Contour 3.0.9 & Umbraco 4.11.1 (about to be upgraded to 4.11.6 now I realised).
Using Tim's examples from here: http://www.nibble.be/?p=205 (with a few tweaks), membership provider has hashed passwords and on validate this always throws the exception "Incorrect Password".
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Security;
using Umbraco.Forms.CodeFirst;
using Umbraco.Forms.Core.Providers.FieldTypes;
using umbraco.cms.businesslogic.member;

namespace Contour.CodeFirstMembers
{
    [Form("Member/Login", Id = "c125bf44-3493-4e18-880e-0bc88bf5aa2e", ShowValidationSummary = true, MessageOnSubmit = "You are now logged in", DisableDefaultStylesheet = true)]
    public class Login : FormBase
    {
        [Field("Login", "", Mandatory = true, Regex = @"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}$")]
        public string Email { get; set; }

        [Field("Login", "", Type = typeof(Password), Mandatory = true)]
        public string Password { get; set; }

        public override IEnumerable<Exception> Validate()
        {
            var e = new List<Exception>();
            MembershipUser m = Membership.GetUser(Email);
            if (m == null)
                e.Add(new Exception("No member found with that email address."));
            else if (Member.GetMemberFromLoginAndEncodedPassword(Email, Password) == null)
            {
                e.Add(new Exception("Incorrect password"));
            }
            return e;
        }

        public override void Submit()
        {
            var m = Member.GetMemberFromLoginAndEncodedPassword(Email, Password);
            if (m != null)
            {
                Member.AddMemberToCache(m);
                umbraco.library.setSession("UserMsg", "You've been logged in successfully, thank you...");
                String redir = !String.IsNullOrEmpty(HttpContext.Current.Request.QueryString["redirect"])
                    ? System.Net.WebUtility.HtmlDecode(HttpContext.Current.Request.QueryString["redirect"])
                    : "/";
                HttpContext.Current.Response.Redirect(redir);
            }
        }
    }
}
I probably wouldn't do two checks and show the messages "No member found with that email address." and "Incorrect Password".
This is mainly for security, because if I was a hacker - because of these two messages - I'd be able to test for existing emails and matching passwords. Instead, I'd go for a "Sorry, we can't log you in right now. Please try again later." and / or show a "Forgot Password" link.
You could try and get the user from the email first (as you are doing) but also use the (.NET) method:
Membership.ValidateUser
something like this pseudo code...
MembershipUser m = Membership.GetUser(Email);
if (m != null && Membership.ValidateUser(Email, Password)) {
    // Do Login & Redirect(?)
} else {
    // Sorry, we can't log you in right now. Please try again later.
}
Also, for the forgot password, ideally you want to create a link (with an expiry date) and send that link via email. Then they can click it to reset their password or get to enter a new password.
Also, if you look at my example, I'm using the Member.GetMemberFromLoginNameAndPassword method, and in your non-working one you are using GetMemberFromLoginAndEncodedPassword, so that one expects a hashed password; the other doesn't.
I tried both, assuming that the Encoded version was to use with the hashed password (in provider, not passing to it), but actually had no luck with either of them. Have since got it working with .NET Membership.ValidateUser(username, password) which I simply couldn't find to use.
Further, I'm working really hard to migrate from obsolete or deprecated Umbraco methods.
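One way to build the expiring reset link suggested earlier in the thread, as an added example rather than code from any poster or from Umbraco. The PasswordResetTokens class, its in-memory store and the 30-minute lifetime are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Hypothetical helper: the in-memory dictionary stands in for a table that
// stores the token hash and expiry against the member record.
public static class PasswordResetTokens
{
    private class Entry { public string Login; public DateTime ExpiresUtc; }

    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30); // assumed value
    private static readonly Dictionary<string, Entry> Pending = new Dictionary<string, Entry>();
    private static readonly object Gate = new object();

    // Returns the token to embed in the e-mailed link; only its hash is stored,
    // so a leaked store does not hand out working links.
    public static string Issue(string login)
    {
        var raw = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(raw);
        string token = HttpServerUtility.UrlTokenEncode(raw);
        lock (Gate)
            Pending[Hash(token)] = new Entry { Login = login, ExpiresUtc = DateTime.UtcNow + Lifetime };
        return token;
    }

    // Returns the login the token was issued for, or null if the token is
    // unknown, expired or already used. The entry is removed on first use.
    public static string Redeem(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string key = Hash(token);
        lock (Gate)
        {
            Entry entry;
            if (!Pending.TryGetValue(key, out entry)) return null;
            Pending.Remove(key);
            return entry.ExpiresUtc >= DateTime.UtcNow ? entry.Login : null;
        }
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```

Issue() gives the value to put in the e-mailed link; on the reset page, Redeem() yields the login once and only before expiry.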
Contour Codefirst Login
Hey Guys
Basically this fails matching my details.
Any ideas why and what I could do to fix it?
Thanks in advance ;)
JR
Works a treat, thanks!
Can't believe for some reason I couldn't find the ValidateUser() method!
Comment author was deleted
Hey Josh,
Thanks Tim
Cheers
Josh
Comment author was deleted
Ok glad it's working now :)