Sign in Register
Go to solution
Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Perry Cope 31 posts 195 karma points
    Jun 11, 2018 @ 16:18
    Perry Cope
    0

    Password History

    Extending Umbraco and using the API
    Umbraco 7

    I'm trying to implement Password history for Members so that a user can not enter a password they have previously used.

    Im planning on doing this by adding an extra table and storing the hashed password history there and checking against it when a Member updates password.

    The Issue i am having is that the password format is set too hashed and cant figure out how to generate the Hashed password in the same way Members.ChangePassword does, so i cant check against the PasswordHistory table.

    Ive tried 

    var _passwordhasher = new MembershipProviderPasswordHasher(Membership.Provider.AsUmbracoMembershipProvider());
var hashed = _passwordhasher.HashPassword(model.NewPassword);

    And

    var hash = Membership.Provider.AsUmbracoMembershipProvider().HashPasswordForStorage(model.NewPassword);

    Neither give same result as

    var attempt = Members.ChangePassword(Membership.GetUser().UserName, new Umbraco.Web.Models.ChangingPasswordModel()
                {
                    NewPassword = model.NewPassword,
                    OldPassword = model.OldPassword
                }, Membership.Provider);
var originalPasswordhash = _memberService.GetByUsername(Membership.GetUser().UserName).RawPasswordValue;
    Copy Link
  • Perry Cope 31 posts 195 karma points
    Jun 12, 2018 @ 14:48
    Perry Cope
    100

    I managed to find an answer to this after a day of going through the source code, and rethinking my approach.

    The provider has a protected method of 

    MembershipProviderBase.CheckPassword

    I made a public method on my custom provider that took in the raw Passwords from the History table and returned the above method's result.

    Copy Link
  • Streety 358 posts 568 karma points
    Apr 03, 2020 @ 09:26
    Streety
    0

    Hi Perry,

    Would be interested to see how you implemented password history with ,net Identity.

    Would you be prepared to share your findings

    Copy Link
  • Perry Cope 31 posts 195 karma points
    Apr 03, 2020 @ 09:56
    Perry Cope
    0

    Hi,

    It was a long time ago and i believe the project got abandoned before going live. But i did implement it not sure how well but here goes.

    heres an articale i used on help extending Membership provider https://24days.in/umbraco-cms/2015/extending-membership/

    I created a history new table to store hashed passwords against a username. which i populated on password change, after a member has a pssword set you can access the Rawvalue using this _memberService.GetByUsername(user.UserName).RawPasswordValue

    then simply on each password request change fed in the new password (unhashed) and ran it against the above method looping through the hashed pwhistory table values.

    Copy Link
  • Perry Cope 31 posts 195 karma points
    Apr 03, 2020 @ 09:57
    Perry Cope
    0

    Change password controller

     public ActionResult ChangePassword([Bind(Prefix = "viewModel")]ChangePasswordViewModel model)
        {
        var _memberService = Services.MemberService;
        var user = Membership.GetUser();
        var pwHistory = user.UserName.GetHistory();

        if (Membership.ValidateUser(Membership.GetUser().UserName, model.OldPassword))
        {

            var provider = Membership.Provider.AsUmbracoMembershipProvider() as CustomMembershipProvider;
            foreach (var pw in pwHistory)
            {
                if (provider.CheckPasswordHistory(model.NewPassword, pw))
                {
                    return CurrentUmbracoPage();
                }
            }

            var attempt = Members.ChangePassword(Membership.GetUser().UserName, new Umbraco.Web.Models.ChangingPasswordModel()
            {
                NewPassword = model.NewPassword,
                OldPassword = model.OldPassword
            }, Membership.Provider);
            if (attempt.Success)
            {
                var newPasswordhash = _memberService.GetByUsername(user.UserName).RawPasswordValue;
                user.UserName.AddPassword(newPasswordhash);

                TempData["ResetSuccess"] = true;
                return CurrentUmbracoPage();
            }
        }

        return CurrentUmbracoPage();
    }
    Copy Link
  • Perry Cope 31 posts 195 karma points
    Apr 03, 2020 @ 10:00
    Perry Cope
    0

    Custom MembershipProvider

     public class CustomMembershipProvider : MembersMembershipProvider
 {
    string twilioSid = ConfigurationManager.AppSettings["twilioSid"];
    string tiwlioAuthToken = ConfigurationManager.AppSettings["twilioAuthToken"];

    public bool CheckPasswordHistory(string password,string rawPasword)
    {
        return CheckPassword(password,rawPasword);
    }
 }

    this is what i was looking for

    CheckPassword(password,rawPasword)

    only exposed in a custom implementation of MembersMembershipProvider as far as i remember

    Copy Link
Please Sign in or register to post replies

Write your reply to:

Draft