB and webserver to another machine, or will all the existing users stop working?

LJNielsenDk
user230910
  • I strongly think that existing users will stop working, as their passwords will be different on the new machine. What you can do now is to use the same machine key on the new server. You can add the machine key in the web config. – Puneet Apr 27 '15 at 06:10
  • So you are saying that the default ASP.NET Identity hash IS dependent on the machine key in some way? – user230910 Apr 27 '15 at 06:14
  • See [this link](https://stackoverflow.com/questions/23804505/does-asp-net-identity-2-use-machinekey-to-hash-the-password) and [this one](https://stackoverflow.com/questions/19957176/asp-net-identity-password-hashing) for similar responses. – SteveFerg Apr 27 '15 at 06:22
  • Thanks, appreciate the effort – user230910 Apr 27 '15 at 06:36
  • OK, this comes out that you don't need to worry about the password hashing until you are using DEFAULT ASP.NET Identity authentication. But your post says "password hash in the db is specific to the machine that it is created on", which is confusing for readers. – Puneet Apr 27 '15 at 06:36
  • Ah, I was explaining my "worry", not my implementation. I'll try to reword it. – user230910 Apr 27 '15 at 06:38
  • Updated to clarify, thanks – user230910 Apr 27 '15 at 06:40

1 Answer

2

OK, as per the comments above, just for future google-ers - the hash is NOT machine dependent and can be safely moved between servers.

user230910
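The portability described in the answer can be checked independently of any web server. The following is an added example, not code from the thread or from ASP.NET Identity itself: it re-implements, in Python, the layout that the default `PasswordHasher` of ASP.NET Identity 1.x/2.x is assumed to write to the `PasswordHash` column (a `0x00` marker, a 16-byte salt, and a 32-byte PBKDF2-HMAC-SHA1 subkey at 1000 iterations, Base64-encoded). The function names are hypothetical. Every input to verification is either the candidate password or bytes stored in the column, so no machine key is involved.

```python
import base64
import hashlib
import hmac
import os

# Assumed layout (ASP.NET Identity 1.x/2.x default PasswordHasher):
#   0x00 | 16-byte salt | 32-byte PBKDF2-HMAC-SHA1 subkey, 1000 iterations
FORMAT_MARKER = b"\x00"
SALT_LEN = 16
SUBKEY_LEN = 32
ITERATIONS = 1000


def hash_password(password, salt=None):
    """Produce a Base64 hash string in the assumed layout."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 16 bytes")
    subkey = hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt, ITERATIONS, SUBKEY_LEN)
    return base64.b64encode(FORMAT_MARKER + salt + subkey).decode("ascii")


def verify_password(stored_hash, password):
    """Check a password using only the bytes stored in the database column."""
    try:
        raw = base64.b64decode(stored_hash, validate=True)
    except (ValueError, TypeError):
        return False
    if len(raw) != 1 + SALT_LEN + SUBKEY_LEN or raw[:1] != FORMAT_MARKER:
        return False  # truncated value, or written by a different hasher version
    salt, expected = raw[1:1 + SALT_LEN], raw[1 + SALT_LEN:]
    actual = hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt, ITERATIONS, SUBKEY_LEN)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def survives_migration(password):
    """Hash on 'server A', verify on 'server B': the DB value is the only shared state."""
    stored = hash_password(password)          # what server A writes to the DB
    return verify_password(stored, password)  # what server B computes after the move
```

A stored value that decodes to something other than 49 bytes beginning with `0x00` was not produced by this layout, and the sketch rejects it rather than guessing.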