
Create Member function in the ASP.NET Configuration web tool

Jul 15, 2009 at 10:12 AM

Known issues:
- Create Member function in the ASP.NET Configuration web tool crashes if hashing passwords (the cryptographic Hash() function crashes for some reason), but it works fine within your application.

I looked in your source code and I have changed this:

in the db4oMembershipProvider.cs

Method: CreateUser

The error was in EncodePassword(passwordAnswer); remove EncodePassword and leave only passwordAnswer:



    var user = new User(
                    (Guid) providerUserKey,
                    username,
                    EncodePassword(password),
                    email,
                    passwordQuestion,
                    passwordAnswer, // was EncodePassword(passwordAnswer)
                    isApproved,
                    "",
                    createDate,
                    createDate,
                    createDate,
                    applicationName,
                    false,
                    createDate,
                    0,
                    createDate,
                    0,
                    createDate);


OK?

Jul 31, 2011 at 8:03 AM

Hi, thanks for this suggestion.

My implementation was based on the Microsoft sample code here: http://msdn.microsoft.com/en-us/library/6tc47t75.aspx and they did use EncodePassword() when saving the "PasswordAnswer":

        cmd.Parameters.Add("@Password", OdbcType.VarChar, 255).Value = EncodePassword(password);
        cmd.Parameters.Add("@Email", OdbcType.VarChar, 128).Value = email;
        cmd.Parameters.Add("@PasswordQuestion", OdbcType.VarChar, 255).Value = passwordQuestion;
        cmd.Parameters.Add("@PasswordAnswer", OdbcType.VarChar, 255).Value = EncodePassword(passwordAnswer);

They also use CheckPassword() when checking the "password answer", and that will involve encryption if encryption is configured.  So you may be onto *something*, but I think there will be other problems (with password reset) if the passwordAnswer is not saved with the call to EncodePassword().

By the way, the unit tests will still pass with your change, but that is only because the unit tests run in clear text mode (I don't think it would be easy to get them to run in encrypted mode, due to the way the base provider .NET code reaches out for the encryption key -- not sure how to mock that).

Thanks,
Brad

Jul 31, 2011 at 9:39 AM

I found a related bug: I wasn't calling EncodePassword() on the new passwordAnswer in ChangePasswordQuestionAndAnswer().

Also, based on another suggestion I've changed EncodePassword() and UnEncodePassword() to immediately return an empty string in case null or an empty string is passed in.

These changes are in 1.1 and 2.0.

Thanks,
Brad
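
The following is an added example, not code from this thread or from the project. It illustrates the two points in the replies above: a check that encodes the supplied answer only matches a stored answer that was encoded the same way, and the empty-string guard on EncodePassword(). The class name, the HMAC-SHA256 encoding, the key and the sample answer are all assumptions made for illustration, and the code assumes a current .NET runtime.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stand-in for a membership provider running in hashed mode.
static class AnswerEncodingDemo
{
    // Constructed key; a real provider takes its key from configuration.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key");

    // Same shape as the helper discussed in the thread:
    // null or empty input immediately returns an empty string.
    static string EncodePassword(string value)
    {
        if (string.IsNullOrEmpty(value)) return "";
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(value)));
    }

    // The check encodes the supplied value and compares it with the stored one,
    // so it can only succeed when the stored value went through EncodePassword().
    static bool CheckPassword(string supplied, string stored)
    {
        byte[] a = Encoding.UTF8.GetBytes(EncodePassword(supplied));
        byte[] b = Encoding.UTF8.GetBytes(stored ?? "");
        return CryptographicOperations.FixedTimeEquals(a, b);
    }

    static void Main()
    {
        const string answer = "blue";                  // constructed sample answer

        string storedEncoded = EncodePassword(answer); // saved with EncodePassword()
        string storedRaw = answer;                     // saved without it

        Console.WriteLine("encoded on save, check passes: " + CheckPassword(answer, storedEncoded));
        Console.WriteLine("raw on save, check passes:     " + CheckPassword(answer, storedRaw));
        Console.WriteLine("null encodes to empty string:  " + (EncodePassword(null) == ""));
    }
}
```

In this example an empty stored answer compares equal to an empty supplied answer, because both sides reduce to the empty string, so a caller built this way has to reject empty answers before the comparison.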