For my registrationpage I created a memberRegistration.ascx user control. This user control has a createuserwizard control and uses the Umbraco membership provider.
For the password security I would like to force users to enter passwords with a given password length, and passwords should be strong (one alphanumerical character).
However there don't seem to be attributes on the Umbraco membership provider for password length and password strength.
Is there a way to configure this for the Umbraco membership provider?
From what I can see in the source code the Umbraco membership provider defines the properties as mentioned above, but it does not apply them when creating a member or changing/resetting a password. I guess you could either update the provider (or create a work item on codeplex), or code the password policy into the wizard by hooking into one of its events:
I think the easiest way to get ignored properties into action is just to inherit the existent umbraco provider and override Create/Update methods so to add required validations.
I will create a workitem on codeplex, as I think minRequiredPasswordLength and minRequiredNonAlphaNumericalCharacters should be baked into the Umbraco Membership Provider.
No, I meant to create your own membership provider inheriting from the UmbracoMembershipProvider and register it via web.config instead of the latter. (Actually I think it wouldn't take longer than half an hour).
For instance:
public class NiceUmbracoMembershipProvider : UmbracoMembershipProvider { public override MembershipUser CreateUser( string username, string password, string email, string passwordQuestion, string passwordAnswer, bool isApproved, object providerUserKey, out MembershipCreateStatus status) { if(password.Length < m_MinRequiredPasswordLength) { status = MembershipCreateStatus.InvalidPassword; return null; } return base.CreateUser(username, password, email, passwordQuestion, passwordAnswer, isApproved, providerUserKey, out status); } }
You can override the "UpdateUser" method in a similar way and add any additional validations that you could need.
Than you will need just to register this provider as the default one in your web.config and that's it.
Also, if you use some tool like the RedGate .NET Reflector then you can investigate the code of e.g. Asp.Net SqlMembershipProvideras as a reference implementation.
I created an old issue and I don't know if it's stil valid, but it might be good to look at it before creating you own MembershipProvider: http://umbraco.codeplex.com/workitem/25855
If you want a quick way of doing it, you can do it by adding a RegExp validator to your register user control. The following RegEx wioll ensure that a password is between 8 - 29 characters long, and contains a mix of upper, lower and numeric characters: ^.*(?=.{7,30})(?=.*[\d])(?=.*[a-z])(?=.*[A-Z]).*$
@Rodion thanks for the advice, but I think I'm to far now in development of my registration page to rewrite the member logic.
@Tim Thanks I think this can solve my issue in a fast manner. The only thing I'm struggling with is that my CreateUserWizard doesn't seem to stop registering a user when validation fails:
@Anthony, it looks like your compare validator for the password is not a member of the "cwMember" validator group like the rest of the validators. If you add that to the group, does it work?
I managed to add policy complexity rules to Umbraco accounts by adding the minRequiredPasswordLength and minRequiredNonalphanumericCharacters attributes to the UsersMembershipProvider and not the UmbracoMembershipProvider. A comment in the code indicates that the UmbracoMembershipProvider is not used for CMS accounts. This is on version 7.7.2.
how to set password minimum length and password strength
Hi,
For my registrationpage I created a memberRegistration.ascx user control. This user control has a createuserwizard control and uses the Umbraco membership provider.
My Umbraco membership provider looks like this:
<add name="UmbracoMembershipProvider" type="umbraco.providers.members.UmbracoMembershipProvider" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" defaultMemberTypeAlias="Jobseeker" umbracoApprovePropertyTypeAlias="isApproved" umbracoLockPropertyTypeAlias="isLocked" requiresUniqueEmail="true" passwordFormat="Hashed" />
For the password security I would like to force users to enter passwords with a given password length, and passwords should be strong (one alphanumerical character).
However there don't seem to be attributes on the Umbraco membership provider for password length and password strength.
Is there a way to configure this for the Umbraco membership provider?
Thanks for your help,
Anthony
Hi Anthony,
Have you tried setting the minRequiredPasswordLength attribute? example:
You should be able to just add these to the provider config:
http://msdn.microsoft.com/en-us/library/system.web.security.membership.minrequiredpasswordlength.aspx
http://msdn.microsoft.com/en-us/library/system.web.security.membership.minrequirednonalphanumericcharacters.aspx
Grtz
L
Hi Jorge, Lennart,
I added the minRequiredPasswordLenght="7" attribute to the Umbraco Membership Provider:
<add name="UmbracoMembershipProvider"
type="umbraco.providers.members.UmbracoMembershipProvider"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
defaultMemberTypeAlias="Jobseeker"
umbracoApprovePropertyTypeAlias="isApproved"
umbracoLockPropertyTypeAlias="isLocked"
requiresUniqueEmail="true"
passwordFormat="Hashed"
minRequiredPasswordLength="7" />
But this doesn't seem to have any effect on the password validation. I can still register a member with a password that has less than 7 characters.
Hi Anthony,
From what I can see in the source code the Umbraco membership provider defines the properties as mentioned above, but it does not apply them when creating a member or changing/resetting a password. I guess you could either update the provider (or create a work item on codeplex), or code the password policy into the wizard by hooking into one of its events:
http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.createuserwizard.creatinguser.aspx
Grtz
L
I think the easiest way to get ignored properties into action is just to inherit the existent umbraco provider and override Create/Update methods so to add required validations.
HI Rodion,
You mean inherit the umbraco provider in my user control?
Thanks for the tip,
Anthony
Hi Lennart,
I will create a workitem on codeplex, as I think minRequiredPasswordLength and minRequiredNonAlphaNumericalCharacters should be baked into the Umbraco Membership Provider.
Thanks for the advice,
Anthony
@Lennart, I created the work item: http://umbraco.codeplex.com/workitem/30694
No, I meant to create your own membership provider inheriting from the UmbracoMembershipProvider and register it via web.config instead of the latter. (Actually I think it wouldn't take longer than half an hour).
For instance:
You can override the "UpdateUser" method in a similar way and add any additional validations that you could need.
Than you will need just to register this provider as the default one in your web.config and that's it.
Also, if you use some tool like the RedGate .NET Reflector then you can investigate the code of e.g. Asp.Net SqlMembershipProvideras as a reference implementation.
I created an old issue and I don't know if it's stil valid, but it might be good to look at it before creating you own MembershipProvider: http://umbraco.codeplex.com/workitem/25855
Jeroen
If you want a quick way of doing it, you can do it by adding a RegExp validator to your register user control. The following RegEx wioll ensure that a password is between 8 - 29 characters long, and contains a mix of upper, lower and numeric characters: ^.*(?=.{7,30})(?=.*[\d])(?=.*[a-z])(?=.*[A-Z]).*$
@Rodion thanks for the advice, but I think I'm to far now in development of my registration page to rewrite the member logic.
@Tim Thanks I think this can solve my issue in a fast manner. The only thing I'm struggling with is that my CreateUserWizard doesn't seem to stop registering a user when validation fails:
<asp:CreateUserWizardStep ID="cuwStep2" Title="Step 2/2" runat="server">
<ContentTemplate>
<p><strong>Step 2/2</strong>: Enter your account information</p>
<table class="registrationtable">
<tr>
<td>Email:</td>
<td><asp:TextBox ID="Username" runat="server"></asp:TextBox><asp:TextBox ID="Email" runat="server" Visible="false"></asp:TextBox></td>
<td><asp:RequiredFieldValidator ID="reqUserName" runat="server"
ToolTip="Username is a required field"
ErrorMessage="Email is a required field"
ControlToValidate="Username"
ValidationGroup="cwMember"
Text="*" />
<asp:RegularExpressionValidator ID="regEmail" ControlToValidate="UserName"
Text="*"
ValidationExpression="\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*"
Runat="server"
ValidationGroup="cwMember" /></td>
</tr>
<tr>
<td>Password:</td>
<td><asp:TextBox ID="Password" runat="server" TextMode="Password"></asp:TextBox></td>
<td><asp:RequiredFieldValidator
ID="reqPassword"
runat="server"
ControlToValidate="Password"
ValidationGroup="cwMember"
Text="*"
ErrorMessage="Password is a required field" />
</td>
</tr>
<tr>
<td>Confirm Password:</td>
<td><asp:TextBox ID="txtConfirmPassword" runat="server" TextMode="Password"></asp:TextBox></td>
<td><asp:RequiredFieldValidator
ID="reqConfirmPassword"
runat="server"
Display="Dynamic"
ControlToValidate="txtConfirmPassword"
ValidationGroup="cwMember"
Text="Confirm password" />
<asp:CompareValidator ID="cmpPassword"
runat="server"
Display="Dynamic"
ControlToValidate="Password"
ControlToCompare="txtConfirmPassword"
Text="*"
ErrorMessage="Passwords are not equal" />
</td>
</tr>
</table>
<asp:PlaceHolder ID="phValidationSummary" runat="server"></asp:PlaceHolder>
<asp:ValidationSummary
ID="vsSummary"
runat="server"
ValidationGroup="cwMember"
DisplayMode="BulletList"
HeaderText="Correct the following:" />
</ContentTemplate>
</asp:CreateUserWizardStep>
<asp:CompleteWizardStep ID="cuwStep3" runat="server">
<ContentTemplate>
<p>User should now be created, but not approved...</p>
<asp:HyperLink ID="hlAuth" runat="server"></asp:HyperLink>
</ContentTemplate>
</asp:CompleteWizardStep>
</WizardSteps>
</asp:CreateUserWizard>
I use a CreateUserError event handler to handle validation errors in the createuserwizardstep:
protected void cwMember_CreateUserError(object sender, CreateUserErrorEventArgs e)
{
StringBuilder sb = new StringBuilder();
CreateUserWizard cuw = (CreateUserWizard)sender;
switch (e.CreateUserError)
{
case MembershipCreateStatus.DuplicateEmail:
sb.Append(cuw.DuplicateEmailErrorMessage.ToString());
break;
case MembershipCreateStatus.DuplicateUserName:
sb.Append("this email address is already registered, please use another email address");
break;
case MembershipCreateStatus.InvalidEmail:
sb.Append(cuw.InvalidEmailErrorMessage.ToString());
break;
case MembershipCreateStatus.InvalidPassword:
sb.Append(cuw.InvalidPasswordErrorMessage.ToString());
break;
case MembershipCreateStatus.InvalidUserName:
sb.Append("username is not valid");
break;
case MembershipCreateStatus.UserRejected:
sb.Append("administrator said 'no way'");
break;
default:
break;
}
CreateUserWizardStep cuwStep2 = cuw.FindControl("cuwStep2") as CreateUserWizardStep;
PlaceHolder phValidationSummary = (PlaceHolder)cuwStep2.ContentTemplateContainer.FindControl("phValidationSummary");
CustomValidator cvError = new CustomValidator();
cvError.ValidationGroup = "cwMember";
cvError.ErrorMessage = sb.ToString();
cvError.IsValid = false;
phValidationSummary.Controls.Add(cvError);
}
But for some reason only validation that that is catched in the CreateUserError event is handled. I only posted this issue on StackOverFlow.com:
http://stackoverflow.com/questions/9052563/how-to-stop-creatuserwizard-control-creating-user-when-passwords-are-not-equal
Thanks for your advice,
Anthony
@Anthony, it looks like your compare validator for the password is not a member of the "cwMember" validator group like the rest of the validators. If you add that to the group, does it work?
Hi Tim, I set the validator group to 'cwMember' and now the compare validation fires.
The Regular Expression Validator works also fine.
Thanks a lot, this greatly increases the security of my registration page
greetings,
Anthony
I managed to add policy complexity rules to Umbraco accounts by adding the minRequiredPasswordLength and minRequiredNonalphanumericCharacters attributes to the UsersMembershipProvider and not the UmbracoMembershipProvider. A comment in the code indicates that the UmbracoMembershipProvider is not used for CMS accounts. This is on version 7.7.2.
is working on a reply...