Solved

decrypting a password for use with the login control V2

Posted on 2006-04-19
Last Modified: 2012-06-27
I'm using the login control in conjunction with the createuserwizard control in V2.  I've created a user through the wizard control and now I want to log in under that user.  I've checked the DB and the user is being added in the membership table under the adventureworks DB.

I would like to get some sample code that would show me some methods of how to do this.

My current code is shown below. However, I suspect that in order to read the password from the membership table I have to decrypt it first before it can be read.

Current code:

protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
    bool Authenticated = false;
    Authenticated = SiteLevelCustomAuthenticationMethod(Login1.UserName, Login1.Password);
    e.Authenticated = Authenticated;
    if (Authenticated == true)
    {
        Response.Redirect("default.aspx");
    }
}

// Requires "using System.Data.SqlClient;" at the top of the code-behind file.
private bool SiteLevelCustomAuthenticationMethod(string UserName, string Password)
{
    bool boolReturnValue = false;
    string strConnection = "server=comp2-28;Data Source=comp2-28;initial catalog=AdventureWorks;user id=se;password=Zaq!xsw2";
    SqlConnection Connection = new SqlConnection(strConnection);
    // As posted: UserName inside the string literal is SQL text, not the C# parameter.
    String strSQL = "Select * From aspnet_membership where username = UserName";
    SqlCommand command = new SqlCommand(strSQL, Connection);
    SqlDataReader Dr;
    Connection.Open();
    Dr = command.ExecuteReader();
    while (Dr.Read())
    {
        if ((UserName == Dr["username"].ToString()) & (Password == Dr["PasswordAnswer"].ToString()))
        {
            boolReturnValue = true;
            break;
        }
    }
    // Close the reader and connection after the loop so that every code path returns a value.
    Dr.Close();
    Connection.Close();
    return boolReturnValue;
}

I haven't started implementing this yet because I suspect the password variable from login1 and the encrypted passwordanswer in the SQL won't match due to encryption.  I've found the decryptpassword method but few examples on how to use it for C#.

public override string GetPassword (
      string username,
      string passwordAnswer
)

My question is: does the password in SQL need to be decrypted first before it can be compared to the password in the login1 control? If so, how is the decryptpassword method used to do so?  The select statement, I suspect, would return the encrypted value, which would not compare to the string value:  if ((UserName == Dr["username"].ToString()) & (Password == Dr["PasswordAnswer"].ToString()))

How could I change this to work?  Any suggestions are greatly appreciated.
Question by:Steve7423
Accepted Solution

by:
Arthur_Wood earned 500 total points
ID: 16490150
I suspect that if the password has been stored in an 'encrypted' form, that has been done with an IRREVERSIBLE hash - meaning that you cannot 'decrypt' the stored password.  You would 'encrypt' using the same Hash code, the supplied password, and then compare that encrypted version of the user-supplied password with the stored password in the database - if they match - they match, and the user supplied the correct password on logging in. Otherwise they don't match, and the user did NOT supply the correct password on logging in.

This is MUCH more secure than 'decrypting' the stored password - if your code could decrypt it, then potentially ANYONE could do the same.

AW
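
The hash-and-compare check described in the accepted answer, as an added example that is not part of the original thread. It uses PBKDF2 (Rfc2898DeriveBytes) with a random salt to illustrate the principle and is not the membership provider's own storage format; the class name, iteration count and sample passwords are constructed for the illustration.

```csharp
using System;
using System.Security.Cryptography;

// Added illustration: names, iteration count and sample passwords are constructed.
static class HashAndCompare
{
    const int Iterations = 100000;   // assumed work factor for this example

    // One-way derivation: the same password and salt always give the same hash,
    // but the hash cannot be turned back into the password.
    public static byte[] Hash(string password, byte[] salt)
    {
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(
            password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(32);
        }
    }

    // Login check: re-hash the submitted password with the stored salt and
    // compare it with the stored hash. Nothing is ever decrypted.
    public static bool Verify(string submitted, byte[] storedSalt, byte[] storedHash)
    {
        byte[] candidate = Hash(submitted, storedSalt);
        int diff = candidate.Length ^ storedHash.Length;
        for (int i = 0; i < candidate.Length && i < storedHash.Length; i++)
        {
            diff |= candidate[i] ^ storedHash[i];   // no early exit on first mismatch
        }
        return diff == 0;
    }

    static void Main()
    {
        // Constructed stand-in for one stored user row: salt and hash only.
        byte[] salt = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        byte[] stored = Hash("correct horse battery", salt);

        Console.WriteLine("right password accepted: " + Verify("correct horse battery", salt, stored));
        Console.WriteLine("wrong password accepted: " + Verify("incorrect guess", salt, stored));
    }
}
```

In an application that uses the ASP.NET membership provider, `Membership.ValidateUser(userName, password)` performs this comparison inside the provider, so the login code never has to read the password columns itself.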

Author Comment

by:Steve7423
ID: 16499115
What's happening now is that the createuserwizard control is managing the encryption.

My web config:

 <machineKey
        validationKey='CAD3B0AAF2448AAECE74E68DAC2295C187003798FE9A2D9F099497F8DCED22653EC1D2B695576E88E9DF2AEE1F28E84532A73C12C1DF5575497D383F38A96E25'  
        decryptionKey='86708E878661F3D61A1813D7BA38B8507788424700263CBC'  
        validation='SHA1'/>

Without this element the security config wizard causes errors and I am therefore unable to create roles or users for the web site.

Would I use this decrypting key to decrypt the PW in the DB?  If so, how?

As shown above, in order to compare the entry with the record in the DB,
String strSQL = "Select * From aspnet_membership where username = UserName" and passwordanswer = password.

The decryption of the password should take place prior to the select statement.
Pseudo code:
Eg: decr_PW = decryptpassword(login1.password)
String strSQL = "Select * From aspnet_membership where username = UserName" and passwordanswer = decr_PW

As I'm relatively new to ASP and the new controls in 2005, what's the way most people manage security and logins via the login control?

Steve.
Question has a verified solution.
