Maintain ASP.Net membership passwords during machine key changes

Question

Maintain ASP.Net membership passwords during machine key changes

Is there a utility or sample code that can decrypt using the old key and then encrypt passwords with the new key for ASP.Net membership users?

+3

asp.net asp.net-membership

ScottS Nov 03 '10 at 19:58

source share

3 answers

Gregory suvalian · Answer 1 · 2014-04-11T14:31:19+0000

None of the workarounds worked for me. My solution is below. It includes first storing passwords in clear text, and then re-encrypting them using the new MachineKey.

Change car key

Greg · Answer 2 · 2010-11-16T15:13:03+0000

This is my best guess for a solution, but I did not have the opportunity to test it. It uses the following settings for your current provider:

enablePasswordRetrieval="true" requiresQuestionAndAnswer="false" passwordFormat="Encrypted"

, .

( mootinator jumpstart )

using System.Reflection;
using System.Web.Configuration;
using System.Web.Security;
namespace MyNamespace
{
    public class MySqlMembershipProvider : SqlMembershipProvider
    {
        protected override byte[] DecryptPassword(byte[] encodedPassword)
        {
            MachineKeySection section = (MachineKeySection)WebConfigurationManager.GetSection("system.web/machineKey");
            section.DecryptionKey = "oldkey"; // TODO: Set your old key here

            MethodInfo method = typeof(MachineKeySection).GetMethod("EncryptOrDecryptData", BindingFlags.Instance | BindingFlags.NonPublic);

            return (byte[])method.Invoke(section, new object[] { encodedPassword, null, 0, encodedPassword.Length, 0, false, false });
        }
    }
}

web.config:

<membership defaultProvider="DefaultSqlMembershipProvider">
  <providers>
    <clear/>
    <add name="DefaultSqlMembershipProvider" connectionStringName="MembershipConnectionString" enablePasswordRetrieval="true" requiresQuestionAndAnswer="false" applicationName="TODO" passwordFormat="Encrypted" type="System.Web.Security.SqlMembershipProvider"/>
    <add name="MySqlMembershipProvider" connectionStringName="MembershipConnectionString" enablePasswordRetrieval="true" requiresQuestionAndAnswer="false" applicationName="TODO" passwordFormat="Encrypted" type="MyNamespace.MySqlMembershipProvider"/>
  </providers>
</membership>

:

MembershipProvider retrievePasswordProvider = Membership.Providers["MySqlMembershipProvider"];

foreach (MembershipUser user in Membership.GetAllUsers())
{
    MembershipUser retrievePassworedUser = retrievePasswordProvider.GetUser(user.UserName, false);
    string password = retrievePassworedUser.GetPassword(); // get password using old key

    user.ChangePassword(password, password); // change password to same password using new key
}

, .

Kevin stricker · Answer 3 · 2010-11-03T20:33:31+0000

I think you could do this by setting the key on the fly:

You may need to expand SqlMembershipProvider(or whatever you use) to access the method protected DecryptPassword.

    MachineKeySection section = (MachineKeySection)WebConfigurationManager.GetSection("system.web/machineKey");

section.DecryptionKey = "old";
// Read old password
section.DecryptionKey = "new";
// Store new password

Maintain ASP.Net membership passwords during machine key changes

More articles: