Comparing a user entered password to Member password
Hi folks,
This is a really long story but I need to compare a text field against the member password field that is stored in Umbraco.
So to explain I have a plain text string that i need to compare against the encrypted password that Umbraco stores for each user. I know that I can't the unencrypted password out so I need to encrypt the plain string that I have and compare that to the Umbraco password.
Trouble is, I don't know what encryption Umbraco uses or how to do it!
var memberShipHelper = new Umbraco.Web.Security.MembershipHelper(Umbraco.Web.UmbracoContext.Current);
if (memberShipHelper.Login(username, unencryptedPassword))
{
// yay, correct!
}
It's not so such that I'm trying to log someone in it's that I need to know a plain text string matches a password stored against a member. i can use the MemberService to get the raw password, ideally what I'd like to do is use the same function that Umbraco uses when it's stored the password originally and then I can compare the two strings.
As you can see this will ask the membership provider to take care of saving the password. You may be able to work out how the membership provider does it but why go through all that trouble if you know the result of a login attempt can give you the same result.
I don't even want to begin in asking you why you have people's clear-text passwords... :o
I think a better way of checking to see if the provided password is correct is:
if (System.Web.Security.Membership.ValidateUser(username, unencryptedPassword))
{
// yay, correct!
}
Since Umbraco uses the built in ASP.NET membership provided, this above method is a good way to check if the users details are correct without logging them in.
Comparing a user entered password to Member password
Hi folks,
This is a really long story but I need to compare a text field against the member password field that is stored in Umbraco.
So to explain I have a plain text string that i need to compare against the encrypted password that Umbraco stores for each user. I know that I can't the unencrypted password out so I need to encrypt the plain string that I have and compare that to the Umbraco password.
Trouble is, I don't know what encryption Umbraco uses or how to do it!
Could anyone shed any light please?
Thanks, Craig
You could read the result of a login attempt:
Hi Sebastiaan,
It's not so such that I'm trying to log someone in it's that I need to know a plain text string matches a password stored against a member. i can use the MemberService to get the raw password, ideally what I'd like to do is use the same function that Umbraco uses when it's stored the password originally and then I can compare the two strings.
thanks, Craig
Exactly. So if the login succeeds then the clear-text password must be correct.
You don't want to replicate how Umbraco creates passwords, it's much more difficult and depends on which membership provider (+it's options) has been used to create the password. This is where we save the password: https://github.com/umbraco/Umbraco-CMS/blob/master-v7/src/Umbraco.Core/Services/MemberService.cs#L120
As you can see this will ask the membership provider to take care of saving the password. You may be able to work out how the membership provider does it but why go through all that trouble if you know the result of a login attempt can give you the same result.
I don't even want to begin in asking you why you have people's clear-text passwords... :o
I think a better way of checking to see if the provided password is correct is:
Since Umbraco uses the built in ASP.NET membership provided, this above method is a good way to check if the users details are correct without logging them in.
Actually that's a good point!
I think that I'm overthinking what I'm trying to do!
I don't think he had people's clear text password - that was the problem :)
is working on a reply...