decrypting a password for use with the login control V2

I'm using the login control in conjunction with the createuserwizard control in V2.  I've created a user through the wizard control and now I want to log in under that user.  I've checked the DB and the user is being added in the membership table under the adventureworks DB.

I would like to get some sample code that would show me some methods of how to do this.

my current code is shown below.  however I suspect in order to read the password from the membership table I have to decrypt it first before it can be read.

Current code:

protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        bool Authenticated = false;
        Authenticated = SiteLevelCustomAuthenticationMethod(Login1.UserName, Login1.Password);
        e.Authenticated = Authenticated;
        if (Authenticated == true)
        {
            Response.Redirect("default.aspx");
        }

    }

 private bool SiteLevelCustomAuthenticationMethod(string UserName, string Password)
    {
        bool boolReturnValue = false;
        string strConnection = "server=comp2-28;Data Source=comp2-28;initial catalog=AdventureWorks;user id=se;password=Zaq!xsw2";
        SqlConnection Connection = new SqlConnection(strConnection);
        String strSQL = "Select * From aspnet_membership where username = UserName";
        SqlCommand command = new SqlCommand(strSQL, Connection);
        SqlDataReader Dr;
        Connection.Open();
        Dr = command.ExecuteReader();
        while (Dr.Read())
        {
            if ((UserName == Dr["username"].ToString()) & (Password == Dr["PasswordAnswer"].ToString()))
            {
                boolReturnValue = true;
            }
            Dr.Close();
            return boolReturnValue;
        }
    }

I haven't started implementing this yet because i suspect the password vairable from login1 and the encrypted passwordanswer in the sql won't match due to encryption.  I've found the decrptpassword method but little examples on how to use it for C#.

public override string GetPassword (
      string username,
      string passwordAnswer

my question is; does the password in sql need to be decrypted first before it can be compared to the password in the login1 control, if so how is the decryptpassword method used to do so?  The select statement I suspect would return the encrypted value which would not compare to the string value;  if ((UserName == Dr["username"].ToString()) & (Password == Dr["PasswordAnswer"].ToString()))

How could I change this to work.  any suggestions are greatly appreciated.
Steve7423Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Arthur_WoodCommented:
I suspect that if the password has been stored in an 'encrypted' form, that has been done with an IRREVERSIBLE hash - meaning that you cannot 'decrypt' the stored password.  You would 'encrypt' using the same Hash code, the supplied password, and then compare that encrypted version of the user supplied password with the stored password in the database - if they match - they match, and the user supplied the correct password on logging in. other wise they don't match, and the user did NOT supply the correct password, on logging in.

This is MUCH more secure than 'decrypting' the stored password - if your code could decrypt it, then potentailly ANYONE could do the same.

AW
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Steve7423Author Commented:
what's happening now is that the createuserwizard control is managing the encryption.

my web config:

 <machineKey
        validationKey='CAD3B0AAF2448AAECE74E68DAC2295C187003798FE9A2D9F099497F8DCED22653EC1D2B695576E88E9DF2AEE1F28E84532A73C12C1DF5575497D383F38A96E25'  
        decryptionKey='86708E878661F3D61A1813D7BA38B8507788424700263CBC'  
        validation='SHA1'/>

without this element the security config wizard causes errors and therefore unable to create roles or users for the web site.

would I use this decrypting key to decrypt the PW in the DB?  if so how??

as shown above; in order to compare the entry with the record in the DB,
String strSQL = "Select * From aspnet_membership where username = UserName" and passwordanswer = password.

the decryption of the password should take place prior to the select statement.
seudo code:
Eg: decr_PW = decryptpassword(login1.password)
String strSQL = "Select * From aspnet_membership where username = UserName" and passwordanswer = decr_PW

As I'm realatively new to ASP and the new controls in 2005 what's the way most people manage security and logins via login control?

Steve.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ASP.NET

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.