
Closed

Create Member function in the ASP.NET Configuration web tool crashes if hashing passwords

description

Create Member function in the ASP.NET Configuration web tool crashes if hashing passwords (the cryptographic Hash() function crashes for some reason), but it works fine within your application.
I have not been able to find out why this happens because the stack trace is extremely opaque, but it is definitely caused by the cryptographic hashing call. I have tried other hashing methods to no avail. Perhaps it has to do with the security requirements of cryptographic code that the ASP.NET Configuration web tool does not have?
Closed Jul 31, 2011 at 8:44 AM by bradw2k
I found a related bug: I wasn't calling EncodePassword() on the new passwordAnswer in ChangePasswordQuestionAndAnswer(). And based on Sandust's comment, I've changed EncodePassword() and UnEncodePassword() to immediately return an empty string in case null or an empty string is passed in. These changes are in 1.1 and 2.0. In 2.0 I've also added unit tests for a "Hashed" configuration.

comments

Sandust wrote Apr 12, 2009 at 4:04 PM

I found a "solution" to the crash when registering a user using the web tool. I made 2 changes; they don't make much sense, but maybe you could find something out of it:
1 - Changed the <machineKey> (compared to the one in the Web.config_partial_example). Changed it to one generated through this site: http://aspnetresources.com/tools/keycreator.aspx I used the default parameters of the site to generate it.

2 - Changed the "requiresQuestionAndAnswer" variable in the WCSoft.db4oProviders.db4oMembershipProvider class to always be true. This of course raises a lesser problem, all users must have a secret question now.

I'm not sure why these things work, but those changes worked for me.

Also I'm using Db4objects.Db4o 7.4.60.11658 which is a little newer than the one in the source code, don't think that has anything to do with this issue though.

Sandust wrote Apr 24, 2009 at 12:59 AM

I decided to give it another look since I'm going to start my project now and found where the bug is. When user creation is set to not use secret questions, the User constructor is passed an empty string as the passwordAnswer parameter. When trying to hash the empty string it crashes in the EncodePassword() method used to hash the answer.

I added a check to see if the passwordAnswer parameter was String.Empty, if so I pass null instead of empty and it handles it well.

I dunno how to upload fixes or contribute with the project directly, can someone do that for me? :)

lorenzobattaglia wrote Jul 15, 2009 at 9:13 AM

Why? Change in this
Known issues:
  • Create Member function in the ASP.NET Configuration web tool crashes if hashing passwords (the cryptographic Hash() function crashes for some reason), but it works fine within your application.
I looked in your source code and I have changed this:

in the db4oMembershipProvider.cs

Method: CreateUser

The error was in EncodePassword(passwordAnswer); remove EncodePassword and leave only passwordAnswer:



var user = new User(
                (Guid) providerUserKey,
                username,
                EncodePassword(password),
                email,
                passwordQuestion,
                passwordAnswer, // was EncodePassword(passwordAnswer)
                isApproved,
                "",
                createDate,
                createDate,
                createDate,
                applicationName,
                false,
                createDate,
                0,
                createDate,
                0,
                createDate);


OK?

bradw2k wrote Feb 11, 2011 at 5:59 AM

Thanks for this, I will consider including your change in the next release, which will be on the latest db4o version and .NET 4.0.

Thanks,
Brad

bradw2k wrote Jul 31, 2011 at 8:43 AM

I found a related bug: I wasn't calling EncodePassword() on the new passwordAnswer in ChangePasswordQuestionAndAnswer().

And based on Sandust's comment, I've changed EncodePassword() and UnEncodePassword() to immediately return an empty string in case null or an empty string is passed in.

These changes are in 1.1 and 2.0.

In 2.0 I've also added unit tests for a "Hashed" configuration.


Thanks,
Brad
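The guard described in the comment above, as an added illustration that is not the provider's own code: EncodePassword()/UnEncodePassword() return an empty string for null or empty input, so an empty password answer never reaches the hashing call, and the same helper is reused to verify an answer (which is why ChangePasswordQuestionAndAnswer() must store the new answer encoded). The PasswordFormat enum, the constructed DemoKey, the HMACSHA256 choice and the Matches() helper are assumptions made for this sketch.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical stand-in for the provider's password format setting.
public enum PasswordFormat { Clear, Hashed }

public static class PasswordCodec
{
    // Constructed demo key; a real provider derives this from <machineKey>.
    private static readonly byte[] DemoKey = Encoding.ASCII.GetBytes("demo-validation-key");

    public static string EncodePassword(string value, PasswordFormat format)
    {
        // The crash in this thread: hashing an empty/null password answer.
        // Return early so the cryptographic call never sees empty input.
        if (string.IsNullOrEmpty(value)) return string.Empty;
        if (format == PasswordFormat.Clear) return value;

        using (var hmac = new HMACSHA256(DemoKey))
        {
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.Unicode.GetBytes(value)));
        }
    }

    public static string UnEncodePassword(string stored, PasswordFormat format)
    {
        if (string.IsNullOrEmpty(stored)) return string.Empty;
        if (format == PasswordFormat.Hashed)
            throw new InvalidOperationException("Hashed values cannot be decoded.");
        return stored;
    }

    // Verify a candidate the same way it was stored: encode, then compare
    // encoded-to-encoded in fixed time. Works for a changed answer only if
    // the new answer was also stored via EncodePassword().
    public static bool Matches(string candidate, string stored, PasswordFormat format)
    {
        byte[] a = Encoding.Unicode.GetBytes(EncodePassword(candidate, format));
        byte[] b = Encoding.Unicode.GetBytes(stored ?? string.Empty);
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < Math.Min(a.Length, b.Length); i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

With this guard, a user created without a secret question stores an empty answer and Matches("", "", PasswordFormat.Hashed) returns true, while any non-empty candidate is hashed before comparison.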
