
  • jake williamson 207 posts 873 karma points
    Mar 14, 2018 @ 19:42
    jake williamson
    0

    how does umbraco hash member passwords (and for a bonus, can i create a member using a hashed password)?

    hey out there,

    we've a shopping cart that creates members as part of a checkout. ideally, we want the new member to enter their password, we'll store it with the basket and then set it when we create the member.

    for obvious reasons we wanna hash the password before we store it! after all, who wants plain text passwords floating around in a checkout/database?

    we're also working on the basis that a umbraco members password is one way hashed...

    digging through the core, i found the aptly named 'IMembershipProviderPasswordHasher' in 'Umbraco.Core.Security' has a method 'HashPassword' which then led me to 'Umbraco.Core.Security.MembershipProviderBase' which has 'HashPasswordForStorage'. sounds good!

    so i quickly tried this:

    using Umbraco.Web.Security.Providers; // MembersMembershipProvider lives here in Umbraco 7

    // attempt to hash a plain-text password the same way the members provider would store it
    var membersMembershipProvider = new MembersMembershipProvider();
    var hashedPassword = membersMembershipProvider.HashPasswordForStorage("ComplicatedPassword");
    

    but it does nothing... am i barking up the right tree or just barking?!

    as mentioned in the title, the bonus here is if i do somehow manage to hash the password, can i actually create the member with the generated value? the interface 'IMemberService' has a 'SavePassword' but that expects a plain text password...

    fun eh?! any suggestions (even if it's a 'na, you can't do what ya trying to do') would be greatly appreciated.

    cheers,

    jake

  • jake williamson 207 posts 873 karma points
    Sep 17, 2018 @ 12:59
    jake williamson
    101

    i revised this today and did some digging...

    in the end i debugged the umbraco project against my own and stepped through the member creation. i noticed that the member is created with a default password that has an interesting prefix e.g.

    ___UIDEMPTYPWORD__ABcrwZbLR2BQLMozzp330OegSqCm6Co7465+W5lYB0V+7FhbZ+iktXhMsjw4u7Ovmw==
    

    a quick search of the source and 'UIDEMPTYPWORD' is a constant defined in 'Umbraco.Core\Constants-Security.cs' and that led to 'Umbraco.Core\Persistence\Repositories\MemberRepository.cs' and on line 241 i found this:

    using Microsoft.AspNet.Identity; // PasswordHasher comes from ASP.NET Identity, not from Umbraco itself
    using Umbraco.Core;              // Constants.Security.EmptyPasswordPrefix ("___UIDEMPTYPWORD__")

    //if the password is empty, generate one with the special prefix
    //this will hash the guid with a salt so should be nicely random
    if (entity.RawPasswordValue.IsNullOrWhiteSpace())
    {
        var aspHasher = new PasswordHasher();
        //a random guid is hashed (salted) and stored behind the prefix, so the
        //member has a password value that nobody knows and nobody can log in with
        dto.Password = Constants.Security.EmptyPasswordPrefix +
                        aspHasher.HashPassword(Guid.NewGuid().ToString("N"));
        //re-assign
        entity.RawPasswordValue = dto.Password;
    }
    

    so... i can use the password hasher to hash the password and store that on the basket however the knock on there is that there's no method in the umbraco core to set a members password using an already hashed password.

    damn. very close. i guess i could write a chunk of code that sets the hashed password for me directly in the database but that would require an additional database call and decouple the member creation process from the umbraco core.

    i think our best solution is to not gather a password during the checkout and set the 'is approved' flag on the member to false (it gets set to true by default). on the complete step of the checkout we'll prompt the user to create a password and when that saves, set the 'is approved' flag to true. that way the member won't be able to log in until they set their password.

    tricky...
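The two findings in the post above, as an added example that is not code from the thread or from Umbraco itself: the first method shows why the ASP.NET Identity PasswordHasher output the core uses cannot be compared or reused as a plain string (every call salts with fresh random bytes, so only VerifyHashedPassword can check a candidate), and the remaining methods implement the deferred-password flow the post settles on with the public IMemberService API. It assumes Umbraco 7 with the ASP.NET Identity 2 package referenced by the site; the member type alias "Member" and the class and method names are this example's own choices, not anything from the thread.

```csharp
using System;
using Microsoft.AspNet.Identity;   // PasswordHasher, PasswordVerificationResult
using Umbraco.Core.Models;         // IMember
using Umbraco.Core.Services;       // IMemberService

// Added example, not code from the thread or from Umbraco. Assumes Umbraco 7.
public static class CheckoutMembers
{
    // Part 1: what the core's PasswordHasher actually gives you. Each call uses a
    // fresh random salt, so the same input never hashes to the same string, and
    // the only valid check is VerifyHashedPassword, never string equality. That is
    // also why a hash stored with the basket cannot be handed to SavePassword.
    public static bool DemonstrateHasher(string plainText)
    {
        var hasher = new PasswordHasher();
        var first = hasher.HashPassword(plainText);
        var second = hasher.HashPassword(plainText);

        var saltedDifferently = first != second;
        var verifies = hasher.VerifyHashedPassword(first, plainText)
                       == PasswordVerificationResult.Success;
        var rejectsWrong = hasher.VerifyHashedPassword(first, plainText + "x")
                           == PasswordVerificationResult.Failed;
        return saltedDifferently && verifies && rejectsWrong;
    }

    // Part 2: the approach the post settles on. Create the member at checkout with
    // no password (the core fills in the prefixed random hash) and with
    // IsApproved = false so the account cannot be used to log in yet.
    public static IMember CreateUnapprovedMember(IMemberService members, string email, string name)
    {
        // "Member" is Umbraco's default member type alias; assumed here, a site may use its own.
        var member = members.CreateMemberWithIdentity(email, email, name, "Member");
        member.IsApproved = false;
        members.Save(member);
        return member;
    }

    // On the completion step the user chooses a password. SavePassword takes the
    // plain text and hashes it through the configured membership provider, so the
    // plain text only ever exists for the duration of this request and is never
    // written to the basket or the database.
    public static void CompleteRegistration(IMemberService members, IMember member, string chosenPassword)
    {
        if (string.IsNullOrWhiteSpace(chosenPassword))
            throw new ArgumentException("A password is required to approve the member.", nameof(chosenPassword));

        members.SavePassword(member, chosenPassword);
        member.IsApproved = true;
        members.Save(member);
    }
}
```

In a controller you would obtain the service from ApplicationContext.Current.Services.MemberService, call CreateUnapprovedMember while building the order, and call CompleteRegistration only from the final checkout step; because the plain-text password is never persisted, there is nothing for the basket storage or its backups to leak.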
