I am trying to generate alphanumeric passwords and I did this in web.config:
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="false"
passwordFormat="Clear"
maxInvalidPasswordAttempts="10"
minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0"
passwordAttemptWindow="10" passwordStrengthRegularExpression="^[a-zA-Z0-9]*$"/>
But still I get non-alphanumeric characters. Please correct me if wrong.
http://msdn.microsoft.com/en-us/library/system.web.security.membershipprovider.resetpassword.aspx
The random password created by the ResetPassword method is not
guaranteed to pass the regular expression in the
PasswordStrengthRegularExpression property. However, the random
password will meet the criteria established by the
MinRequiredPasswordLength and MinRequiredNonAlphanumericCharacters
properties
I am using an SQLMemberShipProvider.
When I enter my username and password the following code is executed membershipProvider.ValidateUser(myUserName, myPassword) and returns true indicating that the user is valid.
I reset the password with the following code:
var username = membershipProvider.GetUser(myUserName, false);
username.ChangePassword(username.ResetPassword(), newPassword);
Now when I enter my username and the new changed password, the following executes again membershipProvider.ValidateUser(myUserName, newPassword), but this time the validation fails.
I don't understand this, as I am using the same provider for both calls of ValidateUser. The password seemed to have changed as the original password is no longer valid as well.
The password format is hashed, IsLocked is false and IsApproved is true.
Code looks good. This is occurring most probably because resetPassword is not set to true in your web.config:
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="20">
<providers>
<add name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="SqlServices"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
passwordFormat="Hashed"
applicationName="MyApplication" />
</providers>
</membership>
Ensure that enablePasswordReset="true" is set.
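An added example (not code from any of the posts above) that serves both reset questions: since ResetPassword ignores passwordStrengthRegularExpression, it generates the alphanumeric password itself, swaps it in with ChangePassword, and checks the result instead of discarding it. The class and method names are hypothetical, and it assumes minRequiredNonalphanumericCharacters="0" as in the configurations above.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.Security;

public static class AlphanumericReset   // hypothetical helper, not part of ASP.NET
{
    private const string Alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; // 62 symbols

    // Draws every character from a CSPRNG; rejection sampling avoids modulo bias.
    public static string Generate(int length)
    {
        var chars = new char[length];
        var buf = new byte[1];
        using (var rng = RandomNumberGenerator.Create())
        {
            for (int i = 0; i < length; )
            {
                rng.GetBytes(buf);
                if (buf[0] >= 248) continue;   // 248 = 4 * 62; larger values would skew the distribution
                chars[i++] = Alphabet[buf[0] % Alphabet.Length];
            }
        }
        return new string(chars);
    }

    // Replaces the user's password with a generated alphanumeric one and returns it.
    public static string ResetTo(string userName)
    {
        MembershipUser user = Membership.GetUser(userName, false);
        if (user == null) throw new ArgumentException("Unknown user.", "userName");

        // Assumption: at least 12 characters, or the provider minimum if that is larger.
        string newPassword = Generate(Math.Max(12, Membership.MinRequiredPasswordLength));

        // Throws NotSupportedException when the provider has enablePasswordReset="false".
        string temporary = user.ResetPassword();

        // ChangePassword reports some failures through its return value, not an exception.
        // If it returns false, the temporary password from ResetPassword is still the live one.
        if (!user.ChangePassword(temporary, newPassword))
            throw new InvalidOperationException("ChangePassword returned false.");

        return newPassword;
    }
}
```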
I have a web service that calls a method to authenticate a user.
The method is:
public bool getUser(string User, string Pass)
{
    // Validate the credentials that were passed in to this method
    return Membership.ValidateUser(User, Pass);
}
But Membership.ValidateUser needs to get a connection to the DB, and I'm using Entity Framework. Any help?
We have two different connection strings defined, one for EF and one for the Membership provider, even though they're both the same DB.
So in the Web.config we have:
<configuration>
<connectionStrings>
<!-- Used by the EF DbContext -->
<add name="EFConnection" connectionString="metadata=res://*/Model.csdl|res://*/Model.ssdl|res://*/Model.msl;provider=System.Data.SqlClient;provider connection string=&quot;Data Source=localhost;Initial Catalog=MyDB;Persist Security Info=False;Trusted_Connection=yes;MultipleActiveResultSets=true;&quot;" providerName="System.Data.EntityClient" />
<!-- Used for membership, see the Web.config entries below -->
<add name="ApplicationServices" connectionString="data source=localhost;initial catalog=MyDB;Persist Security Info=False;Trusted_Connection=yes;MultipleActiveResultSets=true;" providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<membership>
<providers>
<!-- Uses the ApplicationServices connection string defined above to set the connection information for the membership provider -->
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="ePubDirect" />
</providers>
</membership>
</system.web>
</configuration>
There's a load of other stuff in the Web.config too of course, and your connection strings will likely be very different than my local dev environment, but this is the type of wiring you need for your Membership to just work.
Instead of System.Web.Security.SqlMembershipProvider you may need something more like:
<membership defaultProvider="DefaultMembershipProvider">
<providers>
<add name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
</providers>
</membership>
Or whatever membership provider you're using. Your detailed settings are likely to be different to these too.
It doesn't mean you are using Entity Framework or ADO.NET classes to make the connection with the database. The membership provider will work with Entity Framework as well. You need to define the membership connection string in the Web.config file.
I am using the ASP.NET membership in my application.
When customers register I need to get the password of the user, is there any algorithm so that I can get the decrypted password.
eg:
1) we will be having set of tables that will be created on asp.net_membership where in that we store userName, password, password key, strength and security question.
<membership>
<providers>
<clear />
<add name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="MMMS35.API"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
applicationName="Moose"
requiresUniqueEmail="false"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="0"
passwordAttemptWindow="1"
passwordStrengthRegularExpression="" />
</providers>
</membership>
If you want to get the password entered by the user when he is registering, you can probably do so. For example, if you use the ASP.NET CreateUserWizard control, you can access the CreateUserWizard.Password property. Nevertheless, it's not very clear what you'd want to do with it.
If you want to get the user's password after he's registered, which is probably not a good idea from a security perspective as noted in the comments to your question, you need to configure your MembershipProvider with:
enablePasswordRetrieval="true"
passwordFormat="Clear" or "Encrypted"
How can I remove the functionality of max invalid password attempts from ASP.NET Membership?
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider"
connectionStringName="con"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="false"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0"
passwordAttemptWindow="10"
applicationName="/"/>
</providers>
</membership>
This thread might help you:
Disabling account lockout with the SqlMembershipProvider
Basically you could just set number of attempts to Int32.MaxValue. It's not exactly what you wanted but it will work for most cases.
I am going crazy, when I go into the Web Site Administration Tool to create some new users, it always tells me that my password is not 7 characters long.
Error msg:
Password length minimum: 7. Non-alphanumeric characters required: 1.
Here is my web.config, seems like it is not even looked at.
<membership userIsOnlineTimeWindow="20">
<providers>
<remove name="AspNetSqlProvider" />
<add name="AspNetSqlProvider" connectionStringName="LocalSqlServer"
type="System.Web.Security.SqlMembershipProvider"
applicationName="OCIS"
minRequiredPasswordLength="3"/>
</providers>
</membership>
I even went as far as to modify the machine.config and after rebooting, still the same result.
Very frustrating.
You guys have any ideas why my web.config file seems to be ignored?
Thank you,
Steve
The AspNetSqlProvider is not the default provider name that is defined in the MembershipSection. Thus, you have to set the default provider name as follows.
<membership defaultProvider="AspNetSqlProvider">
<providers>
<add name="AspNetSqlProvider" ... />
</providers>
</membership>
You probably should never have need to modify machine.config but I understand your frustration.
First, try implementing all properties of the provider in your local config to your specs and see what happens.
<membership>
<providers>
<add
name="AspNetSqlMembershipProvider"
type="System.Web.Security.SqlMembershipProvider, ..."
connectionStringName="LocalSqlServer"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
applicationName="/"
requiresUniqueEmail="false"
passwordFormat="Hashed"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1"
passwordAttemptWindow="10"
passwordStrengthRegularExpression=""
/>
</providers>
</membership>
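An added diagnostic (not code from the thread) for the "web.config seems to be ignored" case: it lists every registered membership provider with the settings that are actually in effect, marks the default one, and flags the clear-text and retrieval settings discussed earlier on this page. The class and method names are hypothetical.

```csharp
using System.Collections.Generic;
using System.Web.Security;

public static class MembershipDiagnostics   // hypothetical helper, not part of ASP.NET
{
    // Returns one line per provider, reflecting the merged machine.config/web.config result.
    public static List<string> Describe()
    {
        var lines = new List<string>();
        string defaultName = Membership.Provider.Name;   // the provider Membership.* calls use

        foreach (MembershipProvider p in Membership.Providers)
        {
            lines.Add(string.Format(
                "{0}{1}: app={2} minLength={3} minNonAlnum={4} format={5} " +
                "reset={6} retrieval={7} maxAttempts={8} window={9}min regex=\"{10}\"",
                p.Name == defaultName ? "* " : "  ",
                p.Name,
                p.ApplicationName,
                p.MinRequiredPasswordLength,
                p.MinRequiredNonAlphanumericCharacters,
                p.PasswordFormat,
                p.EnablePasswordReset,
                p.EnablePasswordRetrieval,
                p.MaxInvalidPasswordAttempts,
                p.PasswordAttemptWindow,
                p.PasswordStrengthRegularExpression));

            // Settings from this page that weaken credential storage.
            if (p.PasswordFormat == MembershipPasswordFormat.Clear)
                lines.Add("    warning: passwordFormat=\"Clear\" stores passwords unprotected");
            if (p.EnablePasswordRetrieval)
                lines.Add("    warning: enablePasswordRetrieval=\"true\" lets stored passwords be read back");
        }
        return lines;
    }
}
```

If the line marked with `*` is not the provider you edited, the `defaultProvider` attribute is pointing elsewhere and your `<add>` entry is registered but unused.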