Lee Redhead (United Kingdom) asked:

Random login error .NET rejecting passwords

I am having a rather unusual issue with a .NET website and user logins.

Now I am aware the obvious answer is that the user is entering their details incorrectly; however, this is reported to not be the case.

The issue is that a handful of users are reporting that the details that have been sent to them are not working correctly. The login is handled using a SQL lookup of the user's password hash, which is compared to the hash of the entered password.

When I check the user's login credentials it works perfectly every time without fail; however, when the user tries using the same information the login attempt fails.

Is there any reason that this would happen? Is there something going wrong with the hashing of the user's password that happens intermittently?

It has got me baffled but I need to find a solution.

The code for the login check is:

using System;
using System.Web;
using System.Web.Security;

// Runs in the login page's code-behind: authUser, authPassword and authType
// are page-level values, txtResult is a label control, and authSalt and
// authHash are the salt and stored hash returned by the SQL lookup for the
// user (the lookup code itself is not shown here).

// Check password matches database for user
string saltAndPwd = String.Concat(authPassword, authSalt);
string hashedPwd = FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPwd, "SHA1");

if (hashedPwd == authHash)
{
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1,                              // ticket version
        authUser,                       // user name
        DateTime.Now,                   // issue date
        DateTime.Now.AddMinutes(30),    // expiration
        false,                          // not a persistent cookie
        authType,                       // user data (account type)
        FormsAuthentication.FormsCookiePath);

    // Encrypt the ticket.
    string encTicket = FormsAuthentication.Encrypt(ticket);

    // Create the cookie.
    Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));

    // User has logged in
}
else
{
    txtResult.Text = "Invalid login credentials!";
}



Any help or advice would be greatly appreciated.

Lee
unknown_routine (United States) replied:

Your code looks correct to me. I suspect the issue is with authHash.

To catch the issue, you need to add logging to your code:

Try to duplicate the variables in this line:

 if (hashedPwd == authHash)

to a log file (on the web server).
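One way to act on that logging suggestion, as an added example that is not code from the thread: it recomputes the hash the way HashPasswordForStoringInConfigFile does (SHA-1 over the UTF-8 bytes, upper-case hex) and, when the exact comparison fails, records both hashes together with which plausible system-side variants would have matched, so a genuinely wrong password can be told apart from a salting, whitespace or hex-case bug. The LoginDiagnostics class, CheckAndLog and the sample salt and passwords are assumed names and constructed values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added diagnostic example, not from the original post. Only hashes and
// lengths are logged; the entered plaintext password is never written out.
static class LoginDiagnostics
{
    // Same output format as HashPasswordForStoringInConfigFile(..., "SHA1").
    public static string Sha1Hex(string input)
    {
        using (var sha1 = SHA1.Create())
        {
            byte[] digest = sha1.ComputeHash(Encoding.UTF8.GetBytes(input));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    // Returns true when the entered password matches storedHash (the value the
    // question reads from SQL as authHash); otherwise emits one log line.
    public static bool CheckAndLog(string user, string entered, string salt,
                                   string storedHash, Action<string> log)
    {
        string computed = Sha1Hex(entered + salt);   // same order as the page's saltAndPwd
        if (computed == storedHash)                  // exact compare, as in the question
            return true;

        // Variants that would indicate a system fault rather than a wrong password.
        var hints = new StringBuilder();
        if (string.Equals(computed, storedHash, StringComparison.OrdinalIgnoreCase))
            hints.Append(" hex-case-differs");
        if (Sha1Hex(entered.Trim() + salt) == storedHash)
            hints.Append(" whitespace-around-password");
        if (Sha1Hex(salt + entered) == storedHash)
            hints.Append(" salt-order-reversed");
        if (Sha1Hex(entered) == storedHash)
            hints.Append(" stored-hash-unsalted");
        if (hints.Length == 0)
            hints.Append(" none (most likely a wrong password)");

        log(string.Format("{0:o} LOGIN-FAIL user={1} stored={2} computed={3} len={4} hints:{5}",
            DateTime.UtcNow, user, storedHash, computed, entered.Length, hints));
        return false;
    }

    static void Main()
    {
        // Constructed sample row: a user whose hash was stored correctly.
        string salt = "k3Xp9", stored = Sha1Hex("Correct-Horse" + salt);
        CheckAndLog("alice", "Correct-Horse", salt, stored, Console.WriteLine);  // true, nothing logged
        CheckAndLog("alice", "Correct-Horse ", salt, stored, Console.WriteLine); // false, whitespace hint
        CheckAndLog("alice", "otherSystemPw", salt, stored, Console.WriteLine);  // false, no variant matched
    }
}
```

HashPasswordForStoringInConfigFile is marked obsolete and a single salted SHA-1 is not a suitable password store for new code; a slow salted KDF such as PBKDF2 (Rfc2898DeriveBytes) is the usual replacement.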
Lee Redhead (asker) replied:

I am glad it is not me that has made a mistake with the code then. I did think it odd that this is affecting around 5% of all users.

The issue is most likely with authHash but that is the hash that is returned from the DB for the user so as long as they have entered their details correctly then it should allow them in.

My only explanation is that they cannot be entering their details correctly, but they insist they are.

I have added some code that will log a failed request and the two hashes so I can see if the issue is caused by a failure in the system and not just user error.

Tomorrow morning will tell.

Thank you.
ASKER CERTIFIED SOLUTION
Vikram Singh Saini (India)

This solution is only available to members of Experts Exchange.

Looking into this a bit further, it would seem that there were occasions where the users were entering the completely wrong password. In some cases, even though a password was emailed to them with instructions on copying and pasting and that it was case sensitive, they would be using passwords that they had set for other systems.

It required adding some code to record the hash of the entered password for failed attempts for 24 hours, and the users that reported issues had totally different hashes to the one stored.

Thanks for the advice; it turns out that sending step-by-step instructions on logging in to a system is no guarantee that they will actually follow those instructions, and taking their word for it is not always reliable either.

It's good to know that at least, in the end, you were able to dig out the true cause of the weird issue.

Based on my coding experience, I never rely on a user's words about software or a website until I confirm it my way.

I think it was because we had about 15 or 20 people with the same issue. I kind of assumed that that number would be a fault and not just a lot of users not following instructions.

I shall be less naive in the future I think.