I'm receiving two strings, the username and the password, based on which I'm retrieving an instance of AspNetUser, which has the corresponding fields. I want to produce the corresponding Id, but only if the name and password check out. The former is simple because it's in plain text.

How can I, given the provided password, verify that the hash value is correct?

I have looked at the code in the default template for a few hours but I can't get my head around it. Based on this page, I've created my own hashes, but the one I'm getting differs from the one in the DB, so I'm guessing that I'm doing it wrong or that they are adding some magic part before hashing it.

My: E8B9C259EAB04BBB67B2D67AF5745B
DB: AFczTgO67ViTWwZNejEiTyKRg5s96x5mOmwFFBj7yRUpys/5duOw0q6I6imCm1t1hQ==

See above; can you spot the difference...? The password used is "Abc123()", in case it matters.

Am I barking up the wrong tree when I try to use MD5CryptoServiceProvider? Is there a default string that's being jacked into the source before the hash is being computed?

If there are comments regarding best practices, I'm open to them, of course. Bear in mind, however, that security issues, being my weak point, have bothered me for a long time, so this is the way I want to go to understand the concept, down to bits and bolts. If possible, that is.

I can optionally use the facility that MS provided for me, but I haven't got that right yet either. It appears to me like a lot of code doing "something here, something there".

<system.web>
  <membership defaultProvider="donkey">
    <providers >
      <clear/>
      <add name="donkey" passwordFormat="Hashed" />
    </providers>
  </membership>
  <authentication mode="None" />
  <compilation debug="true" targetFramework="4.5.2" />
  <customErrors mode="Off"></customErrors>
  <httpRuntime targetFramework="4.5.2" />
</system.web>
Konrad Viltersten
  • I assume that when you save the password via aspnet into the db, the framework internally is applying some kind of hashing or salting. There are default algorithms which are being applied on the password. This link might help you: http://stackoverflow.com/questions/1137368/what-is-default-hash-algorithm-that-asp-net-membership-uses?answertab=active#tab-top. You need to disable this salting and the problem will be solved. – Umer Hayyat Jan 07 '16 at 07:28
  • Can you share the section of your web config of "" ? – Umer Hayyat Jan 07 '16 at 07:35
  • @UmerHayyat No, I can't. I just reviewed every single config file in the solution and I have no such tag. Please note, there's no such tag even in the config that relates to the template that's working (the default, vanilla login/register). – Konrad Viltersten Jan 07 '16 at 07:38
  • You want to have a method which may return true/false based on the comparison result? Again, if you do not configure a hashing or salting key, aspnet uses a default one which ships with membership. – Umer Hayyat Jan 07 '16 at 07:39
  • @UmerHayyat Basically, yes. I've got a method that gets *name* and *pass* strings and I wish to get a verification that it's the right combination for a user in the DB (AspNetUser table). – Konrad Viltersten Jan 07 '16 at 07:41
  • Can you try by adding the section in web config and setting its passwordFormat="Clear"? Also clear the provider in this section too. – Umer Hayyat Jan 07 '16 at 07:46
  • @UmerHayyat Please see the edit. I'm showing the system.web part as it is. I based it roughly on [this link](https://msdn.microsoft.com/en-us/library/system.web.security.membershippasswordformat%28v=vs.110%29.aspx). – Konrad Viltersten Jan 07 '16 at 08:37

1 Answer

The Membership class you're using provides the static ValidateUser method:

Verifies that the supplied user name and password are valid.

public static bool ValidateUser(
  string username,
  string password
)


public void Login_OnClick(object sender, EventArgs args)
{
   if (Membership.ValidateUser(UsernameTextbox.Text, PasswordTextbox.Text))
      FormsAuthentication.RedirectFromLoginPage(UsernameTextbox.Text, NotPublicCheckBox.Checked);
   else
     Msg.Text = "Login failed. Please check your user name and password and try again.";
}
Ian Boyd
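An added example, not part of the question or of the answer above, showing what the value quoted from the AspNetUsers table actually is and how to check a password against it. That string base64-decodes to 49 bytes whose first byte is 0x00, which is the Microsoft.AspNet.Identity (v2) PasswordHasher layout: a 0x00 format marker, a 16-byte random salt, and a 32-byte PBKDF2-HMAC-SHA1 subkey computed with 1000 iterations. An unsalted MD5 can therefore never match it, and two hashes of the same password will differ because the salt is random. In an Identity project the framework does this check for you via `new PasswordHasher().VerifyHashedPassword(storedHash, password)` (or `UserManager.CheckPassword`); the Python below re-implements the same layout so the bits are visible. The function names are mine, the quoted DB value is parsed only, and whether it corresponds to "Abc123()" is not assumed here (run the script to find out).

```python
import base64
import binascii
import hashlib
import hmac
import os

# Layout of a Microsoft.AspNet.Identity v2 PasswordHasher string, once base64-decoded:
#   byte 0       : format marker 0x00
#   bytes 1..16  : 16-byte random salt
#   bytes 17..48 : 32-byte PBKDF2-HMAC-SHA1 subkey, 1000 iterations
# These are the Rfc2898DeriveBytes parameters Identity v2's Crypto.HashPassword uses.
FORMAT_MARKER = 0x00
SALT_LEN = 16
SUBKEY_LEN = 32
ITERATIONS = 1000

# The value quoted from the AspNetUsers table in the question; used here for parsing only.
DB_HASH_FROM_QUESTION = "AFczTgO67ViTWwZNejEiTyKRg5s96x5mOmwFFBj7yRUpys/5duOw0q6I6imCm1t1hQ=="


def parse_identity_hash(stored):
    """Split a stored hash into (salt, subkey); raise ValueError if the layout is wrong."""
    try:
        raw = base64.b64decode(stored)
    except binascii.Error as exc:
        raise ValueError("stored hash is not valid base64") from exc
    if len(raw) != 1 + SALT_LEN + SUBKEY_LEN or raw[0] != FORMAT_MARKER:
        raise ValueError("not an ASP.NET Identity v2 password hash")
    return raw[1:1 + SALT_LEN], raw[1 + SALT_LEN:]


def derive_subkey(password, salt):
    # Rfc2898DeriveBytes(string, ...) encodes the password as UTF-8 before running PBKDF2.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, SUBKEY_LEN)


def hash_password(password, salt=None):
    """Produce a hash in the format Identity stores; a fresh random salt unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    blob = bytes([FORMAT_MARKER]) + salt + derive_subkey(password, salt)
    return base64.b64encode(blob).decode("ascii")


def verify_password(stored, password):
    """Recompute the subkey with the stored salt and compare it in constant time."""
    try:
        salt, expected = parse_identity_hash(stored)
    except ValueError:
        return False
    return hmac.compare_digest(derive_subkey(password, salt), expected)


if __name__ == "__main__":
    salt, subkey = parse_identity_hash(DB_HASH_FROM_QUESTION)
    print("salt   :", salt.hex())
    print("subkey :", subkey.hex())
    print("matches Abc123()?", verify_password(DB_HASH_FROM_QUESTION, "Abc123()"))
    fresh = hash_password("Abc123()")
    print("fresh hash (new salt, so a different string):", fresh)
    print("fresh hash verifies:", verify_password(fresh, "Abc123()"))
```

The comparison uses `hmac.compare_digest` rather than `==` so that a wrong guess is rejected in the same time regardless of how many leading bytes happen to match, which is also what the .NET implementation does with its own constant-time byte comparison.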