I'm new to web security so I don't want to implement my own. I plan to use SimpleMembership via the VS2012 template for an ASP.NET MVC Internet Application. The problem is that I need to pass the data via a Web API.
I plan to use basic authentication for my Web API, so I just need to pass username/pass in the http headers. I can intercept the message using Thinktecure.IdentityModel. Here's an example that uses ASP.NET Membership:
authConfig.AddBasicAuthentication((userName, password) =>
Membership.ValidateUser(userName, password));
I can replace Membership.ValidateUser with my own bool function. I've successfully queried my custom database with username/password and everything worked fine. However, I'm using the template's user database because I DON'T want to store string (or even encoded) passwords.
I am unclear on how to manually validate the credentials using the SimpleMembership's database. I can grab a UserProfile, but can't figure out how to check the profile's password.
UserProfile user = context.UserProfiles.Find(1);
==OUTPUT==
user
UserId: 1
UserName: "bob"
Do you know how I can check if an inputted password matches that of an existing user?
Thanks for your help!
Why you are not using Membership.ValidateUser? This is not restricted to just ASP.NET Membership assuming you have your [InitializeSimpleMembership] (here) attribute in the correct places or have executed the logic inside it yourself elsewhere, and you have the correct references to WebMatrix etc you can still just call Membership.ValidateUser and it will use SimpleMemberships Validate user.
If you wanted to go to the database yourself, and assuming you are using hashed password etc then this article is probably going to help as you are going to need to hash your inputed password before selecting it out, the rest of which is just writing some EF or (any other db access method) to select from the User table where the username and hashed passwords match. But I can think of no obvious reason to do this as Membership.ValidateUser will do all this for you.
Related
I'm using asp.net membership for users accounts, user password is encrypted and stored on to the sql database as a user registers , the problem I'm having it when the user forgets the password I can't get it right when trying to retrieve it from the database, I have no idea how I can reverse the encryption.I'd appreciate the help.
You can't. By default the passwords are saved as a salted SHA1 hash, you can't "decrypt" such a hash.
It would be bad practice to save passwords in a fashion that allows you to view them, no matter which algorithm you would be using for that. Just create some logic to enable a user to reset his or her password, instead of trying to retrieve the original password.
If you have an ASP.NET MVC 5 site configured without email confirmation, how can a password reset be performed by an administrator?
I can write a console app which resets the password in the database, but that seems inefficient. Also, the old aspnet_Membership_ResetPassword sproc has no counterpart in the new identity system.
I'm not sure I understand what you're trying to achieve. You still have to get the password to the user somehow, so will you be emailing them a generated password instead of the standard "follow a link in a email to a page that lets you pick a new password" approach?
Also, are you talking about specifically resetting one user's password or resetting all user passwords. If the latter, then a console app is the way to go. If the former, you can simply add a view to some backend that's only accessible to admins that let's them perform this function for a specific user.
As far as generating some random password goes, you're on your own there, but a simple web search should turn up plenty of methods to choose from.
Word to the wise, though, the email confirmation approach is standard for a reason. It provides a relatively secure way to allow a user to regain access to their account when they can't remember their password. It's most important feature, though, is that it forces the user to actually change their password, whereas with a provided password, random or not, users will actually use that password, rather than take the time to manually change it after logging in - especially with password managers these days. That means if you sent that password via email, or wrote it on a sticky or whatever, you now have a huge gaping security hole.
I am working on a new mvc4 site,and am using mvc4 forms authentication.
the users of the site expect to be able to login to the companies main site and click on a link and go to this new site i am developing. the old site stores the logged in user in a session variable. is it possible for me to check if the session variable exists and log the user in to my forms authentication? or will they need to login again?
Make the same machineKey section in your web.config in system.web like this:
<system.web>
<machineKey validationKey="SAME_KEY_GOES_HERE" ... />
...
You can generate machineKey here.
Then your goal is to pass all the authentication cookies from one website to another. I think you can store them in database, and provide authenticated users with an unique link to your new website. New website can read the key from database, and set cookie values obtained from the existing website. After that, user will be authenticated on your new website.
Update:
There could be easier and little bit less secure way of doing this. Don't keep cookie data in database, just create a form on the first website with post action. This form must contain all authentication cookies in hidden values. Action of the form must point to your second website. On the second website, you just need to place submitted form values to cookies. That's it! Much easier! (yep, and you need same machine key)
I was looking over some ASP.NET MVC 1 code (C#) in search of the mechanisms that the site was using to log in a user. This is what I found...
FormsAuthentication.SetAuthCookie(authenticatedUser.UserName, false);
followed by a redirect. Is it REALLY that simple?
I couldn't find any other code after the redirect that would be responsible for this.
FormsAuthentication.SetAuthCookie creates an authentication ticket for the supplied user name and adds it to the cookies collection of the response, or to the URL if you are using cookieless authentication.
This will "log in a user" but you need to actually make sure the user exists somehow. You can use the built in membership providers which will by default target a SQL Express database in your App_Data folder called ASPNETDB.mdf.
If the default membership provider does not work for you then you can create a custom membership provider by inheriting from the base MembershipProvider class. If you don't want to do this then you can roll your own solution and still issue an authentication ticket, but at the very least you need to do something to actually make sure a user is who he says he is.
Im using an asp.net mvc 3 project. I want to be able to email a users password to them if they submit their username in RecoverPassword page.
How can i do that?
Thanks
Its best to store the password in your database as a hash so it can never be reversed. If they forget their password, best thing to do is let them reset it, rather than telling them what the old one is.
Don't do that. Storing passwords in plain text is insecure.