HashPasswordForStoringInConfigFile known issues?


Hermit Dave

Hi,

As you all probably know.. I am using forms authentication on a site... I
used a specific machine key etc. to enable cross-domain authentication, which
I no longer use.
The interesting thing is that if I register.... it's fine.. I can log in.
But my client and a friend of hers tried to log in and the hash generated is
different. Thought that maybe she typed in the wrong password or something,
but it's happened all too many times now..

Was wondering if there are any known issues

// This is from my web.config (which could be a cause but I am not sure)

<machineKey
    validationKey='B469A89B66AAC6B403C8F49C9020B7C026C1AE7388C49FC4FF8B4DEDB74568BEEC58A976975F976E8BCD1F563F531E2DCFF9E2E7342CD796722AD58A86500FA1'
    decryptionKey='50042DC9A1DFD69ED71D1E7BEF672F0CB203435E24F1BE45'
    validation='SHA1'/>

<authentication mode="Forms">
    <forms name="STEP.ASPXAUTH"
        loginUrl="Login.aspx"
        timeout="30"
        slidingExpiration="true"
        protection="All"
        path="/" />
</authentication>

--------------------------------------------------------------------------
// This is how I generate the hash before storing it in the db...

myUser.PasswordHash =
    FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text, "md5");

For login I again generate the hash of the supplied password and compare the
hashes... bog standard procedure...

Would be glad for any pointers in the right directions... thanks...

--
Regards,

HD

Once a Geek.... Always a Geek
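
The register/login flow described in this post, as an added example that is not code from the thread (written in Python rather than C# so it runs stand-alone): hash_password_for_storing reproduces what FormsAuthentication.HashPasswordForStoringInConfigFile returns, the MD5 or SHA1 digest of the UTF-8 bytes of the password as an uppercase hex string. The in-memory USERS table, the register/login functions and the diagnose_mismatch helper are constructed here for illustration; the last one lists the benign reasons a stored hash and a freshly computed one can disagree (hash stored in a different case, stray whitespace in the typed value, the other digest algorithm) so they can be ruled out before concluding the password itself was different.

```python
import hashlib
import hmac


def hash_password_for_storing(password: str, fmt: str = "md5") -> str:
    """Reproduce FormsAuthentication.HashPasswordForStoringInConfigFile:
    the digest of the UTF-8 bytes of the password as an uppercase hex string.
    Only "md5" and "sha1" are accepted, as in the .NET API."""
    fmt = fmt.lower()
    if fmt not in ("md5", "sha1"):
        raise ValueError("format must be 'md5' or 'sha1'")
    return hashlib.new(fmt, password.encode("utf-8")).hexdigest().upper()


# Constructed in-memory stand-in for the thread's user table (username -> row).
USERS: dict = {}


def register(username: str, password: str, fmt: str = "md5") -> str:
    """Registration step from the thread: hash the typed password and store it."""
    row = {"PasswordHash": hash_password_for_storing(password, fmt), "Role": "users"}
    USERS[username] = row
    return row["PasswordHash"]


def login(username: str, password: str, fmt: str = "md5") -> bool:
    """Login step from the thread: hash the typed password the same way and
    compare it with the stored hash (constant-time compare)."""
    row = USERS.get(username)
    if row is None:
        return False
    candidate = hash_password_for_storing(password, fmt)
    return hmac.compare_digest(row["PasswordHash"], candidate)


def diagnose_mismatch(stored_hash: str, typed_password: str, fmt: str = "md5") -> list:
    """Constructed helper for the situation in the thread (stored and computed
    hashes differ): rule out benign explanations before concluding the
    password really is different. Returns tags only, never the password."""
    findings = []
    if hmac.compare_digest(stored_hash, hash_password_for_storing(typed_password, fmt)):
        return findings                      # nothing to diagnose, the hashes match
    if stored_hash.upper() == hash_password_for_storing(typed_password, fmt):
        findings.append("case")              # hash stored in lower case, compared case-sensitively
    stripped = typed_password.strip()
    if stripped != typed_password and stored_hash.upper() == hash_password_for_storing(stripped, fmt):
        findings.append("whitespace")        # stray leading/trailing whitespace in the typed value
    other = "sha1" if fmt == "md5" else "md5"
    if stored_hash.upper() == hash_password_for_storing(typed_password, other):
        findings.append("algorithm")         # stored with the other digest than the login uses
    if not findings:
        findings.append("different")         # no benign explanation: the passwords differ
    return findings


if __name__ == "__main__":
    stored = register("demo-user", "correct horse")       # constructed sample account
    print("stored:", stored)
    print("login ok:", login("demo-user", "correct horse"))
    print("login with trailing space:", login("demo-user", "correct horse "))
    print("diagnosis:", diagnose_mismatch(stored, "correct horse "))
```

Two things the example makes explicit that the post leaves implicit: the stored value and the login-time value must be produced by the identical function (same algorithm, same case, same trimming of the input), and the comparison is done with hmac.compare_digest rather than string equality. Note that this API yields an unsalted single-round digest, so the example only reproduces the thread's scheme; it is not a password-storage recommendation.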
 
Hi Hermit

Thank you for the response. Regarding the issue, I am
finding the proper resource to assist you and we will update as soon as possible.


Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security (This posting is provided "AS IS",
with no warranties, and confers no rights.)
 
Steven,

Okay here's how it exactly happens...
I have these admin pages that are used to add/update products...
now that is protected using forms authentication.

In the db I have a table with 2 roles.. users and admin.
When a user registers the default role assigned is that of users;
I manually change the type to admin so that it doesn't throw me out..

Now when I try to access the location where I have set deny to anonymous
users, having set the loginURL to the correct login.aspx page..
I get forwarded and I can login... it's all fine.

Now I need to show it to the client saying look... it's all ready... and I
ask her to register.
She registers... I change a role to admin again,
but she keeps getting thrown out because the hashed passwords don't match.
Happened a few times over and I had to tell her that I will have a look into
it a bit deeper..

If you need any code snippet (I did provide some at the beginning of this
thread) then please do let me know..

All I am doing is registration.. I am generating the hash using
HashPasswordForStoringInConfigFile and storing it in the db.
While logging in I take the entered value, generate the hash using the same
method and pass it to my stored proc.

--
Regards,

HD

Once a Geek.... Always a Geek
 
Just removed the machine keys and slightly changed the way I was
authenticating..
Plus my client had issues with her machine.. asked her to check on a second
machine... and after those changes... it just worked fine..

Thanks Steven..
 
Hi Hermit,

That was an interesting problem! I was trying to reproduce this problem on
my side but couldn't. Anyway, I am glad you have resolved the issue. Good
luck on your project!


Thanks, Arvind R
Microsoft, ASP.Net

This posting is provided "as is" with no warranties, and confers no rights.
 
Arvind,

Okay it all started when I uploaded a few admin pages for my client... she
registered her username and I had to set her up as admin in the db...
I asked her to then log in. It kept giving her invalid username /
password. So I put a trace on the db and asked her to log in.. for some reason the
hash wasn't even close (don't think it would be close in any case).. I know
it's not supposed to happen... because it's a one-way algorithm: xyz equals a
fixed hash.
Just for my sake I actually got her to give me her password and I tried it
myself.. so either she typed in something wrong twice.. or she was just
giving me a hard time.. :)
Removed the machine keys and restructured the way I was passing the values
around (don't have a clue how it behaves beyond the FormsAuthentication
class - might be a good idea to actually decompile some MS assemblies :) )
Anyways... one day I will either way see the code at MS.

Thanks for trying...
 