手动密码更新以明文形式存储新密码，而不是哈希

Question

I want to update the password for a single user when he tries to reset his password.

Instead of using Membership.Provider.ResetPassword function, I want to have more control on the password that is being generated. The generated password may only contain upper and lowercase letters and numbers.

So I tried:

web.config

  <providers>
    <clear />
    <add name="MyMembershipProvider" 
         type="Sample.MyMembershipProvider" 
         connectionStringName="conn1" 
         requiresQuestionAndAnswer="false" 
         applicationName="/wedding" 
         minRequiredPasswordLength="6" 
         enablePasswordRetrieval="false" 
         enablePasswordReset="true" 
         requiresUniqueEmail="true" 
         minRequiredNonalphanumericCharacters="0" passwordFormat="Hashed" />
  </providers>

resetpassword.aspx.vb

Dim newpassword As String = GlobalFunctions.CreateNewPassword(8)'this generated the password in the format I want

Dim myConnection As SqlConnection = GetConnection()

            Dim cmd As New SqlCommand("SELECT au.username, aa.ApplicationName, password, passwordformat, passwordsalt " & _
                "FROM aspnet_membership am " & _
                "INNER JOIN aspnet_users au " & _
                "ON (au.userid = am.userid) " & _
                "INNER JOIN aspnet_applications aa " & _
                "ON (au.applicationId = aa.applicationid) " & _
                "WHERE am.email=@email", myConnection)
            cmd.Parameters.Add(New SqlParameter("@email", Email))

Then use this to update the password using a standard ASP.NET stored procedure:

    Public Shared Function SetMemberPassword(ByVal ApplicationName As String, ByVal UserName As String, _
                    ByVal NewPassword As String, ByVal PasswordSalt As String, ByVal CurrentTimeUtc As DateTime, _
                    ByVal PasswordFormat As Integer) As Boolean
        Dim result As Boolean
        Dim myConnection As SqlConnection = GetConnection()
        Dim cmd As New SqlCommand("aspnet_Membership_SetPassword", myConnection)
        cmd.CommandType = CommandType.StoredProcedure
        cmd.Parameters.Add(New SqlParameter("@ApplicationName", ApplicationName))
        cmd.Parameters.Add(New SqlParameter("@UserName", UserName))
        cmd.Parameters.Add(New SqlParameter("@NewPassword", NewPassword))
        cmd.Parameters.Add(New SqlParameter("@PasswordSalt", PasswordSalt))
        cmd.Parameters.Add(New SqlParameter("@CurrentTimeUtc", CurrentTimeUtc))
        cmd.Parameters.Add(New SqlParameter("@PasswordFormat", PasswordFormat))
        Try
            myConnection.Open()
            result = CBool(cmd.ExecuteScalar)
        Catch ex As Exception

    Finally
            myConnection.Close()
        End Try
        Return result
    End Function

Besides that the new password does not even work (probably because I have password format "Hashed" in my membershiprovider in web.config), the password is also stored in clear text, which I don't want.

So, how can I update the user's password and store the password hashed?

Answer 1

Why you need to call direct stored procedure? ASP.NET Membership provider takes care of everything and you need to just use update user method of asp.net provider for updating everything except password.

See all methods available in ASP.NET and SQL Membership provider in following link. http://msdn.microsoft.com/en-us/library/ff648345.aspx

You just need to use following code to update user information method. with other information required.

Membership.UpdateUser

For updating password method. You can use change password method.

http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.changepassword(v=vs.110).aspx

Membership.Provider.ChangePassword(User.Identity.Name, "OldPassword", "NewPassword");

Right now its happening because you are directly calling asp.net membership provider stored procedure so it will directly update password without encrypting it.

While inbuilt method will encrypt it and then it will stored this.