How can I manually verify a user with a membership database in ASP.NET?

I would like to know how I can validate user credentials against an existing ASP.NET membership database. In short, we want to provide single sign-on for access.

So, I did this to connect directly to the membership database and tried to run a SQL query against the aspnet_Membership table:

using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web.Security;

private bool CanLogin(string userName, string password)
{
    // Check the membership database to see whether the credentials are correct
    try
    {
        // Unsalted, hex-encoded SHA1 of the password. SqlMembershipProvider stores a
        // salted hash (see the PasswordSalt column), so this value does not match its format.
        string passwordHash = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");

        // Parameterised query: never concatenate the user name or password into the SQL text
        const string sql = "select 1 from aspnet_Users a "
                         + "inner join aspnet_Membership b on a.UserId = b.UserId and a.applicationid = b.applicationid "
                         + "where a.username = @userName and b.password = @passwordHash";

        using (SqlConnection sqlConn = new SqlConnection(ConfigurationManager.ConnectionStrings["LocalSqlServer"].ConnectionString))
        using (SqlCommand sqlCmd = new SqlCommand(sql, sqlConn))
        {
            sqlCmd.Parameters.AddWithValue("@userName", userName.ToLowerInvariant());
            sqlCmd.Parameters.AddWithValue("@passwordHash", passwordHash);
            sqlConn.Open();
            // ExecuteNonQuery returns -1 for a SELECT; ExecuteScalar returns the first
            // column of the first row, or null when no row matched.
            object result = sqlCmd.ExecuteScalar();
            return result != null;
        }
    }
    catch (Exception)
    {
        return false;
    }
}

The problem is the password value: does anyone know how it is hashed?

+2




3 answers


If you have two ASP.NET applications on the same IIS server you can do SSO this way. I asked this question and answered it myself here.

Once you have both applications pointing to your asp_membership database by placing the following in the system.web section of your web.config:

<authentication mode="Forms" />
<membership>
  <providers>
    <clear/>
    <add name="AspNetSqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="membership"
         applicationName="/" />
  </providers>
</membership>
<roleManager enabled="true" />
Make sure both have the same applicationName property.

I was using IIS 6, so I configured it to auto-generate a machine key for both applications. Since both of these applications are running on the same machine, the key will be identical; this is a critical part for SSO to work. After setting up IIS, the following was added to my web.config:

<machineKey decryptionKey="AutoGenerate" validation="SHA1" validationKey="AutoGenerate" />


That's all. Once that is done, I can log into app1 and then go to app2 and keep the security credentials.

+1




The problem is the value of the password, does anyone know how the password is hashed?

Yes you do! Check your web.config file for the following:

<membership defaultProvider="MembershipSqlProvider" userIsOnlineTimeWindow="15">
  <providers>
    <add name="MembershipSqlProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=1.2.3400.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         PasswordFormat="Hashed" />
  </providers>
</membership>
PasswordFormat is what you are looking for. It can have the following three values:

  • Clear

  • Encrypted

  • Hashed

And Microsoft sets the default for PasswordFormat to Hashed.

0


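The question's code and the answer above both turn on how SqlMembershipProvider stores a password when PasswordFormat is Hashed. As an added example (not code from the question or from any of the answers), the following C# reproduces that storage format for the provider's default hash algorithm, SHA1: the provider keeps a random salt, base64-encoded, in aspnet_Membership.PasswordSalt, and stores Base64(SHA1(saltBytes || UTF-16LE(password))) in aspnet_Membership.Password. It then looks the user up with a parameterised query and compares the recomputed hash with the stored one. The connection-string name "membership", the class and method names, and the decision to reject non-Hashed rows are assumptions made for this example.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the question or the answers. Assumes a
// connection string named "membership" pointing at the standard aspnet_* tables.
public static class MembershipCheck
{
    // Reproduce the SqlMembershipProvider "Hashed" format for the default
    // hashAlgorithmType (SHA1): Base64( SHA1( saltBytes + UTF-16LE(password) ) ).
    // saltBase64 is the value stored in aspnet_Membership.PasswordSalt.
    public static string HashPassword(string password, string saltBase64)
    {
        byte[] salt = Convert.FromBase64String(saltBase64);
        byte[] pwd = Encoding.Unicode.GetBytes(password); // Encoding.Unicode is UTF-16LE
        byte[] all = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, all, salt.Length, pwd.Length);
        using (SHA1 sha1 = SHA1.Create())
        {
            return Convert.ToBase64String(sha1.ComputeHash(all));
        }
    }

    // Compare without stopping at the first differing character, so the time taken
    // does not reveal how much of the stored hash was matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Fetch the stored format, salt and hash with a parameterised query, then compare.
    public static bool CanLogin(string userName, string password)
    {
        const string sql = @"
            select m.PasswordFormat, m.PasswordSalt, m.Password
            from aspnet_Users u
            inner join aspnet_Membership m on m.UserId = u.UserId and m.ApplicationId = u.ApplicationId
            where u.LoweredUserName = @userName and m.IsApproved = 1 and m.IsLockedOut = 0";

        string connStr = ConfigurationManager.ConnectionStrings["membership"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@userName", userName.ToLowerInvariant());
            conn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                if (!rdr.Read()) return false;   // unknown user: same answer as a wrong password
                int format = rdr.GetInt32(0);    // MembershipPasswordFormat: 0 = Clear, 1 = Hashed, 2 = Encrypted
                if (format != 1) return false;   // only the Hashed format is handled in this example
                string salt = rdr.GetString(1);
                string stored = rdr.GetString(2);
                return FixedTimeEquals(HashPassword(password, salt), stored);
            }
        }
    }
}
```

Two points worth keeping in mind when using this directly. First, it explains why the question's original approach cannot work: FormsAuthentication.HashPasswordForStoringInConfigFile produces an unsalted, hex-encoded SHA1, whereas the stored value is a salted, base64-encoded SHA1, so the two strings never match. Second, the provider's own stored procedure also records failed attempts and applies the lockout policy; a manual check like this one bypasses that bookkeeping, so where the application can load the provider, Membership.ValidateUser (as suggested in the next answer) remains the safer call.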


Why not check it automatically via System.Web.Security.Membership.ValidateUser()?

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>    
        <membership defaultProvider="MyMembershipProvider">
            <providers>
                <clear />
                <add name="MyMembershipProvider" type="MyApplication.MyMembershipProvider" connectionStringName="MyConnString" />
            </providers>
        </membership>
    </system.web>
</configuration>


0

