17

User is logged in and wants to do something major and I want them to re-enter their password so I can make sure that they are the user that is logged in.

How can I confirm that this password is for the account holder?

Would be happy to know how to do it via ASP.NET Identity or how to set up a stored proc to go against the AspNetUsers table or how to do it via Entity Framework.

A-Sharabiani
  • 17,750
  • 17
  • 113
  • 128
Reid
  • 3,170
  • 2
  • 23
  • 37

4 Answers4

20

How can I confirm that this password is for the account holder?

how to do it via ASP.NET Identity

To reverify the password of currently logged in user, provide the user VerifyView to enter password and use the following method to check if the user exists.

var user = await UserManager.FindAsync(User.Identity.Name,VerifyViewModel.Password)

If the user is found, the current request is the same from the account holder.

Membership.ValidateUser is from earlier version of Membership framework, not from ASP.NET Identity.

jd4u
  • 5,789
  • 2
  • 28
  • 28
  • For some reason I expected CheckPassword to do this. It does not.. This works great thanks. – Bobby Dec 02 '14 at 03:20
  • Today we can't use method FindAsync. See this question: https://stackoverflow.com/questions/35041826/usermanager-findasyncusername-password-not-available-in-asp-net-5-identity – Boris Makhlin Feb 08 '21 at 15:09
10

You can also use UserManager.CheckPassword() extension function:

UserManagerExtensions.CheckPassword Method

string id = User.Identity.GetUserId();
var user = UserManager.FindById(id);
if(!UserManager.CheckPassword(user, model.Password))
{
    ModelState.AddModelError("Password", "Incorrect password.");
}
A-Sharabiani
  • 17,750
  • 17
  • 113
  • 128
5

With Identity framework you never want to hit the database directly. Always use the API provided. The database structure has changed several times in the past few years, so introducing dependencies (e.g. on a data context) is adding work for no reason.

For async usage, see the answer already provided by jd4u.

For synchronously identifying that the password matches the current user, you need to first include:

using Microsoft.AspNet.Identity;

as this brings in a number of synchronous extension methods for identity framework.

You can then check with Find on the UserManager like this:

var user = UserManager.Find(User.Identity.Name, password);
if (user != null)
{
    // It is them!
}

If the user is not null, then you have a match of password and current username.

iCollect.it Ltd
  • 92,391
  • 25
  • 181
  • 202
1

You can use UserManager to do that:

if(UserManager.PasswordHasher.VerifyHashedPassword("hashedPassword", "password") 
    != PasswordVerificationResult.Failed)
{
    // password is correct 
}

For more information see the link: How to check password manually in Asp.Net identity 2?

Community
  • 1
  • 1
Ricardo França
  • 2,923
  • 2
  • 18
  • 18