Starter accounts for Alternative Membership Provider

Wed, Dec 19, 2007

Personal

I was looking at the Artem XML Membership Provider source code and discovered there is built-in support for three different methods for storing passwords: Clear, Hashed, and Encrypted. Now which is better? I’ll let you decide that. But what I did want to do is provide you with a base account for your web site. To configure your web site for one of the three you just have to set the passwordFormat value in your ~/web.config file:

    <membership defaultProvider="XmlMembershipProvider">
        <providers>
            <clear/>
            <add applicationName="MyApp"
                 name="XmlMembershipProvider"
                 type="Artem.Web.Security.XmlMembershipProvider"
                 minRequiredPasswordLength="4"
                 minRequiredNonAlphanumericCharacters="0"
                 requiresQuestionAndAnswer="false"
                 requiresUniqueEmail="false"
                 passwordFormat="Clear"/>  <!-- Clear | Hashed | Encrypted -->
        </providers>
    </membership>

Regardless of which method you choose you will need to add the <XmlUser> information into the ~/App_Data/Users.Config file.

If you wanted to use Clear you would probably not even bother with this code (I guess you might want the password recovery option), so that isn’t really worth discussing. If you want to use this XML Provider with a clear account then you can start with this account information:

    <XmlUser>
      <UserKey>21d87c46-5875-40d8-b4c6-584e0998a67a</UserKey>
      <UserName>clear</UserName>
      <Password>clear</Password>
      <PasswordSalt />
      <Email>clear@localhost.local</Email>
      <CreationDate>2007-12-19T09:56:21.84388-08:00</CreationDate>
      <LastActivityDate>2007-12-19T09:56:22.194384-08:00</LastActivityDate>
      <LastLoginDate>2007-12-19T09:56:22.194384-08:00</LastLoginDate>
      <LastPasswordChangeDate>2007-12-19T09:56:21.84388-08:00</LastPasswordChangeDate>
      <PasswordQuestion>Is this password clear?</PasswordQuestion>
      <PasswordAnswer>Yes</PasswordAnswer>
    </XmlUser>

If you want to use hashed then you’re in luck! This XML Provider uses the expected FormsAuthentication.HashPasswordForStoringInConfigFile method but adds an additional twist to the hashing by introducing a salting method, unique for each user:

    // Requires: using System.Security.Cryptography; (RandomNumberGenerator)
    //           using System.Web.Security;          (FormsAuthentication)

    // Generate a per-user salt if one was not passed in (16 random bytes, stored as Base64 text)
    if (string.IsNullOrEmpty(salt)) {
        byte[] saltBytes = new byte[16];
        RandomNumberGenerator rng = RandomNumberGenerator.Create();
        rng.GetBytes(saltBytes);
        salt = Convert.ToBase64String(saltBytes);
    }
    // The Base64 salt string is prepended to the password before hashing;
    // the result is the uppercase hex SHA1 that ends up in <Password>
    ret = FormsAuthentication.HashPasswordForStoringInConfigFile((salt + password), "SHA1");
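To make the storage format concrete, here is the same salted-SHA1 scheme written in Python as an added example (this is not the provider’s code or the post’s): the Base64 salt is concatenated as text in front of the password, then hashed the way HashPasswordForStoringInConfigFile does (UTF-8, SHA1, uppercase hex). The sample account, its salt and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from typing import Tuple

def sha1_hex_upper(text: str) -> str:
    """Mirror FormsAuthentication.HashPasswordForStoringInConfigFile(text, "SHA1"):
    UTF-8 encode, SHA1, uppercase hex string."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

def hash_password(password: str, salt: str = "") -> Tuple[str, str]:
    """Return (hash, salt). An empty salt makes a fresh 16-byte random salt,
    stored as Base64 text, just as the provider snippet above does."""
    if not salt:
        salt = base64.b64encode(os.urandom(16)).decode("ascii")
    # The Base64 *string* is prepended to the password; the raw bytes are not used.
    return sha1_hex_upper(salt + password), salt

def verify_password(password: str, stored_hash: str, salt: str) -> bool:
    """Recompute with the stored salt and compare in constant time.
    With an empty stored salt a new one is generated, so this can never match."""
    candidate, _ = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_hash.upper())

def verify_xml_user(xml_user: str, password: str) -> bool:
    """Check a password against one <XmlUser> element as stored in Users.Config."""
    node = ET.fromstring(xml_user)
    stored = node.findtext("Password", default="")
    salt = node.findtext("PasswordSalt", default="") or ""
    return verify_password(password, stored, salt)

# Constructed sample account (not one of the post's starter accounts); the
# salt is a fixed Base64 value so the element is reproducible.
SAMPLE_HASH, SAMPLE_SALT = hash_password("correct horse", "c29tZXNhbHRzb21lc2FsdA==")
SAMPLE_XML_USER = f"""<XmlUser>
  <UserName>sample</UserName>
  <Password>{SAMPLE_HASH}</Password>
  <PasswordSalt>{SAMPLE_SALT}</PasswordSalt>
</XmlUser>"""
```

Note that a Hashed entry with an empty <PasswordSalt /> can never validate, because the provider generates a new salt whenever the stored one is empty.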

A user account (named hashed) with a hashed password (also named hashed):

    <XmlUser>
      <UserKey>e450a258-e0f6-490b-a376-aed1f4be4395</UserKey>
      <UserName>hashed</UserName>
      <Password>4B667A35FA75BAC057B5F9EAF78BA31E334DF293</Password>
      <PasswordSalt>x6HES3s4KUWM5GVG68t2tA==</PasswordSalt>
      <Email>hashed@localhost.local</Email>
      <CreationDate>2007-12-19T09:52:16.0804896-08:00</CreationDate>
      <LastActivityDate>2007-12-19T09:52:16.441008-08:00</LastActivityDate>
      <LastLoginDate>2007-12-19T09:52:16.441008-08:00</LastLoginDate>
      <LastPasswordChangeDate>2007-12-19T09:52:16.0804896-08:00</LastPasswordChangeDate>
      <PasswordQuestion>Is this password hashed?</PasswordQuestion>
      <PasswordAnswer>yes</PasswordAnswer>
    </XmlUser>

If you want to use encrypted then you’re also in luck! The standard FormsAuthentication.Encrypt method is used:

    // Requires using System.Text; encrypts the UTF-8 password bytes through the base
    // MembershipProvider.EncryptPassword (keyed by the machineKey) and stores Base64
    byte[] clearText = Encoding.UTF8.GetBytes(password);
    byte[] encryptedText = base.EncryptPassword(clearText);
    ret = Convert.ToBase64String(encryptedText);

A user account (named encrypted) with an encrypted password (also named encrypted):

    <XmlUser>
      <UserKey>0da5d9bd-af22-479a-ac71-9fb562bcdcca</UserKey>
      <UserName>encrypted</UserName>
      <Password>nufv/y/rweLrHQCf6Ndmqw==</Password>
      <PasswordSalt />
      <Email>encrypted@localhost.local</Email>
      <CreationDate>2007-12-19T09:45:52.9095168-08:00</CreationDate>
      <LastActivityDate>2007-12-19T09:59:25.0272848-08:00</LastActivityDate>
      <LastLoginDate>2007-12-19T09:59:25.0272848-08:00</LastLoginDate>
      <LastPasswordChangeDate>2007-12-19T09:45:52.9095168-08:00</LastPasswordChangeDate>
      <PasswordQuestion>Is this password encrypted?</PasswordQuestion>
      <PasswordAnswer>Yes</PasswordAnswer>
    </XmlUser>

Don’t forget that you will need the machineKey section in ~/web.config so the provider can decrypt this password correctly:

    <machineKey validationKey="011D5308643D8F62AE10CDF30DAB640B7399BF6C57B0269D9F7287EFDE8DF4CAFF79D60A23FBCCC736FC2487ED695512BA95044DE4C58DC02C2BA0C4A266454C"
                decryptionKey="28929A06A6647D4C89FED3A7D5C52B12B23680FBDAAF7E00B69BA47B37EEAC34"
                validation="SHA1"
                decryption="AES"/>

After you choose one of the above methods and you are ready to proceed, log into your web site and immediately create a new account. Once you have the new account with your own name and password you should delete the starter account. With that you should be on your way.
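As an added example, not part of the post or the provider, a small Python audit over a Users.Config that reports starter accounts that were not deleted (matched by UserName or UserKey, so a renamed starter account is still caught), Hashed entries with an empty <PasswordSalt>, and Hashed entries whose password is their own user name, using the salt+password SHA1 scheme shown above. The sample file content, the <Users> root element and the function names are assumptions for this example; the check walks every <XmlUser> regardless of the root.

```python
import hashlib
import xml.etree.ElementTree as ET
# Starter accounts from the post, keyed by UserName, with their UserKey.
STARTER_USERS = {
    "clear": "21d87c46-5875-40d8-b4c6-584e0998a67a",
    "hashed": "e450a258-e0f6-490b-a376-aed1f4be4395",
    "encrypted": "0da5d9bd-af22-479a-ac71-9fb562bcdcca",
}

def provider_hash(salt: str, password: str) -> str:
    """Salt string + password, SHA1, uppercase hex: the provider's Hashed scheme."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest().upper()

def audit_users_config(xml_text: str, password_format: str) -> list:
    """Return findings for a Users.Config document; password_format is the
    provider's passwordFormat value (Clear, Hashed or Encrypted)."""
    findings = []
    root = ET.fromstring(xml_text)  # root name not assumed; iter() finds every <XmlUser>
    for user in root.iter("XmlUser"):
        name = (user.findtext("UserName") or "").strip()
        key = (user.findtext("UserKey") or "").strip().lower()
        stored = (user.findtext("Password") or "").strip().upper()
        salt = (user.findtext("PasswordSalt") or "").strip()
        if name in STARTER_USERS or key in STARTER_USERS.values():
            findings.append(f"{name}: starter account still present (UserKey {key})")
        if password_format == "Hashed":
            if not salt:
                findings.append(f"{name}: Hashed format but empty PasswordSalt")
            elif provider_hash(salt, name) == stored:
                findings.append(f"{name}: password equals user name")
    return findings

# Constructed sample (assumed <Users> root): a renamed starter account that kept
# its UserKey, and a user whose password is their own name.
_SALT = "c29tZXNhbHRzb21lc2FsdA=="
SAMPLE_USERS_CONFIG = f"""<Users>
  <XmlUser>
    <UserKey>E450A258-E0F6-490B-A376-AED1F4BE4395</UserKey>
    <UserName>admin</UserName>
    <Password>4B667A35FA75BAC057B5F9EAF78BA31E334DF293</Password>
    <PasswordSalt>x6HES3s4KUWM5GVG68t2tA==</PasswordSalt>
  </XmlUser>
  <XmlUser>
    <UserKey>00000000-0000-4000-8000-000000000001</UserKey>
    <UserName>bob</UserName>
    <Password>{provider_hash(_SALT, "bob")}</Password>
    <PasswordSalt>{_SALT}</PasswordSalt>
  </XmlUser>
</Users>"""
```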
