The Membership Provider ValidateUser using EF is quite simple:

public override bool ValidateUser(string username, string password)
{
    // Validate User Credentials
    // Both Equals calls are translated to SQL, so the comparison follows the
    // column collation (case-insensitive by default on SQL Server).
    var r = db.ST_Users.FirstOrDefault(
                           x => x.Username.Equals(username) && 
                                x.Password.Equals(password));
    return r != null;
}

But this returns true (finds and retrieves the whole object) no matter if I use balexandre or BAleXanDre.

How can I enable EF to compare in case-sensitive mode?

I know how to compare case-insensitively (using the StringComparison.CurrentCultureIgnoreCase overload), but I just want the opposite.

Craig M
balexandre

2 Answers
You should not query on the password. You should retrieve the User object and do a password compare locally, because SQL server will do a case insensitive compare for you by default (unless you change your database settings, which is not something you should take lightly).

// Only the username goes to the database; collation decides how it is matched there.
var r = db.ST_Users.SingleOrDefault(x => x.Username == username);

// C# string == is an ordinal (case-sensitive) comparison, done in memory.
return r != null && r.Password == password;

Besides, you seem to be storing plain passwords in your database. Depending on the type of application, this might not be a good idea. Try hashing them with a salt. There is lots of good information about that here on Stack Overflow. For instance, take a look at this question and this website.

Steven

  • The +1 is for both the answer and advice. Learn from Sony, ECI, and all the other companies that have made the news as of late - DO NOT store plain text passwords! – JasCav Jun 13 '11 at 20:43
  • I use `BCrypt` to store my passwords, the question only has a plain example. It would be weird if, with my reputation, I didn't know how to store sensitive data the correct way! – balexandre Jun 13 '11 at 21:41
  • @balexandre: I'm not familiar with `BCrypt`, but if you are storing your passwords in a hashed form in the database, you won't have any case-insensitive string compare problem, so it seems to me that you are not storing your passwords in a hashed form. Perhaps you are encrypting your passwords, which is less safe than hashing. Besides, why do you want to be able to decrypt your users' passwords? – Steven Jun 14 '11 at 06:49
  • The question was just a plain example for another part of the application, whose code I can't post (as it belongs to the company) - weird internal rules. `BCrypt` is extremely easy to use and extremely safe >> http://derekslager.com/blog/posts/2007/10/bcrypt-dotnet-strong-password-hashing-for-dotnet-and-mono.ashx. Again, my question has only example code, not production code. **But I got something from your answer**: Don't compare with LINQ, extract the object and compare outside the query. Thanks for that. – balexandre Jun 14 '11 at 07:56
  • @balexandre: Don't shoot the messenger ;-) I'm glad my answer helped you. Cheers! – Steven Jun 14 '11 at 12:22
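The pattern from the answer above, written out as an added example (not code from the question or from Steven): query by username only, then verify a salted PBKDF2 hash in memory with a fixed-time compare, so the password check is neither subject to the database collation nor stored in plain text. The `ST_User` fields, `UserStore` and the iteration count are assumptions; an in-memory list stands in for `db.ST_Users`, and it assumes .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

// Constructed stand-in for the ST_Users entity: stores a salted hash, never the password.
public class ST_User
{
    public string Username { get; set; }
    public byte[] PasswordSalt { get; set; }
    public byte[] PasswordHash { get; set; }
}

public static class PasswordHashing
{
    const int Iterations = 100_000; // assumed cost factor; tune for your hardware
    const int HashBytes = 32;

    public static byte[] NewSalt() => RandomNumberGenerator.GetBytes(16);

    public static byte[] Hash(string password, byte[] salt)
    {
        using var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256);
        return kdf.GetBytes(HashBytes);
    }

    // Fixed-time comparison so the check does not leak how many bytes matched.
    public static bool Verify(string password, byte[] salt, byte[] expectedHash) =>
        CryptographicOperations.FixedTimeEquals(Hash(password, salt), expectedHash);
}

public class UserStore
{
    // In-memory stand-in for db.ST_Users. SQL Server's default collation makes the
    // username lookup case-insensitive; OrdinalIgnoreCase reproduces that here.
    private readonly List<ST_User> _users = new();

    public void Add(string username, string password)
    {
        var salt = PasswordHashing.NewSalt();
        _users.Add(new ST_User { Username = username, PasswordSalt = salt,
                                 PasswordHash = PasswordHashing.Hash(password, salt) });
    }

    // 1) fetch by username only (the query), 2) verify the password in memory.
    public bool ValidateUser(string username, string password)
    {
        var user = _users.SingleOrDefault(
            x => string.Equals(x.Username, username, StringComparison.OrdinalIgnoreCase));
        return user != null && PasswordHashing.Verify(password, user.PasswordSalt, user.PasswordHash);
    }
}
```

After `store.Add("balexandre", "S3cret")`, `ValidateUser("BAleXanDre", "S3cret")` returns true (username matched case-insensitively) while `ValidateUser("balexandre", "s3cret")` returns false (password verified exactly).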
I was facing the same issue. I tried:

1. from p in entity.SecurityUsers where p.userName.Equals(userName) && p.password.Equals(password) select p
2. from p in entity.SecurityUsers where p.userName == userName && p.password == password select p

But neither of these worked. Then I selected the user only:

var user = (from p in entity.SecurityUsers where p.userName == userName select p).FirstOrDefault();

And then compared its password:

return user != null && user.password == password;
Arsman Ahmad