  • Josh Reid 182 posts 258 karma points
    Apr 23, 2013 @ 22:43
    Josh Reid
    0

    Contour Codefirst Login

    Hey Guys

    Contour 3.0.9 & Umbraco 4.11.1 (about to be upgraded to 4.11.6 now I realised).

    Using Tim's examples from here: http://www.nibble.be/?p=205 (with a few tweaks), membership provider has hashed passwords and on validate this always throws the exception "Incorrect Password".

    Basically this fails matching my details.

    Member.GetMemberFromLoginAndEncodedPassword(Email, Password)

    Any ideas why and what I could do to fix it?

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.Security;
    using Umbraco.Forms.CodeFirst;
    using Umbraco.Forms.Core.Providers.FieldTypes;
    using umbraco.cms.businesslogic.member;

    namespace Contour.CodeFirstMembers
    {
        [Form("Member/Login", Id = "c125bf44-3493-4e18-880e-0bc88bf5aa2e", ShowValidationSummary = true, MessageOnSubmit = "You are now logged in",
            DisableDefaultStylesheet=true)]
        public class Login: FormBase
        {
            [Field("Login", "",
               Mandatory = true,
               Regex = @"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}$")]
            public string Email { get; set; }

            [Field("Login", "",
                Type = typeof(Password),
                Mandatory = true)]
            public string Password { get; set; }


            public override IEnumerable<Exception> Validate()
            {
                var e = new List<Exception>();
                MembershipUser m = Membership.GetUser(Email);
                if(m == null)
                    e.Add(new Exception("No member found with that email address."));
                else if (Member.GetMemberFromLoginAndEncodedPassword(Email, Password) == null)
                {
                    e.Add(new Exception("Incorrect password"));
                }
                return e;
            }

            public override void Submit()
            {
               var m = Member.GetMemberFromLoginAndEncodedPassword(Email, Password);
               if (m != null)
               {
                   Member.AddMemberToCache(m);
                   umbraco.library.setSession("UserMsg", "You've been logged in successfully, thank you...");
                   String redir = !String.IsNullOrEmpty(HttpContext.Current.Request.QueryString["redirect"]) ? System.Net.WebUtility.HtmlDecode(HttpContext.Current.Request.QueryString["redirect"]) : "/";
                   HttpContext.Current.Response.Redirect(redir);
               }
            }
        }
    }

     

    Thanks in advance ;)
    JR

  • Bear 40 posts 129 karma points
    Apr 24, 2013 @ 00:25
    Bear
    100

    I probably wouldn't do two checks and show the messages "No member found with that email address." and "Incorrect Password". 

    Mainly this is for security, because if I was a hacker - because of these two messages - I'd be able to test for existing emails and matching passwords. Instead, I'd go for a "Sorry, we can't log you in right now. Please try again later." and / or show a "Forgot Password" link.

    You could try and get the user from the email first (as you are doing) but also use the (.NET) method;

    Membership.ValidateUser

    something like this pseudo code...

    MembershipUser m = Membership.GetUser(Email);

    if (m != null && Membership.ValidateUser(Email, Password)) {
        // Do Login & Redirect(?)
    } else {
        // Sorry, we can't log you in right now. Please try again later.
    }

    Also, for the forgot password, ideally you want to create a link (with an expiry date) and send that link via email. Then they can click it to reset their password or get to enter a new password.
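
Added example, not code from any poster in this thread: the login form from the first post reworked along the lines of the reply above, with a single generic failure message and `Membership.ValidateUser` doing the password check. It also restricts the `redirect` query-string value from the first post's `Submit()` to site-relative paths. Assumptions: the login name is the email address, forms authentication is in use, and `IsLocalPath` is a hypothetical helper.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;
using Umbraco.Forms.CodeFirst;
using Umbraco.Forms.Core.Providers.FieldTypes;

namespace Contour.CodeFirstMembers
{
    [Form("Member/Login", ShowValidationSummary = true, DisableDefaultStylesheet = true)]
    public class Login : FormBase
    {
        [Field("Login", "", Mandatory = true)]
        public string Email { get; set; }

        [Field("Login", "", Type = typeof(Password), Mandatory = true)]
        public string Password { get; set; }

        public override IEnumerable<Exception> Validate()
        {
            var e = new List<Exception>();
            // ValidateUser takes the plain-text password; the provider hashes and
            // compares it. One message covers both "unknown email" and "wrong
            // password", so the form does not confirm which addresses are registered.
            if (!Membership.ValidateUser(Email, Password))
                e.Add(new Exception("Sorry, we can't log you in right now. Please try again later."));
            return e;
        }

        public override void Submit()
        {
            // Re-check before issuing the ticket, as the original Submit() did.
            if (!Membership.ValidateUser(Email, Password)) return;

            // Assumption: forms authentication is the site's login mechanism.
            FormsAuthentication.SetAuthCookie(Email, false);

            string redir = HttpContext.Current.Request.QueryString["redirect"];
            HttpContext.Current.Response.Redirect(IsLocalPath(redir) ? redir : "/");
        }

        // Hypothetical helper: accept only site-relative paths ("/members"),
        // rejecting absolute and scheme-relative targets ("//host", "/\host").
        private static bool IsLocalPath(string url)
        {
            return !String.IsNullOrEmpty(url)
                && url[0] == '/'
                && (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
        }
    }
}
```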

  • Josh Reid 182 posts 258 karma points
    Apr 24, 2013 @ 01:15
    Josh Reid
    0

    Works a treat, thanks!

    Can't believe for some reason I couldn't find the ValidateUser() method!

  • Comment author was deleted

    Apr 24, 2013 @ 08:41

    Hey Josh,

    Also, if you look at my example, I'm using the Member.GetMemberFromLoginNameAndPassword method, and in your non-working one you are using GetMemberFromLoginAndEncodedPassword, so that one expects a hashed password and the other doesn't.

  • Josh Reid 182 posts 258 karma points
    Apr 24, 2013 @ 09:45
    Josh Reid
    0

    Thanks Tim

    I tried both, assuming that the Encoded version was to use with the hashed password (in provider, not passing to it), but actually had no luck with either of them. Have since got it working with .NET Membership.ValidateUser(username, password) which I simply couldn't find to use.

    Further, I'm working really hard to migrate from obsolete or deprecated Umbraco methods.

    Cheers
    Josh

  • Comment author was deleted

    Apr 24, 2013 @ 10:37

    Ok glad it's working now :)
