Creating new members - password is stored as plain text
When creating new members through the MemberService, or by creating a new Member() and calling member.Save(), the password appears in the database in plain text.
These two methods appear to be the most intuitive ways to create a new member, yet these methods do not hash the password, despite the config setting (i.e. passwordFormat="Hashed")
If I use MemberService.SavePassword() it does hash the password, but this approach requires me to modify the config setting: allowManuallyChangingPassword="true"
which violates best recommended practice.
I am very new to Umbraco, what is the correct workflow for creating new members and assigning a temporary password (hashed) so they can login?
This sounds a bit strange, because I would have expected that if you create the Member the password is stored according to the settings on the MembershipProvider.
A few questions that could help answering your question:
Which version of Umbraco are you using?
Can you share some code that you're using?
Can you copy paste the web.config MembershipProvider line that you are using?
As you can see in the "UmbracoMembershipProvider", "passwordFormat" is set to "Hashed". Execute the code above, with this "UmbracoMembershipProvider" definition, and the password will be stored in plain text.
If this information is not clear in any way, please ask for additional clarification.
First off, please make members in the following way:
var member = memberService.CreateMember("[email protected]", "[email protected]", "Test", "Member");
memberService.Save(member);
memberService.SavePassword(member, "test123456");
Second: there does seem to be a bug here, when saving the password you get This provider does not support manually changing the password. We should indeed fix that!
Sebastiaan, thank you for your reply. The code you provide is the way I am doing it for now, as it will store the password hashed, but requires that I modify the following config value:
allowManuallyChangingPassword="true"
I'm sorry if I wasn't clear, but I'm looking for a way to assign a temporary password, "HASHED", without changing the config, and the code I provided allows me to set the password with the recommended config value:
allowManuallyChangingPassword="false"
I hope that helps to clarify what I'm looking for:
How can I store a hashed password without setting the allowManuallyChangingPassword value to false?
Thank you for your response, I am very glad to see I am on the right track : )
You can't do what you want to do right now, it's a bug we need to fix. For now allowManuallyChangingPassword needs to be false if you want to save someone's password. :)
Hi all, there's some important things to know here:
The IMemberService (just like all other services) is used to persist data to the database. So yes, setting a password directly on the member will go directly to the database, that is what it is designed to do. The IMemberService is not intended to wrap things like membership or ASP.NET identity implementations that are responsible for controlling things like passwords, it is designed to write to the database. In fact, the membership providers wrap the IMemberService ... we can't have both wrapping each other
This IMemberService.SavePassword method shouldn't really exist, but it does so for now I've updated its logic. See this issue for full details: http://issues.umbraco.org/issue/U4-10361 . With this update (coming in 7.6.6) you can use this method if:
You have AllowManuallyChangingPassword is true - this is not recommended since it exists for legacy reasons only and makes the APIs insecure
You've created a member without any password value (i.e. string.Empty)
That said, I would recommend using the MembershipHelper or membership provider APIs to create your members. Any password manipulation must be done via these APIs.
In 7.8 we'll be porting in the UmbracoIdentity project https://github.com/shazwazza/umbracoidentity so that members are governed by ASP.NET Identity just like Users are now. We will maintain compat with old membership provider APIs too (just like Users are now) and this IMemberService.SavePassword will be obsoleted.
Would it be possible to set both "change password manually" and "change password programmatically".. like both options, so the "New password", does not appear in backend, but you can still change it by code..
Hi Garth,
welcome to Our!
This sounds a bit strange, because I would have expected that if you create the Member the password is stored according to the settings on the MembershipProvider.
A few questions that could help answering your question:
And then we will try to solve this!
Thanks,
Jeffrey
Which version of Umbraco are you using?
Currently we are on v7.6.4
Can you share some code that you're using?
I have tried many variations of creating a new member with a default password. Here is a very simple version, two lines:
Can you copy paste the web.config MembershipProvider line that you are using?
[add name="UmbracoMembershipProvider" type="Umbraco.Web.Security.Providers.MembersMembershipProvider, Umbraco" minRequiredNonalphanumericCharacters="0" minRequiredPasswordLength="10" useLegacyEncoding="false" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" defaultMemberTypeAlias="Member" passwordFormat="Hashed" allowManuallyChangingPassword="false" /]
As you can see in the "UmbracoMembershipProvider", "passwordFormat" is set to "Hashed". Execute the code above, with this "UmbracoMembershipProvider" definition, and the password will be stored in plain text.
If this information is not clear in any way, please ask for additional clarification.
First off, please make members in the following way:
Second: there does seem to be a bug here, when saving the password you get "This provider does not support manually changing the password". We should indeed fix that!
Sebastiaan, thank you for your reply. The code you provide is the way I am doing it for now, as it will store the password hashed, but requires that I modify the following config value:
allowManuallyChangingPassword="true"
I'm sorry if I wasn't clear, but I'm looking for a way to assign a temporary password, "HASHED", without changing the config, and the code I provided allows me to set the password with the recommended config value:
allowManuallyChangingPassword="false"
I hope that helps to clarify what I'm looking for:
How can I store a hashed password without setting the allowManuallyChangingPassword value to false?
Thank you for your response, I am very glad to see I am on the right track : )
You can't do what you want to do right now, it's a bug we need to fix. For now allowManuallyChangingPassword needs to be false if you want to save someone's password. :)
Sebastiaan, thank you again for responding, I know now not to beat my head against the wall, which I really appreciate : )
Hi all, there's some important things to know here:
The IMemberService (just like all other services) is used to persist data to the database. So yes, setting a password directly on the member will go directly to the database, that is what it is designed to do. The IMemberService is not intended to wrap things like membership or ASP.NET identity implementations that are responsible for controlling things like passwords, it is designed to write to the database. In fact, the membership providers wrap the IMemberService ... we can't have both wrapping each other
There are various ways to create members. The simplest way is to use the MembershipHelper.RegisterMember which is what the razor macro snippets will use (i.e. create a partial view macro and use the Register one, this is what executes in the POST https://github.com/umbraco/Umbraco-CMS/blob/dev-v7/src/Umbraco.Web/Controllers/UmbRegisterController.cs#L25)
Alternatively, you can create a Member directly via the ASP.NET MembershipProvider which handles the passwords and this is what the MembershipHelper will also do https://github.com/umbraco/Umbraco-CMS/blob/dev-v7/src/Umbraco.Web/Security/MembershipHelper.cs#L161
This IMemberService.SavePassword method shouldn't really exist, but it does so for now I've updated its logic. See this issue for full details: http://issues.umbraco.org/issue/U4-10361 . With this update (coming in 7.6.6) you can use this method if:
That said, I would recommend using the MembershipHelper or membership provider APIs to create your members. Any password manipulation must be done via these APIs.
In 7.8 we'll be porting in the UmbracoIdentity project https://github.com/shazwazza/umbracoidentity so that members are governed by ASP.NET Identity just like Users are now. We will maintain compat with old membership provider APIs too (just like Users are now) and this IMemberService.SavePassword will be obsoleted.
FYI: memberService.SavePassword(member, "test123456"); will be possible again in v7.6.6.
See http://issues.umbraco.org/issue/U4-10361
So long as
as per above
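The provider route recommended in the post above, as an added example that is not part of the thread or of Umbraco's own code: the member is created through the ASP.NET membership provider named in the quoted web.config, so the provider applies passwordFormat="Hashed" before anything reaches the database. The class and method names are hypothetical, and the 16-character floor for the temporary password is an assumption.

```csharp
using System;
using System.Web.Security;

public static class MemberProvisioning // hypothetical helper, not an Umbraco type
{
    // Provider name as it appears in the web.config line quoted in this thread.
    private const string ProviderName = "UmbracoMembershipProvider";

    // Assumed floor for generated temporary passwords (not from the thread).
    private const int MinTempPasswordLength = 16;

    // Creates a member via the membership provider instead of IMemberService,
    // so password handling stays with the component that owns passwordFormat.
    // Returns the temporary password for out-of-band delivery to the member;
    // this code never writes the plain-text value to storage or logs.
    public static string CreateMemberWithTemporaryPassword(string username, string email)
    {
        MembershipProvider provider = Membership.Providers[ProviderName];
        if (provider == null)
            throw new InvalidOperationException(
                "Membership provider '" + ProviderName + "' is not configured.");

        // Respect the provider's own policy (minRequiredPasswordLength and
        // minRequiredNonalphanumericCharacters from web.config).
        int length = Math.Max(provider.MinRequiredPasswordLength, MinTempPasswordLength);
        string tempPassword = Membership.GeneratePassword(
            length, provider.MinRequiredNonAlphanumericCharacters);

        MembershipCreateStatus status;
        MembershipUser user = provider.CreateUser(
            username,
            tempPassword,
            email,
            null,  // passwordQuestion: requiresQuestionAndAnswer="false"
            null,  // passwordAnswer
            true,  // isApproved
            null,  // providerUserKey: let the provider assign it
            out status);

        // Fail closed: surface the provider's reason rather than continuing
        // with a half-created or password-less member.
        if (status != MembershipCreateStatus.Success || user == null)
            throw new InvalidOperationException("Member was not created: " + status);

        return tempPassword;
    }
}
```

This path works with allowManuallyChangingPassword="false", because the password is set at creation time by the provider rather than changed afterwards.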
Would it be possible to set both "change password manually" and "change password programmatically".. like both options, so the "New password", does not appear in backend, but you can still change it by code..