  • Perry Cope 31 posts 195 karma points
    Jun 11, 2018 @ 16:18
    Perry Cope
    0

    Password History

    I'm trying to implement password history for Members so that a user cannot enter a password they have previously used.

    I'm planning on doing this by adding an extra table and storing the hashed password history there and checking against it when a Member updates their password.

    The issue I am having is that the password format is set to hashed and I can't figure out how to generate the hashed password in the same way Members.ChangePassword does, so I can't check against the PasswordHistory table.

    I've tried

    var _passwordhasher = new MembershipProviderPasswordHasher(Membership.Provider.AsUmbracoMembershipProvider());
    var hashed = _passwordhasher.HashPassword(model.NewPassword);
    

    And

    var hash = Membership.Provider.AsUmbracoMembershipProvider().HashPasswordForStorage(model.NewPassword);
    

    Neither gives the same result as

    var attempt = Members.ChangePassword(Membership.GetUser().UserName, new Umbraco.Web.Models.ChangingPasswordModel()
                    {
                        NewPassword = model.NewPassword,
                        OldPassword = model.OldPassword
                    }, Membership.Provider);
    var originalPasswordhash = _memberService.GetByUsername(Membership.GetUser().UserName).RawPasswordValue;
    
  • Perry Cope 31 posts 195 karma points
    Jun 12, 2018 @ 14:48
    Perry Cope
    100

    I managed to find an answer to this after a day of going through the source code, and rethinking my approach.

    The provider has a protected method of

    MembershipProviderBase.CheckPassword
    

    I made a public method on my custom provider that took in the raw Passwords from the History table and returned the above method's result.

  • Streety 358 posts 568 karma points
    Apr 03, 2020 @ 09:26
    Streety
    0

    Hi Perry,

    Would be interested to see how you implemented password history with .NET Identity.

    Would you be prepared to share your findings?

  • Perry Cope 31 posts 195 karma points
    Apr 03, 2020 @ 09:56
    Perry Cope
    0

    Hi,

    It was a long time ago and I believe the project got abandoned before going live. But I did implement it, not sure how well, but here goes.

    Here's an article I used for help extending the Membership provider: https://24days.in/umbraco-cms/2015/extending-membership/

    I created a new history table to store hashed passwords against a username, which I populated on password change. After a member has a password set you can access the raw value using this: _memberService.GetByUsername(user.UserName).RawPasswordValue

    Then simply on each password change request I fed in the new password (unhashed) and ran it against the above method, looping through the hashed pwhistory table values.

  • Perry Cope 31 posts 195 karma points
    Apr 03, 2020 @ 09:57
    Perry Cope
    0

    Change password controller

    public ActionResult ChangePassword([Bind(Prefix = "viewModel")]ChangePasswordViewModel model)
    {
        var _memberService = Services.MemberService;
        var user = Membership.GetUser();
        // Hashes previously stored for this member in the history table
        var pwHistory = user.UserName.GetHistory();

        if (Membership.ValidateUser(Membership.GetUser().UserName, model.OldPassword))
        {
            var provider = Membership.Provider.AsUmbracoMembershipProvider() as CustomMembershipProvider;
            // Stop without changing the password if the new one verifies against any stored hash
            foreach (var pw in pwHistory)
            {
                if (provider.CheckPasswordHistory(model.NewPassword, pw))
                {
                    return CurrentUmbracoPage();
                }
            }

            var attempt = Members.ChangePassword(Membership.GetUser().UserName, new Umbraco.Web.Models.ChangingPasswordModel()
            {
                NewPassword = model.NewPassword,
                OldPassword = model.OldPassword
            }, Membership.Provider);
            if (attempt.Success)
            {
                // Read back the hash the provider just stored and add it to the history table
                var newPasswordhash = _memberService.GetByUsername(user.UserName).RawPasswordValue;
                user.UserName.AddPassword(newPasswordhash);

                TempData["ResetSuccess"] = true;
                return CurrentUmbracoPage();
            }
        }

        return CurrentUmbracoPage();
    }
    
  • Perry Cope 31 posts 195 karma points
    Apr 03, 2020 @ 10:00
    Perry Cope
    0

    Custom MembershipProvider

    public class CustomMembershipProvider : MembersMembershipProvider
    {
        string twilioSid = ConfigurationManager.AppSettings["twilioSid"];
        string tiwlioAuthToken = ConfigurationManager.AppSettings["twilioAuthToken"];

        // Public wrapper around the protected CheckPassword method of the base provider
        public bool CheckPasswordHistory(string password, string rawPasword)
        {
            return CheckPassword(password, rawPasword);
        }
    }
    

    This is what I was looking for

    CheckPassword(password,rawPasword)
    

    Only exposed in a custom implementation of MembersMembershipProvider as far as I remember.
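
Why hashing the new password a second time does not reproduce the stored value, and why the history check has to verify against each stored entry instead, shown as an added example (not code from this thread or from Umbraco). It assumes the stored hashes carry a per-password random salt; PBKDF2, the `salt:hash` layout and every name below are constructed for illustration and are not Umbraco's storage format.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

// Added illustration: salted PBKDF2 stands in for the membership provider's hashing.
public static class PasswordHistoryDemo
{
    const int SaltBytes = 16, HashBytes = 32, Iterations = 100_000, KeepLast = 5;

    // Stored form (constructed for this example): base64(salt) + ":" + base64(hash).
    public static string Hash(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(Derive(password, salt));
    }

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Re-derive with the salt taken from the stored entry, then compare without early exit.
    public static bool Verify(string password, string stored)
    {
        var parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = Derive(password, Convert.FromBase64String(parts[0]));
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    // A candidate is a reuse if it verifies against any entry in the history.
    public static bool IsReused(string candidate, IEnumerable<string> history) =>
        history.Any(h => Verify(candidate, h));

    public static void Main()
    {
        var history = new List<string> { Hash("Spring2018!"), Hash("Summer2018!") }; // constructed sample
        // A fresh hash gets a fresh salt, so comparing stored strings cannot detect reuse.
        Console.WriteLine("string match:  " + (Hash("Spring2018!") == history[0]));
        Console.WriteLine("old password:  " + IsReused("Spring2018!", history));
        Console.WriteLine("new password:  " + IsReused("Autumn2018!", history));
        history.Add(Hash("Autumn2018!"));
        if (history.Count > KeepLast) history.RemoveAt(0); // retain only the most recent entries
    }
}
```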
