Mark Klein

asked on

password validation for createuserwizard

I am using the createuserwizard but password validation is not working. I am using a regular expression to check for strong passwords, but new users can enter weak passwords without generating an error.
register.aspx
Deepak Lakkad

Hi,

I think you have to use a little JavaScript to validate a strong password.

Try the following link for that:

http://www.codeproject.com/Tips/386385/Strong-Password-Validation

- Deepak Lakkad

ASKER

While your suggested method will likely work, I don't think it is necessary or the only way.  I am trying to stay within the methodology of the Visual Studio CreateUserWizard and your suggested solution does not.
Hi

Yes, you are right that this is not the only way of doing your work.

But I have put a solution for you ...

It is up to you whether you use it or not.

- Deepak Lakkad
Deepak, I appreciate your suggestion.  My difficulty is that I'm a newbie, an old geezer returning to programming after 50 years away. While I have picked up some javascript skills, I am unfamiliar with web methods and ajax.  That's why I'm using the createuserwizard that's part of VS.
Take a look at my website at www.lucidequipment.com and see the registration code.  That section accepts passwords that don't meet the Sql Server policy requirements, but creates the users nevertheless, causing me big problems.

--Mark
Hi Mark,

Nice work,

I will check for the solution and give it to you. But for that you will have to wait for a day ...

- Deepak Lakkad
much appreciated, Deepak.  A faster version is at 54.235.245.110, but I have not yet switched the DNS to the new site.
Here's the latest version of the code.  I have regular expressions in two places; only one should be needed.  Also, I've removed explicit ValidationGroup properties and am using the default b/c I saw some references to these causing execution problems.
 <asp:CreateUserWizard ID="NewUserWizard" runat="server" 
        passwordregularexpression='@\"(?:.{8,})(?=(.*\d){1,})(?=(.*\W){1,})'
        passwordregularexpressionerrormessage="Your password must be at least 8 characters long, and contain at least one number and one special, non-alphanumeric character."   
        ContinueDestinationPageUrl="~/default.aspx" BackColor="#F7F6F3" 
        BorderColor="#E6E2D8" BorderStyle="Solid" BorderWidth="1px" align="center"
        Font-Names="Verdana" Font-Size="0.8em" AutoGeneratePassword="True">
        <ContinueButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" 
            BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana" 
            ForeColor="#284775" />
        <CreateUserButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" 
            BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana" 
            ForeColor="#284775" />
        <TitleTextStyle BackColor="#5D7B9D" Font-Bold="True" ForeColor="White" />
    <WizardSteps>
        <asp:CreateUserWizardStep runat="server" >
            <ContentTemplate>
                <table style="font-family:Verdana;font-size:100%;" align="center">
                    <tr>
                        <td align="right" colspan="2" 
                            style="color:White;background-color:#5D7B9D;font-weight:bold;">
                            Sign Up for Your New Account</td>
                    </tr>
                    <tr>
                        <td align="right">
                            <asp:Label ID="UserNameLabel" runat="server" AssociatedControlID="UserName">User Name:</asp:Label>
                        </td>
                        <td align="right">
                            <asp:TextBox ID="UserName" runat="server" ToolTip="Pick a user name"></asp:TextBox>
                            <asp:RequiredFieldValidator ID="UserNameRequired" runat="server" 
                                ControlToValidate="UserName" ErrorMessage="User Name is required." 
                                ToolTip="User Name is required.">*</asp:RequiredFieldValidator>
                        </td>
                    </tr>
                    <tr>
                        <td align="right">
                            <asp:Label ID="PasswordLabel" runat="server" AssociatedControlID="Password">Password:</asp:Label>
                        </td>
                        <td align="right">
                            <asp:RegularExpressionValidator 
                                ID="RegularExpressionValidator1" runat="server" 
                                ControlToValidate="Password"
                                validationExpression="(?=^.{8,}$)(?=.*\d)(?=.*\W+)(?![.\n]).*$"
                                ErrorMessage="Your password must be 8 characters long, and contain at least one number and one special character.">
                            </asp:RegularExpressionValidator>
                            <asp:TextBox ID="Password" runat="server" Tooltip="Must be at least 8 characters long and must include at least 1 non-alphanumeric character such as @, #, $, %, &" TextMode="Password"></asp:TextBox>
                            <asp:RequiredFieldValidator ID="PasswordRequired" runat="server" 
                                ControlToValidate="Password" ErrorMessage="Your password must be 8 characters long, and contain at least one number and one special character."   
                                ToolTip="Password is required.">*</asp:RequiredFieldValidator>
                             </td>
                    </tr>
                    <tr>
                        <td align="right">
                            <asp:Label ID="ConfirmPasswordLabel" runat="server" 
                                AssociatedControlID="ConfirmPassword">Confirm Password:</asp:Label>
                        </td>
                        <td align="right">
                            <asp:TextBox ID="ConfirmPassword" runat="server" TextMode="Password"></asp:TextBox>
                            <asp:RequiredFieldValidator ID="ConfirmPasswordRequired" runat="server" 
                                ControlToValidate="ConfirmPassword" 
                                ErrorMessage="Confirm Password is required." 
                                ToolTip="Confirm Password is required.">*</asp:RequiredFieldValidator>
                        </td>
                    </tr>
                    <tr>
                        <td align="right">
                            <asp:Label ID="EmailLabel" runat="server" AssociatedControlID="Email">E-mail:</asp:Label>
                        </td>
                        <td align="right">
                            <asp:TextBox ID="Email" runat="server"></asp:TextBox>
                            <asp:RequiredFieldValidator ID="EmailRequired" runat="server" 
                                ControlToValidate="Email" ErrorMessage="E-mail is required." 
                                ToolTip="E-mail is required.">*</asp:RequiredFieldValidator>
                        </td>
                    </tr>
                    <tr>
                        <td align="right">
                            <asp:Label ID="QuestionLabel" runat="server" AssociatedControlID="Question">Security Question:</asp:Label>
                        </td>
                        <td align="right">
                            <asp:TextBox ID="Question" runat="server" ToolTip="For example, 'favorite team'"></asp:TextBox>
                            <asp:RequiredFieldValidator ID="QuestionRequired" runat="server" 
                                ControlToValidate="Question" ErrorMessage="Security question is required." 
                                ToolTip="Security question is required.">*</asp:RequiredFieldValidator>
                        </td>
                    </tr>
                    <tr>
                        <td align="right">
                            <asp:Label ID="AnswerLabel" runat="server" AssociatedControlID="Answer">Security Answer:</asp:Label>
                        </td>
                        <td align="right">
                            <asp:TextBox ID="Answer" runat="server"></asp:TextBox>
                            <asp:RequiredFieldValidator ID="AnswerRequired" runat="server" 
                                ControlToValidate="Answer" ErrorMessage="Security answer is required." 
                                ToolTip="Security answer is required.">*</asp:RequiredFieldValidator>
                        </td>
                    </tr>
                    <tr>
                        <td align="right" colspan="2">
                            <asp:CompareValidator ID="PasswordCompare" runat="server" 
                                ControlToCompare="Password" ControlToValidate="ConfirmPassword" 
                                Display="Dynamic" 
                                ErrorMessage="The Password and Confirmation Password must match.">
                            </asp:CompareValidator>
                            <regularexpressionvalidator
                                ID="passwordValidator" runat="server" controltovalidate="Password"
                                text="improper password"
                                validationExpression="(?=^.{8,}$)(?=.*\d)(?=.*\W+)(?![.\n]).*$"
                                ErrorMessage="Your password must be 8 characters long, and contain at least one number and one special character." >
                            </regularexpressionvalidator>
                       
                        </td>
                    </tr>
                    <tr>
                        <td align="right" colspan="2" style="color:Red;">
                            <asp:Literal ID="ErrorMessage" runat="server" EnableViewState="False"></asp:Literal>
                        </td>
                    </tr>
                </table>
            </ContentTemplate>
        </asp:CreateUserWizardStep>
        
        <asp:WizardStep ID="chooseRoleName" runat="server" StepType="Step" 
            Title="Choose Role">
            <asp:DropDownList ID="DropDownChooseRole" runat="server" 
                DataSourceID="LinqDataSource1" DataTextField="RoleName" 
                DataValueField="RoleID" AutoPostBack="True">
            </asp:DropDownList>
        </asp:WizardStep>
        <asp:CompleteWizardStep runat="server" />

    </WizardSteps>
        <HeaderStyle BackColor="#5D7B9D" BorderStyle="Solid" Font-Bold="True" 
            Font-Size="0.9em" ForeColor="White" HorizontalAlign="Center" />
        <NavigationButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" 
            BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana" 
            ForeColor="#284775" />
        <SideBarButtonStyle BorderWidth="0px" Font-Names="Verdana" ForeColor="White" />
        <SideBarStyle BackColor="#5D7B9D" BorderWidth="0px" Font-Size="0.9em" 
            VerticalAlign="Top" />
        <StepStyle BorderWidth="0px" />

</asp:CreateUserWizard>


Does it make any difference if you move the regexvalidator to after the textbox declaration?
I have tried it in several places w/o any effect
And does it work if you remove the required field validator?
Haven't tried that.  My understanding is that the RequiredFieldValidator (which is working) checks to see that the field is not empty.  The RegularExpressionValidator checks to see if the entered string matches (in this case) the requirements of the password policy.
Hi,

You can use multiple regular expressions to validate the password.

I was looking for a solution for your query and found one link which uses the above-mentioned concept.  Please refer to it.

http://www.informit.com/articles/article.aspx?p=101137&seqNum=3

Refer to the "Listing 3.6 RegularExpressionValidatorPassword.aspx" section at the above link.

I am sure it will be helpful to you ...

- Deepak Lakkad
Deepak, thanks for your efforts and help.
I'm sure you looked at my code and saw that I am already using a regular expression--just one, not multiple ones.  Perhaps the multiple expression that I am already using is incorrect.  I'll go back and look at that.

However I suspect that the problem is not in the regular expression. The createuserwizard properly traps several errors such as missing entries or previously used email addresses (that error may be coming from the Sql Server Membership table). It traps a 'confirm password' that doesn't match the originally entered password, so it must be using a confirm validator behind the scenes.  It's just not using a regular expression validator on the password.

I'll change the regular expression to something really simple that just checks the length of the password to see if that fires.  But one key question is exactly what fires the validators.  In the code example you reference, there is a script, presumably running in the code-behind file, that does the work, presumably.  For my app, I assume (dangerous, I know) that the 'create user' button at the bottom of the form does the equivalent job.  My code-behind file, attached, has nothing about this.

I'm going to simplify the regular expression now to see if it fires at all.
register.aspx.vb
Visible progress!

"visible" is the key word.  I still have just one regular expression, but I changed the Display property from the default to 'Dynamic' and the entry is validating.  I still have other problems, but stay tuned.
Some kind of validation is happening within the createUserWizard, but I can't find the validator. The error message is:

"Password length minimum: 7. Non-alphanumeric characters required: 1."

Now I've got a regular expression validator on the registration page with an error message, and another regex in web config, but nowhere do I have that error message.  Maybe it's coming from the Membership provider table in my Sql Server db.

Regardless, I can't seem to create a user b/c I can't get the password validated.  Help, please.
Some progress:
The unknown error message is, I believe, auto-generated from settings in the Membership section of web.config file. I have adjusted that file, including setting the regex for passwordstrengthregularexpression to null.  Now I can create a login w/o getting errors if I meet the requirements--7 or more chars, 1 non-alpha--that I've set.

However I am back to where I started w/ login problems.  See my still open question about creating a login and then not being able to use it. The Membership table shows a valid, not locked out user, but I get a password error when attempting to login.
This is still broken, but the error is easily repeated, very consistently.  Here are the steps to replicate the problem:
1. go to the website at 54.235.245.110 and register as a new user
2. After registration, I have LoginCreatedUser set to false for debugging convenience, so you are logged out. Try to login to your newly created account with the password you created.
3. Login fails.  This is the error I am trying to fix.
4. Ask for a new password, which will come to you by email.  Use it to log into the app, which will work.
5. Once you are logged in, use the Change Password button on the upper right to reset your password to the one you originally used, but now not working.
6. Log out, then log back in with original password.  It now works.
Now that my app is public and available for test at 54.235.245.110, and that the steps to replicate the problem consistently are posted in the previous comment, I itemize here the three places that I've found where the password might be validated:
1. In the CreateUserWizard properties, where there are two pertinent properties:
passwordregularexpression='@\"(?:.{8,})(?=(.*\d){1,})(?=(.*\W){1,})'
 passwordregularexpressionerrormessage="Your password must be at least 8 characters long, and contain at least one number and one special, non-alphanumeric character."   


2. Using a regex validator in register.aspx:
<regularexpressionvalidator
                                ID="passwordValidator" runat="server" controltovalidate="Password"
                                text="improper password"
                                validationExpression="(?=^.{8,}$)(?=.*\d)(?=.*\W+)(?![.\n]).*$"
                                ErrorMessage="Your password must be 8 characters long, and contain at least one number and one special character." >
</regularexpressionvalidator>



3. In the web.config code, in the Membership section
 <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="45">
      <providers>
        <clear/>  
        <add 
          connectionStringName="lucidequipmentConnectionString" 
          applicationName="Website3"
          enablePasswordRetrieval="false" 
          enablePasswordReset="true" 
          requiresQuestionAndAnswer="true"
          requiresUniqueEmail="true" 
          passwordFormat="Hashed"
          minRequiredPasswordLength="8"
          minRequiredNonalphanumericCharacters="1"
          passwordStrengthRegularExpression='@\"(?:.{7,})(?=(.*\d){1,})(?=(.*\W){1,})'
          name="SqlProvider" 
          type="System.Web.Security.SqlMembershipProvider"
          />
      </providers>
    </membership>



I have been experimenting with each of these sections, but have no real idea which ones take priority. The regex validator has the most immediate control over user input. My Sql Server db with the Membership table (and the whole app) are hosted on Amazon Web Services.  I'm not even sure of the SS password policy, but have been entering strong passwords with multiple character types.  Regardless, the register app is not working.
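
The three patterns itemized above can be compared by running them against a few passwords. This is an added example, not code from the thread: helper names and sample passwords are constructed, and the two helpers model assumed evaluation rules (RegularExpressionValidator passes blank input and otherwise requires the whole value to match; the membership provider accepts a password if the pattern matches anywhere in it). `CANDIDATE_RE` is one hypothetical pattern for the rule stated in the error message.

```javascript
// Added example. Sample passwords and helper names are constructed/hypothetical.
// Patterns are copied from the thread. Markup and web.config attribute values are
// read literally, so the leading @\" is part of the regex: a literal @ then a ".
const WIZARD_RE = /@\"(?:.{8,})(?=(.*\d){1,})(?=(.*\W){1,})/;    // CreateUserWizard property
const CONFIG_RE = /@\"(?:.{7,})(?=(.*\d){1,})(?=(.*\W){1,})/;    // web.config membership
const VALIDATOR_RE = /(?=^.{8,}$)(?=.*\d)(?=.*\W+)(?![.\n]).*$/; // register.aspx validator
// Hypothetical pattern for "at least 8 characters, one number, one special character".
const CANDIDATE_RE = /^(?=.{8,}$)(?=.*\d)(?=.*\W).*$/;

// Assumed RegularExpressionValidator rule: blank input passes (that is the
// RequiredFieldValidator's job); otherwise the match must span the whole value.
function validatorAccepts(re, value) {
  if (value.trim().length === 0) return true;
  const m = re.exec(value);
  return m !== null && m.index === 0 && m[0].length === value.length;
}

// Assumed provider rule: the password passes if the pattern matches anywhere in it.
function providerAccepts(re, password) {
  return re.test(password);
}

// Constructed sample passwords.
const SAMPLES = ['Str0ng!pass', 'password', 'passw0rd_', '.Str0ng!pw',
                 '@"abcdefg1!', '@"Str0ng!pass', ''];

// One row per password: which of the four patterns accept it.
function evaluate(samples = SAMPLES) {
  return samples.map((pw) => ({
    password: pw,
    validator: validatorAccepts(VALIDATOR_RE, pw),
    candidate: validatorAccepts(CANDIDATE_RE, pw),
    wizard: providerAccepts(WIZARD_RE, pw),
    config: providerAccepts(CONFIG_RE, pw),
  }));
}

console.table(evaluate());
```

In this model the two `@\"`-prefixed patterns reject `Str0ng!pass` because they require a literal `@"` in the password, and since `(?:.{7,})` consumes characters instead of looking ahead, the digit and symbol must come after them. `passw0rd_` fails every pattern because `_` is a word character and is not matched by `\W`.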
ASKER CERTIFIED SOLUTION
Mark Klein
never solved, needed to restate