
Same CodeOnTime password encryption/decryption to separate assembly file?

Hey!

So, the problem here is as follows:
We use CodeOnTime for our web-side of our product, and as such we're forced to use COT's ASP.NET authentication for logging in / authentication.

I need to create a separate assembly (that will be used in a SQL server) that can encode a password and get the same result as ASP.NET does in the project. I've made multiple implementations using HMACSHA512 (while also specifying that as the wanted algorithm in every field I can in web.config) that use different keys that I've also taken from the web.config file (such as MembershipProviderValidationKey in appSettings, and decryptionKey + validationKey in system.web->machineKey), but it never gives the same result as COT's implementation does.

So, I'm here to ask if there's an easy way to find out the correct algorithm AND keys/salt used in password validation, so that I could implement it in our separate assembly file?

Kind regards!
    Hi TerJ.

    We also have some products which have already their own Security modules and Password encryption rules. To be able to create a COT application and integrate with the already existing Security and its users/passwords, we configured COT Security to use our Security tables through COT Settings. To be able to check COT Membership password, we created a new Password field in the Users datatable to store COT hashed content. In the COT security settings, we set this new field as the Password field.

    After all this was set up, we generated an ApplicationServices.Override.cs and created an Override of the COT UserLogin, as follows:


    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.Security;
    using OffiSys.Data;

    namespace OffiSys.Services
    {
        public partial class ApplicationServices
        {
            public override bool UserLogin(string username, string password, bool createPersistentCookie)
            {


    In it, you will get the username and password entered by the user. So I was able to query my other application's Users table and fetch their password. Since it uses our own encryption method, we decrypt right there and compare with what the COT user entered. If it matches, we check COT ASP.NET Membership to see if the user is validated there; if not, we change the ASP.NET password to the new one and let the Login process run naturally.


                // userExists and originalPassword come from the lookup against
                // our own Users table (done earlier in the method, not shown here)
                // check if we have found user in the database
                if (userExists)
                {
                    if (originalPassword == password)
                    {
                        // create a Membership object for current user
                        MembershipUser mu = Membership.GetUser(username);

                        // try to validate credentials
                        bool validCredentials = Membership.ValidateUser(username, password);

                        if (mu != null && validCredentials == false)
                        {
                            // set new password, as this could be the first time user logged into the COT app
                            // or they might have changed their password
                            // (the password entered by the user is the new Membership password)
                            mu.ChangePassword(mu.ResetPassword(), password);
                        }
                    }
                }


    After that, we just let COT run its base method:


                // run base method
                return base.UserLogin(username, password, createPersistentCookie);
            }
        }
    }


    Hope this gives you some ideas.

    Best.

    Ivan
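The override described in the reply above, assembled into one complete method as an added example (not code from the original post or from Code On Time). It assumes a connection string named "ExternalUsers", a table dbo.Users(UserName, Password) in the product's own security database, and a Decrypt method for the product's existing reversible scheme; it also adds a length-independent comparison and a null guard for the Membership user, which the original fragments lack.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Text;
using System.Web.Security;

namespace OffiSys.Services
{
    public partial class ApplicationServices
    {
        // Hypothetical: the product's own reversible password scheme (not shown in the post).
        private static string Decrypt(string stored) { throw new NotImplementedException("product-specific"); }

        // Fetch the product's own copy of the password; null when the user does not exist there.
        // Assumed connection string "ExternalUsers" and table dbo.Users(UserName, Password).
        private static string LookupOriginalPassword(string username)
        {
            string cs = ConfigurationManager.ConnectionStrings["ExternalUsers"].ConnectionString;
            using (var conn = new SqlConnection(cs))
            using (var cmd = new SqlCommand("SELECT Password FROM dbo.Users WHERE UserName = @u", conn))
            {
                cmd.Parameters.AddWithValue("@u", username);
                conn.Open();
                object stored = cmd.ExecuteScalar();
                return stored == null ? null : Decrypt((string)stored);
            }
        }

        // Compare without short-circuiting, so response time does not reveal
        // how many leading characters of the guess were correct.
        private static bool FixedTimeEquals(string a, string b)
        {
            byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
            int diff = x.Length ^ y.Length, n = Math.Min(x.Length, y.Length);
            for (int i = 0; i < n; i++) diff |= x[i] ^ y[i];
            return diff == 0;
        }

        public override bool UserLogin(string username, string password, bool createPersistentCookie)
        {
            string originalPassword = LookupOriginalPassword(username);
            if (originalPassword != null && FixedTimeEquals(originalPassword, password))
            {
                MembershipUser mu = Membership.GetUser(username);
                // Re-sync the Membership copy only when it no longer validates (first COT login,
                // or the password was changed in the product). ResetPassword() requires
                // enablePasswordReset="true" on the membership provider.
                if (mu != null && !Membership.ValidateUser(username, password))
                    mu.ChangePassword(mu.ResetPassword(), password);
            }
            // Membership still decides the outcome; the override only keeps its copy current.
            return base.UserLogin(username, password, createPersistentCookie);
        }
    }
}
```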