  • Perry Cope 31 posts 195 karma points
    Jun 11, 2018 @ 16:18
    Perry Cope
    0

    Password History

    I'm trying to implement password history for Members so that a user cannot enter a password they have previously used.

    I'm planning on doing this by adding an extra table, storing the hashed password history there, and checking against it when a Member updates their password.

    The issue I am having is that the password format is set to Hashed and I can't figure out how to generate the hashed password in the same way Members.ChangePassword does, so I can't check against the PasswordHistory table.

    I've tried

    var _passwordhasher = new MembershipProviderPasswordHasher(Membership.Provider.AsUmbracoMembershipProvider());
    var hashed = _passwordhasher.HashPassword(model.NewPassword);
    

    And

    var hash = Membership.Provider.AsUmbracoMembershipProvider().HashPasswordForStorage(model.NewPassword);
    

    Neither gives the same result as

    var attempt = Members.ChangePassword(Membership.GetUser().UserName, new Umbraco.Web.Models.ChangingPasswordModel()
                    {
                        NewPassword = model.NewPassword,
                        OldPassword = model.OldPassword
                    }, Membership.Provider);
    var originalPasswordhash = _memberService.GetByUsername(Membership.GetUser().UserName).RawPasswordValue;
    
  • Perry Cope 31 posts 195 karma points
    Jun 12, 2018 @ 14:48
    Perry Cope
    100

    I managed to find an answer to this after a day of going through the source code, and rethinking my approach.

    The provider has a protected method of

    MembershipProviderBase.CheckPassword
    

    I made a public method on my custom provider that took in the raw Passwords from the History table and returned the above method's result.

  • Streety 358 posts 568 karma points
    Apr 03, 2020 @ 09:26
    Streety
    0

    Hi Perry,

    Would be interested to see how you implemented password history with .NET Identity.

    Would you be prepared to share your findings?

  • Perry Cope 31 posts 195 karma points
    Apr 03, 2020 @ 09:56
    Perry Cope
    0

    Hi,

    It was a long time ago and I believe the project got abandoned before going live. But I did implement it, not sure how well, but here goes.

    Here's an article I used for help extending the Membership provider: https://24days.in/umbraco-cms/2015/extending-membership/

    I created a new history table to store hashed passwords against a username, which I populated on password change. After a member has a password set you can access the raw value using this: _memberService.GetByUsername(user.UserName).RawPasswordValue

    Then simply, on each password change request, I fed in the new password (unhashed) and ran it against the above method, looping through the hashed pwhistory table values.

  • Perry Cope 31 posts 195 karma points
    Apr 03, 2020 @ 09:57
    Perry Cope
    0

    Change password controller

    public ActionResult ChangePassword([Bind(Prefix = "viewModel")]ChangePasswordViewModel model)
    {
        var _memberService = Services.MemberService;
        var user = Membership.GetUser();
        // GetHistory() and AddPassword() are helpers over the history table (not shown in this post).
        var pwHistory = user.UserName.GetHistory();

        // Only continue when the supplied old password is valid for the current member.
        if (Membership.ValidateUser(Membership.GetUser().UserName, model.OldPassword))
        {
            var provider = Membership.Provider.AsUmbracoMembershipProvider() as CustomMembershipProvider;

            // Verify the new plain-text password against every stored hash; any match means reuse.
            foreach (var pw in pwHistory)
            {
                if (provider.CheckPasswordHistory(model.NewPassword, pw))
                {
                    return CurrentUmbracoPage();
                }
            }

            var attempt = Members.ChangePassword(Membership.GetUser().UserName, new Umbraco.Web.Models.ChangingPasswordModel()
            {
                NewPassword = model.NewPassword,
                OldPassword = model.OldPassword
            }, Membership.Provider);
            if (attempt.Success)
            {
                // Record the hash the provider just stored so it joins the history.
                var newPasswordhash = _memberService.GetByUsername(user.UserName).RawPasswordValue;
                user.UserName.AddPassword(newPasswordhash);

                TempData["ResetSuccess"] = true;
                return CurrentUmbracoPage();
            }
        }

        return CurrentUmbracoPage();
    }
    
  • Perry Cope 31 posts 195 karma points
    Apr 03, 2020 @ 10:00
    Perry Cope
    0

    Custom MembershipProvider

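    public class CustomMembershipProvider : MembersMembershipProvider
    {
        string twilioSid = ConfigurationManager.AppSettings["twilioSid"];
        string tiwlioAuthToken = ConfigurationManager.AppSettings["twilioAuthToken"];

        // Public wrapper around the protected MembershipProviderBase.CheckPassword:
        // password is the new plain-text value, rawPasword a stored value from the history table.
        public bool CheckPasswordHistory(string password, string rawPasword)
        {
            return CheckPassword(password, rawPasword);
        }
    }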
    

    This is what I was looking for:

    CheckPassword(password,rawPasword)
    

    It is only exposed in a custom implementation of MembersMembershipProvider, as far as I remember.
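
Added example, not part of the thread and not Umbraco's code: a self-contained sketch of why hashing the new password again never matches a stored value when each hash carries its own random salt, and why a history check has to verify the candidate against every stored entry instead. The `salt:hash` storage format, the PBKDF2 parameters and all names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

// Hypothetical helper (assumption): stored value is "base64(salt):base64(hash)".
static class PasswordHistoryDemo
{
    const int SaltBytes = 16, HashBytes = 32, Iterations = 100000;

    // Draws a fresh random salt on every call, so the output string differs each time.
    public static string Hash(string password)
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(Derive(password, salt));
    }

    // Re-derives the hash using the salt taken from the stored value, then compares.
    public static bool Verify(string password, string stored)
    {
        var parts = stored.Split(':');
        if (parts.Length != 2) return false;
        var salt = Convert.FromBase64String(parts[0]);
        return FixedTimeEquals(Derive(password, salt), Convert.FromBase64String(parts[1]));
    }

    // History check: the candidate is reused if it verifies against any stored entry.
    public static bool IsReused(string candidate, IEnumerable<string> history)
    {
        return history.Any(stored => Verify(candidate, stored));
    }

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }
    // Comparison that does not exit early on the first differing byte.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        // Constructed sample history; in the thread this is the extra history table.
        var history = new List<string> { Hash("Spring2018!"), Hash("Summer2018!") };
        Console.WriteLine(Hash("Spring2018!") == history[0]); // string equality on a re-hash
        Console.WriteLine(IsReused("Spring2018!", history));  // verification per stored salt
        Console.WriteLine(IsReused("Autumn2018!", history));  // a password not in the history
    }
}
```

The `Rfc2898DeriveBytes` constructor that takes a `HashAlgorithmName` needs .NET Framework 4.7.2 or later, or .NET Core 2.0 or later.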
