ASP.NET Membership - Get Password and Password Salt from Membership Table - Hash User ID

I am so close to having this project completed. I need to get the password salt and password from my Membership table in order to compare them with my "OldPasswords" table.

The problem is that the membership provider does not allow me to use the GetPassword method because the password is hashed.

And I cannot get it with a regular SqlConnection, because the UserID is also hashed.

Does anyone know how to hash the user id so that I can put it in the where clause?

Or maybe there is another way to get to this data?

Any help is appreciated.

Thanks,

Steve

+4
2 answers

Steve, UserId is not hashed. Perhaps you are confusing UserName with UserId (ProviderUserKey), which is a Guid.

In the context of your other questions: you should reference this code both in the code used to create the new user, in order to record the hashed password, salt and format, and in OnPasswordChanging, so that you can check / reject / insert.

This will allow you to obtain relevant information for the current user:

    // Requires: using System; using System.Data.SqlClient;
    //           using System.Web.Configuration; using System.Web.Security;
    var user = Membership.GetUser();
    var userId = user.ProviderUserKey; // the Guid key, not a hash
    MembershipPasswordFormat passwordFormat;
    string passwordSalt;
    string password;

    var cstring = WebConfigurationManager.ConnectionStrings["localSqlServer"];
    using (var conn = new SqlConnection(cstring.ConnectionString))
    {
        using (var cmd = conn.CreateCommand())
        {
            // Parameterized lookup of the stored format, salt and password hash
            cmd.CommandText = "select PasswordFormat,PasswordSalt,Password from aspnet_Membership where UserId=@UserId ";
            cmd.Parameters.AddWithValue("@UserId", userId);
            conn.Open();
            using (var rdr = cmd.ExecuteReader())
            {
                if (rdr != null && rdr.Read())
                {
                    passwordFormat = (MembershipPasswordFormat) rdr.GetInt32(0);
                    passwordSalt = rdr.GetString(1);
                    password = rdr.GetString(2);
                }
                else
                {
                    throw new Exception("An unhandled exception of type 'DoesntWorkException' has occured");
                }
            }
        }
    }
    // do something interesting here with passwordFormat, passwordSalt, password
+7

It seems that several different things are happening here ...

  • You cannot recover a hashed password. Period. The goal of hashing is to prevent just such a recovery process.

  • You can use the user ID to search if for any reason the value of the user ID has already been hashed in the database (although this is a bit strange, there is no good reason to hash the user ID). But you need to know how it was hashed. If it's MD5 or SHA1, the fastest way is to use FormsAuthentication.HashPasswordForStoringInConfigFile (but use it on the username instead).

  • Salt does not have to be hashed, otherwise it is unsuitable for use. Salts are added to the clear text password before hashing, so any value that you see in the salt column is a salt.

+3
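As an added example (not part of either answer and not the provider's own source): once the salt and hash have been read as in the first answer, a candidate password can be checked against stored old hashes by re-hashing it with each row's salt. It assumes PasswordFormat is Hashed with hashAlgorithmType SHA1, where SqlMembershipProvider stores Base64(SHA1(salt bytes + UTF-16LE password)); the OldPassword class and the sample values are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical row shape for the asker's "OldPasswords" table.
class OldPassword { public string Salt; public string Hash; }

static class PasswordHistory
{
    // Assumption: PasswordFormat = Hashed and hashAlgorithmType = SHA1.
    // The provider hashes (salt bytes + UTF-16LE password) and stores Base64.
    public static string HashLikeProvider(string password, string saltBase64)
    {
        byte[] salt = Convert.FromBase64String(saltBase64);
        byte[] pwd = Encoding.Unicode.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (SHA1 sha1 = SHA1.Create())
            return Convert.ToBase64String(sha1.ComputeHash(input));
    }

    // True if the candidate matches any stored old hash. Each old row carries
    // its own salt, so the candidate is re-hashed once per row.
    public static bool IsReused(string candidate, IEnumerable<OldPassword> history)
    {
        foreach (OldPassword old in history)
            if (string.Equals(HashLikeProvider(candidate, old.Salt), old.Hash, StringComparison.Ordinal))
                return true;
        return false;
    }

    static void Main()
    {
        // Constructed sample data: one old password with a random 16-byte salt.
        byte[] saltBytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(saltBytes);
        string salt = Convert.ToBase64String(saltBytes);
        var history = new List<OldPassword> {
            new OldPassword { Salt = salt, Hash = HashLikeProvider("Winter2009!", salt) }
        };
        Console.WriteLine(IsReused("Winter2009!", history));
        Console.WriteLine(IsReused("Spring2010?", history));
    }
}
```

If the provider is configured with a different hashAlgorithmType, the SHA1 call has to change to match, and keyed (HMAC) algorithms are not covered by this example.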

Source: https://habr.com/ru/post/1308424/