ASP.NET membership & .net Core

Question

My database was built with SqlMembershipProvider as described here.

I am using System.Web.Security;

To check if user exists I am using: Membership.ValidateUser(u.UserName, u.Password);

I would like to move to .net core and System.Web.Security; is not supported - so instead of Membership.ValidateUser(u.UserName, u.Password); I was thinking to query the db and check if the user exists, but the passwords in the db are hashed.

How can I check if user is exists? Can I decrypt the passwords stored in the db? What are my options?

Thanks.

Answer 1

In Membership API in asp.net to retrieve a user’s password, you can do so by doing this:

MembershipUser user = Membership.GetUser("username");
string password = user.GetPassword();
string saferPassword = user.GetPassword("password answer");

The latter is safer as it requires you to pass in the user’s security answer as an added check. This will give you the unencrypted password (The default membership system stores hashed passwords in the database).

To support this feature, you’ll need to have password retrieval enabled in the web.config. You can do this in the node under . It’ll look something like this:

<membership defaultProvider="myProvider"> 
      <providers> 
        <add connectionStringName="LocalSqlServer" enablePasswordRetrieval="true" 
          enablePasswordReset="true" requiresQuestionAndAnswer="true" 
          applicationName="/" requiresUniqueEmail="false" passwordFormat="Encrypted" 
          maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" 
          minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" 
          passwordStrengthRegularExpression="" name="myProvider" 
          type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

     </providers>

</membership>

Hope that help you.

Happy Coding

Answer 2

Hash the password, then validate against the db.