I have a new table that hold old passwords, I need to check if there is a match.
If there is a match I need the ChangePassword contol to NOT change the password. I need to tell the user that this password was used and pic a new one.
I can't seem to be able to interrupt the control from changing the password.
Maybe I am using the wrong event.
Here is a piece of my code, or how I wish it would work.
I appreciate all your help.
protected void ChangePassword1_ChangedPassword(object sender, EventArgs e)
{
MembershipUser user = Membership.GetUser();
string usrName = "";
if (user != null)
{
string connStr = ConfigurationManager.ConnectionStrings["LocalSqlServer"].ConnectionString;
SqlConnection mySqlConnection = new SqlConnection(connStr);
SqlCommand mySqlCommand = mySqlConnection.CreateCommand();
mySqlCommand.CommandText = "Select UserName from OldPasswords where UserName = 'test'";
mySqlConnection.Open();
SqlDataReader mySqlDataReader = mySqlCommand.ExecuteReader(CommandBehavior.Default);
while (mySqlDataReader.Read())
{
usrName = mySqlDataReader["UserName"].ToString();
if (usrName == user.ToString())
{
Label1.Text = "Match";
}
else
{
Label1.Text = "NO Match!";
}
}
Best Answer
You are overriding the wrong method, Steve. You want to override the cancellable
ChangingPassword
.Try this:
And, as per previous Q/A sessions, You should NEVER EVER EVER store a user's password1. Go to the membership table and get the salt and use that to hash the incoming password to compare to the already salt-hashed values you have stored in your lookup table.
Good luck.
(1) - how tenable would your position be when the CEO finds out that his password has been stored in an exploitable format? There is a level of trust given to the black mages that are us and that trust carries it's own risks. Be aware of them. ;-)
EDIT:
A working example:
ChangePassword.aspx
Update: You may also be interested in simply defining a handler in a higher scope that will watch all password activity:
consider this