0

I'm writing a ASP.NET MVC 3 web site. This is my custom MembershipProvider (only ValidateUser realized):

public class RFMMembershipProvider : MembershipProvider
{
    IUserService userService = new UserService();

    public override bool ValidateUser(string username, string password)
    {
        return password.GetHashCode().ToString() == userService.GetUser(username).Pass;
    }
...
}

and my Roleprovider (realized only GetRolesForUser)

public class RFMRoleProvider : RoleProvider
{
    IUserService userService = new UserService();

    public override string[] GetRolesForUser(string username)
    {
        return new string[] { userService.GetRolesForUser(username).Name };
    }
...
}

my web.config part

...
<system.web>

<roleManager enabled="true" defaultProvider="RFMRoleProvider">
  <providers>
    <clear/>
    <add name="RFMRoleProvider" type="RFMSite.WebUI.RFMRoleProvider, RFMSite"/>
  </providers>
</roleManager>

<membership defaultProvider="RFMMembershipProvider"
            >
  <providers>
    <clear/>
    <add name="RFMMembershipProvider"
         type="RFMSite.WebUI.RFMMembershipProvider, RFMSite"
         />
  </providers>
</membership>

<authentication mode="Forms" >
  <forms loginUrl="~/Account/LogOn" timeout="2880">
  </forms>
</authentication>

on LogOn action:

...
 if (Membership.ValidateUser(username, password))
            {
                FormsAuthentication.SetAuthCookie(username, true);
                return RedirectToAction("Files", "Admin");
            }
...
return View();

So the question is Why when I publish site on IIS 7.0 Membership.ValidateUser(username, password) always returns false? It works NORMAL on local asp.net development server. The connection with MSSQL Server is OK (I can get any data and display it when website deployed)? No exception happens, just always returns false...

Ladislav Mrnka
  • 360,892
  • 59
  • 660
  • 670
Dmitriy Shapar
  • 128
  • 1
  • 11

2 Answers2

0

Are you sure you're calling the exact same code locally and in production? I'm suspicious that your code will ever work except by accident.

Specifically, I doubt that String.GetHashCode() will ever return something that matches a password from your database, unless your users are in the habit of using long random numbers for their passwords. GetHashCode is for building hash tables, not for securing passwords. I think you are confusing it with HashPasswordForStoringInConfigFile, or something similar.

EDIT for clarity:

I don't know for sure that GetHashCode is your problem but I don't see anything else obviously wrong. It would be easy enough to test: log your hash codes to a log file, since they're temporary anyway (as you noted in the comment).

And yes, GetHashCode could easily change when you deployed; if you are running a different architecture, for example, or against a newer version of the Framework, the exact value that gets returned from GetHashCode can definitely be different.

Michael Edenfield
  • 28,070
  • 4
  • 86
  • 117
  • ok, when i write a pass data to database i do pass.GetHashCode().ToString() and actually thi string writes to database. I understand that is bad idea - such solution is temporary. And you mean that GetHashCode() method returns different string when delpoyed on IIS? – Dmitriy Shapar Jan 16 '12 at 21:54
  • I mean that the GetHashCode implementation is not something you ought to rely on; different versions, editions, architectures, etc. of the Framework can (and have) changed it. It's entirely an internal, implementation-level detail. Besides which, those hash codes aren't even unique: collisions are a normal part of a hash table, so it would be easy to construct multiple passwords that hash to the same bucket. – Michael Edenfield Jan 17 '12 at 16:08
  • yeah, great thanx!! you really was right! GetHashCode() fjr same string returns different values when web site hosted on iis and on asp.net webdev server – Dmitriy Shapar Jan 17 '12 at 19:24
0

Don't use GetHashCode for this purpose! Use MD5 or SHA1 security hashes which are always the same. GetHashCode can return different values between different versions of .NET framework. It also returns different values when used on 32-bit and 64-bit system.

Ladislav Mrnka
  • 360,892
  • 59
  • 660
  • 670