
In the application I am working on, users are created but are not approved until they activate their account. The IsApproved flag is set to false until they have activated.

When they submit their activation, we want to check that their password is valid before activating the user, but Membership.ValidateUser(..) will always return false if the user is not approved, so there appears to be no way to differentiate between an incorrect password and a non-approved user.

How can I check the password to validate a user that is not approved?

Possible solutions I've looked at so far:

  • Custom membership provider: this is a lot of work and defeats the whole point of using the Membership system in .NET, this is basic functionality, there must be a way to check a password.
  • Setting the IsApproved flag briefly and changing it back: this is very insecure.
  • Using ChangePassword to change to a random password and then back again, checking to see if it succeeds: this is a nasty hack, I really don't want to do this.
  • Calling the private CheckPassword function on the SqlMembershipProvider: methods are private for a reason, again, I don't want to do this.

Is there another way? Surely this is standard functionality that is just required by any full-featured user account system with activations, etc. Is there a better design for the system than what I am doing? Am I using IsApproved in the wrong way?

Thanks for the help.

Edit: This seems to have caused some confusion. I have created a user account, it has a password that meets the complexity requirements etc. What I want to do is, when the user submits a form with their username and password in it, check that the password they have provided matches the password on the account. I just want to know if they gave the right password. From my investigation of the framework, this seems impossible to do without also checking whether their account is active.

danpalmer
  • Why do you want to check if their password is valid by using a `ValidateUser()` method? When creating a user (with `IsApproved = false`) `Membership` will always validate the password. If the password meets all the requirements then the user will be added. This should suggest to you that the password is valid. Unless if you have a different definition of "`valid`"? – RealSollyM Jun 27 '13 at 10:41
  • Creating the user validates that the password meets certain requirements. I want to check that a submitted password is the correct password for a user account. – danpalmer Jun 27 '13 at 13:41
  • Password should be validated before an account is created. Now you are going backward. ***Is there a reason not to validate the password before creating an account? For example, password cannot be 123456*** – Win Jun 27 '13 at 17:46
  • What criteria do you use to determine if the password is correct for the user? Why not do all that before you create an account? That is if you don't want to use what Membership Provider is giving you? – RealSollyM Jun 28 '13 at 06:52
  • I've added a clarification of the problem. – danpalmer Jul 05 '13 at 14:32

1 Answer


Now I understand you. My suggestion is to temporarily store their password in the Membership Profile and match that beforehand. Once matched, activate the account and clear the Profile. NOTE: the profile will store the password in plain text. I am doing a similar thing.

RealSollyM
  • Thanks for the answer. I've accepted it appears to be the only way to do it. But I will not be implementing this functionality. Under absolutely no circumstances will I ever store a password in plain text, purely on principle, let alone because of requirements of the project. I could hash+salt the password manually and store in the `MembershipProfile`, but by that point I'm really starting to re-implement functionality in `SqlMembershipProvider`. Ultimately, MS need to make a better API for this available, it's normal behaviour, not an edge case. – danpalmer Jul 12 '13 at 09:48
  • I do agree with you there. I have done something similar but from the ColdFusion side where I hash+salt the password then do a straight comparison with the Membership table. – RealSollyM Jul 12 '13 at 11:01
  • A simple addition to this is to encrypt the password in the Profile table. – RealSollyM Aug 06 '13 at 11:04
  • You wouldn't want to encrypt the password, hashing it would be much more secure. – danpalmer Aug 06 '13 at 12:12
  • The point I was trying to make was that instead of working directly with Membership password, one could store a "secure" password in the profile then read it from there, which is simpler than hashing it then compare it with Membership table. – RealSollyM Aug 06 '13 at 13:19
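The hash+salt variant of the Profile approach that danpalmer mentions in the comments, written out as an added example that is not part of the original thread: only a PBKDF2 hash of the password is kept in the Profile until activation, compared in constant time, and the user is approved and the hash cleared on a match. The helper class, the `ActivationHash` profile property (assumed to be declared as a string property in web.config) and the parameter choices are assumptions, not from the question or answer.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.Profile;
using System.Web.Security;

// Hypothetical helper (not from the question). Assumes a string profile
// property named "ActivationHash" is declared in web.config.
public static class ActivationPasswordCheck
{
    const string HashProperty = "ActivationHash";
    const int SaltSize = 16, HashSize = 32, Iterations = 100000;
    // Call right after Membership.CreateUser(..., isApproved: false):
    // stores "iterations$salt$hash" (PBKDF2-HMAC-SHA1), never the password.
    public static void StoreActivationHash(string username, string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, SaltSize, Iterations))
        {
            string record = Iterations + "$" + Convert.ToBase64String(kdf.Salt)
                          + "$" + Convert.ToBase64String(kdf.GetBytes(HashSize));
            ProfileBase profile = ProfileBase.Create(username);
            profile.SetPropertyValue(HashProperty, record);
            profile.Save();
        }
    }

    // Call when the activation form is submitted. Approves the user and
    // wipes the stored hash only if the submitted password matches.
    public static bool VerifyAndActivate(string username, string password)
    {
        ProfileBase profile = ProfileBase.Create(username);
        string record = profile.GetPropertyValue(HashProperty) as string;
        if (string.IsNullOrEmpty(record)) return false;   // no activation pending
        string[] parts = record.Split('$');
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, int.Parse(parts[0])))
            actual = kdf.GetBytes(expected.Length);
        int diff = 0;                                     // constant-time compare
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        if (diff != 0) return false;
        MembershipUser user = Membership.GetUser(username);
        if (user == null) return false;
        user.IsApproved = true;
        Membership.UpdateUser(user);
        profile.SetPropertyValue(HashProperty, string.Empty);  // hash no longer needed
        profile.Save();
        return true;
    }
}
```

Because the Membership password itself is never read or rewritten, neither the temporary IsApproved flip nor the ChangePassword round-trip from the question is needed, and a failed activation attempt is indistinguishable from an ordinary wrong password.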