Random login error .NET rejecting passwords

I am having a rather unusual issue with a .NET website and user logins.

Now, I am aware the obvious answer is that the user is entering their details incorrectly; however, this is reported not to be the case.

The issue is that a handful of users are reporting that the details that have been sent to them are not working correctly. The login is handled using a SQL lookup of the user's password hash, which is compared to the entered password hash.

When I check the user's login credentials it works perfectly every time without fail; however, when the user tries using the same information the login attempt fails.

Is there any reason that this would happen? Is there something going wrong with the hashing of the user's password that happens intermittently?

It has got me baffled but I need to find a solution.

The code for the login check is:


        // Check password matches database for user
        string saltAndPwd = String.Concat(authPassword, authSalt);
        string hashedPwd = FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPwd, "SHA1");

        if (hashedPwd == authHash)
        {
            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
                /* remaining constructor arguments were cut off in the original post */);

            // Encrypt the ticket.
            string encTicket = FormsAuthentication.Encrypt(ticket);

            // Create the cookie.
            Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));

            // User has logged in
        }
        else
        {
            // Hashes differ: reject the login
            txtResult.Text = "Invalid login credentials!";
        }


Any help or advice would be greatly appreciated.

Lee Redhead, Managing Director, Asked:

Your code looks correct to me. I suspect the issue is with authHash.

To catch the issue, you need to add logging to your code:

Try to duplicate the variables in this line:

 if (hashedPwd == authHash)

to a log file (on the web server).
Lee Redhead, Managing Director, Author Commented:
I am glad it is not me that has made a mistake with the code then. I did think it odd that this is affecting around 5% of all users.

The issue is most likely with authHash but that is the hash that is returned from the DB for the user so as long as they have entered their details correctly then it should allow them in.

My only explanation is that they can not be entering their details correctly but they insist they are.

I have added some code that will log a failed request and the two hashes so I can see if the issue is caused by a failure in the system and not just user error.

Tomorrow morning will tell.

Thank you.
Vikram Singh Saini, Software Engineer cum AD Developer, Commented:
"My only explanation is that they can not be entering their details correctly but they insist they are."

Let's test if it is true -

Log the user's entered credentials (username and password) in plain format and also log the hashed format for the same.
Get a list of some of the users who were reporting that it is failing.
Now, for those users, check whether their entered credentials and the hashed information are exactly the same each time as in the database.

Now I'm suspecting (although not sure) that the hashing is not working properly. So you might ask why it is working for some and not for others. It is because hashing is not working the same way each time as it should be (again, an assumption).


Lee Redhead, Managing Director, Author Commented:
Looking into this a bit further, it would seem that there were occasions where the users were entering the completely wrong password. In some cases, even though a password was emailed to them with instructions on copying and pasting and that it was case sensitive, they would be using passwords that they had set for other systems.

It required adding some code to record the hash of the entered password for failed attempts for 24 hours, and users that reported issues had totally different hashes to the one stored.

Thanks for the advice. It turns out that sending step-by-step instructions on logging in to a system is no guarantee that they will actually follow those instructions, and taking their word for it is not always reliable either.
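
The diagnosis described in this thread can also be made without writing the password or its hash to a log. The following is an added example, not part of the original thread or the poster's code: it classifies a failed attempt (surrounding whitespace from copy and paste, inverted case from Caps Lock, or a different password altogether) and produces a keyed tag that shows whether a user keeps retrying the same wrong value. `LoginDiagnostics`, `Classify`, `AttemptTag`, `Mismatch` and the log key are hypothetical names, and the sample salt and passwords are constructed.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public enum Mismatch { None, WhitespaceAround, CaseInverted, DifferentPassword }
public static class LoginDiagnostics
{
    static string Hex(byte[] b) => BitConverter.ToString(b).Replace("-", "");
    // Same scheme as the posted check: upper-case hex SHA-1 of UTF-8(password + salt).
    static string Hash(string password, string salt)
    {
        using (var sha1 = SHA1.Create())
            return Hex(sha1.ComputeHash(Encoding.UTF8.GetBytes(password + salt)));
    }
    // Compares every character so timing does not depend on where the hashes differ.
    static bool SameHash(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    static string InvertCase(string s) => new string(s.Select(c =>
        char.IsUpper(c) ? char.ToLowerInvariant(c) : char.ToUpperInvariant(c)).ToArray());

    // Names the kind of mismatch so neither the password nor its hash has to be logged.
    public static Mismatch Classify(string entered, string salt, string storedHash)
    {
        if (SameHash(Hash(entered, salt), storedHash)) return Mismatch.None;
        if (SameHash(Hash(entered.Trim(), salt), storedHash)) return Mismatch.WhitespaceAround;
        if (SameHash(Hash(InvertCase(entered), salt), storedHash)) return Mismatch.CaseInverted;
        return Mismatch.DifferentPassword;
    }
    // Keyed tag: identical wrong entries share a tag, but it cannot be guessed against without logKey.
    public static string AttemptTag(string entered, string salt, byte[] logKey)
    {
        using (var hmac = new HMACSHA256(logKey))
            return Hex(hmac.ComputeHash(Encoding.UTF8.GetBytes(Hash(entered, salt)))).Substring(0, 12);
    }
    public static void Main()
    {
        string salt = "c0ffee", stored = Hash("Xk7-pQ2m", salt); // constructed sample values
        byte[] key = Encoding.UTF8.GetBytes("demo-log-key");     // hypothetical log key
        foreach (string attempt in new[] { "Xk7-pQ2m", " Xk7-pQ2m", "xK7-Pq2M", "Summer2019" })
            Console.WriteLine("{0} tag={1}", Classify(attempt, salt, stored), AttemptTag(attempt, salt, key));
    }
}
```

Only the category and the tag need to go into the failed-attempt log. Salted SHA-1 appears here solely to match the scheme in the posted code.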
Vikram Singh Saini, Software Engineer cum AD Developer, Commented:
It's good to know that, at last, you were able to dig out the true cause of the weird issue.

Based on my coding experience, I never rely on a user's word for software or a website until I confirm it my way.
Lee Redhead, Managing Director, Author Commented:
I think it was because we had about 15 or 20 people with the same issue. I kind of assumed that that number would be a fault and not just a lot of users not following instructions.

I shall be less naive in the future I think.