R – ASP.NET Membership Provider – Validate Hashed Security Question/Answer

asp.netmembership-provider

On a page I'm adding retrieve forgotten USERNAME

Step 1) Enter email address (Get account by email)

Step 2) Verify Security Question (they provide answer and I validate it)

Step 3) Send them an email with username

Step 2 is where I'm stuck. How do I validate the answer with what's stored in the database?

All values are hashed.

I see other questions posted similar to this but they don't answer the question, at least not clearly.

Best Answer

Like you said, the values in the DB are hashed, so in order to validate what the user typed in matches what's in the DB, hashed the value that the user entered and compare the two hashed values. If they are equal, it validates.

You basically need to hash the answer text before you compare it to the value in the database.

Also, be aware that sometimes the answer text is salted with a value before it is hashed, so the same steps would need to be taken when validating.

Related Solutions

How to change a hashed password using asp.net membership provider if you don’t know the current password

This is an easy one that I wasted too much time on. Hopefully this post saves someone else the pain of slapping their forehead as hard as I did.

Solution, reset the password randomly and pass that into the change method.

MembershipUser u = Membership.GetUser();
u.ChangePassword(u.ResetPassword(), "myAwesomePassword");

C# – Forms Auth-pwd recovery-I’d rather the user reset it on the web and not send email

If you are using asp.net forms authentication it already provides the mechanisms for a user to reset a password by using a security question. This can be configured in the Web.config and used with a Password Recovery control, part of ASP.net login controls.

Setting in web.config under your membership providers section:

requiresQuestionAndAnswer - When set to true the Question view will be required for the user's password to be retrieved or reset. When set to false the Question view is not displayed to the user.

Using the Password Recovery control here is sample code:

  <asp:PasswordRecovery ID="PasswordRecovery1" runat="server">
  <QuestionTemplate>
                <h2>Forgot Password</h2>
                Hello <asp:Literal ID="UserName" runat="server"></asp:Literal><br />
                Please answer your password question : <br />
                <asp:Literal ID="Question" runat="server"></asp:Literal>
                <asp:TextBox ID="Answer" runat="server"></asp:TextBox><br />
                 <asp:Button ID="SubmitButton" runat="server" Text="Send Answer By Mail" 
CommandName="Submit"/><br />
                  <asp:Literal ID="FailureText" runat="server"></asp:Literal>
    </QuestionTemplate>
    </asp:PasswordRecovery>

For more information on using the ASP.net Login controls go to http://quickstarts.asp.net/QuickStartv20/aspnet/doc/ctrlref/login/default.aspx

As far as not sending the email, you can cancel the email by adding OnSendingMail="CancelEmail" in the Password recovery control and then add code behind like below and then just display the new reset password on the screen.

Sub CancelEmail(ByVal sender As Object, ByVal e As MailMessageEventArgs)
        e.Cancel = True
End Sub

Hope that helps!

Best Answer

Related Solutions

How to change a hashed password using asp.net membership provider if you don’t know the current password

C# – Forms Auth-pwd recovery-I’d rather the user reset it on the web and not send email

Related Topic