Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Craig O'Mahony 364 posts 918 karma points
    Jul 22, 2015 @ 10:24
    Craig O'Mahony
    0

    Comparing a user entered password to Member password

    Hi folks,

    This is a really long story but I need to compare a text field against the member password field that is stored in Umbraco.

    So to explain I have a plain text string that i need to compare against the encrypted password that Umbraco stores for each user. I know that I can't the unencrypted password out so I need to encrypt the plain string that I have and compare that to the Umbraco password.

    Trouble is, I don't know what encryption Umbraco uses or how to do it!

    Could anyone shed any light please?

    Thanks, Craig

  • Sebastiaan Janssen 5018 posts 15341 karma points MVP admin hq
    Jul 22, 2015 @ 10:53
    Sebastiaan Janssen
    3

    You could read the result of a login attempt:

    var memberShipHelper = new Umbraco.Web.Security.MembershipHelper(Umbraco.Web.UmbracoContext.Current);
    if (memberShipHelper.Login(username, unencryptedPassword)) 
    { 
        // yay, correct! 
    }
    
  • Craig O'Mahony 364 posts 918 karma points
    Jul 22, 2015 @ 11:02
    Craig O'Mahony
    0

    Hi Sebastiaan,

    It's not so such that I'm trying to log someone in it's that I need to know a plain text string matches a password stored against a member. i can use the MemberService to get the raw password, ideally what I'd like to do is use the same function that Umbraco uses when it's stored the password originally and then I can compare the two strings.

    thanks, Craig

  • Sebastiaan Janssen 5018 posts 15341 karma points MVP admin hq
    Jul 22, 2015 @ 11:15
    Sebastiaan Janssen
    0

    Exactly. So if the login succeeds then the clear-text password must be correct.

    You don't want to replicate how Umbraco creates passwords, it's much more difficult and depends on which membership provider (+it's options) has been used to create the password. This is where we save the password: https://github.com/umbraco/Umbraco-CMS/blob/master-v7/src/Umbraco.Core/Services/MemberService.cs#L120

    As you can see this will ask the membership provider to take care of saving the password. You may be able to work out how the membership provider does it but why go through all that trouble if you know the result of a login attempt can give you the same result.

    I don't even want to begin in asking you why you have people's clear-text passwords... :o

  • Harvey 28 posts 122 karma points
    Apr 30, 2017 @ 16:23
    Harvey
    0

    I think a better way of checking to see if the provided password is correct is:

    if (System.Web.Security.Membership.ValidateUser(username, unencryptedPassword)) 
    { 
        // yay, correct! 
    }
    

    Since Umbraco uses the built in ASP.NET membership provided, this above method is a good way to check if the users details are correct without logging them in.

  • Craig O'Mahony 364 posts 918 karma points
    Jul 22, 2015 @ 11:19
    Craig O'Mahony
    0

    Actually that's a good point!

    I think that I'm overthinking what I'm trying to do!

  • Richard Hamilton 79 posts 166 karma points
    Aug 10, 2016 @ 13:13
    Richard Hamilton
    0

    I don't think he had people's clear text password - that was the problem :)

Please Sign in or register to post replies

Write your reply to:

Draft