Reputation: 1341
Do not store password in .net membership
I use the built in membership system in a MVC 3 .net application. Later in the developement I will use an external web service for authentication. Hence I would only have to store the (unique) username in the membership system. All other user info can be retrieved through the webservice.
Therefore I wonder how to not store a password?
Upvotes: 1
Views: 417
Answers (2)
Reputation: 6871
Not sure if I understand you correctly but I think the best solution to this is writing an custom membership provider. Basically this is just an class with an few functions overriden from the basic membership provider. Here you can implement your own logic for registering, logging in and logging out.
Found an example of an class I used an while back. Just write your own implementation. An other option is to work from your accountcontroller (like haz also mentioned) but I always tend not to implement too much logic into my controllers and let my services handle the business logic.
public class CustomMembershipProvider : MembershipProvider
{
private readonly IGenericService<User> _genericUserService;
public CustomMembershipProvider(IGenericService<User> genericUserService)
{
_genericUserService = genericUserService;
}
public CustomMembershipProvider() : this(new GenericService<User>())
{
}
public override MembershipUser CreateUser(string username, string password, string email, string passwordQuestion, string passwordAnswer, bool isApproved, object providerUserKey, out MembershipCreateStatus status)
{
throw new NotImplementedException();
}
public override bool ChangePasswordQuestionAndAnswer(string username, string password, string newPasswordQuestion, string newPasswordAnswer)
{
throw new NotImplementedException();
}
public override string GetPassword(string username, string answer)
{
throw new NotImplementedException();
}
public override bool ChangePassword(string username, string oldPassword, string newPassword)
{
throw new NotImplementedException();
}
public override string ResetPassword(string username, string answer)
{
throw new NotImplementedException();
}
public override void UpdateUser(MembershipUser user)
{
throw new NotImplementedException();
}
public override bool ValidateUser(string username, string password)
{
try
{
var encodedPassword = password.AsSha512();
var user = _genericUserService.First(u => u.Email == username && u.Password == string.Empty );
return user != null;
}
catch (Exception)
{
return false;
}
}
public override bool UnlockUser(string userName)
{
throw new NotImplementedException();
}
public override MembershipUser GetUser(object providerUserKey, bool userIsOnline)
{
throw new NotImplementedException();
}
public override MembershipUser GetUser(string username, bool userIsOnline)
{
var user = _genericUserService.First(x => x.Email.Equals(username));
var a = new MembershipUser("", user.Firstname, user.Id, user.Email, "", "", true, user.Active,
user.RegisteredOn, DateTime.Now, DateTime.Now, DateTime.Now, DateTime.Now);
return a;
}
public override string GetUserNameByEmail(string email)
{
throw new NotImplementedException();
}
public override bool DeleteUser(string username, bool deleteAllRelatedData)
{
throw new NotImplementedException();
}
public override MembershipUserCollection GetAllUsers(int pageIndex, int pageSize, out int totalRecords)
{
throw new NotImplementedException();
}
public override int GetNumberOfUsersOnline()
{
throw new NotImplementedException();
}
public override MembershipUserCollection FindUsersByName(string usernameToMatch, int pageIndex, int pageSize, out int totalRecords)
{
throw new NotImplementedException();
}
public override MembershipUserCollection FindUsersByEmail(string emailToMatch, int pageIndex, int pageSize, out int totalRecords)
{
throw new NotImplementedException();
}
public override bool EnablePasswordRetrieval
{
get { throw new NotImplementedException(); }
}
public override bool EnablePasswordReset
{
get { throw new NotImplementedException(); }
}
public override bool RequiresQuestionAndAnswer
{
get { throw new NotImplementedException(); }
}
public override string ApplicationName
{
get { throw new NotImplementedException(); }
set { throw new NotImplementedException(); }
}
public override int MaxInvalidPasswordAttempts
{
get { throw new NotImplementedException(); }
}
public override int PasswordAttemptWindow
{
get { throw new NotImplementedException(); }
}
public override bool RequiresUniqueEmail
{
get { throw new NotImplementedException(); }
}
public override MembershipPasswordFormat PasswordFormat
{
get { throw new NotImplementedException(); }
}
public override int MinRequiredPasswordLength
{
get { throw new NotImplementedException(); }
}
public override int MinRequiredNonAlphanumericCharacters
{
get { throw new NotImplementedException(); }
}
public override string PasswordStrengthRegularExpression
{
get { throw new NotImplementedException(); }
}
}
Upvotes: 2
Reputation: 1914
Don't worry about the storing of the password, just randomly generate and store a password when you create the user.
Have your account controller validate the password against the external webservice in the logon method, if its correct, then simply call FormsAuthentication.SetAuthCookie(userName, false /*persistantCookie*/), which will "login" the user :)
side note: Have you though about how you will migrate the existing user's to the new external webservice if you only have their password hash/salts?
Upvotes: 3
Related Questions
- ASP.NET MVC Identity login without password
- Membership Authorization
- How to Store Password? Forms Authentication
- Password in Simple Membership Tables
- Asp.net Membership password
- asp.net membership password security
- Not requiring a password for user registration in MVC 3 application
- ASP.net Membership control
- ASP.NET Membership validate password
- Storing Account / Passwords