I created a Membership login system for my client. Now they do NOT want the user to use one of his 5 last passwords when it comes time to create a new one.

Is that something that is built in, or how could I accomplish that?

Thank you,

Steve

+2  A: 

This feature does not exist in the ASP.NET membership login system. You must implement it yourself, on the automatically created change-password page.

You need somewhere to save the list of previous hashes of your users' passwords, and to check this list just before accepting a password change.

Update

Where to start:
Start from the already existing password change control.

Here is a password change example.
http://www.asp.net/cssadapters/Membership/ChangePassword.aspx

In this control (which you can easily drag and drop onto your page), capture the events:

    <asp:ChangePassword ID="ChangePassword1" runat="server"
        onchangingpassword="ChangePassword1_ChangingPassword" ... >...

Write your function to check for old passwords:

    protected void ChangePassword1_ChangingPassword(object sender, LoginCancelEventArgs e)
    {
        if (PasswordFoundOnList())
        {
            // ... show an error ...
            e.Cancel = true;
        }
    }

Now save the last passwords somewhere; for example, you can save them in the user profile or in your database.

Here is some more information on the user profile: http://www.asp.net/Learn/Ajax/tutorial-03-cs.aspx

Hope this helps you make it.

Aristos
Profile is a good place to store this data.
Sky Sanders
Thank you for your help. Do you happen to know if anyone has done that before, or maybe has some code samples? I am not sure how this would work.
Steve
OK, I have updated my answer with some more info.
Aristos
Thank you very much, Aristos. Since the password is encrypted in the database, I was wondering how I can get it into another table and later on compare it to a new password that the user types in. I guess I have to compare them in clear text? Thank you for your help.
Steve
@Steve The password is not kept and does not exist at all, only its hash value, so you compare the hash values, not the passwords. So you save and keep the hash values of the password. Play a little with the GetHash of a string to see what I mean. However, passwords do not use the same hash
Aristos
@Aristos - I must not be doing something right because the 2 hashes are never equal. I made sure that the pwd I pull from the DB is the same that I am testing with. What am I missing?

    MembershipUser user = Membership.GetUser();
    String ProviderVar = "AspNetSqlProvider2";
    String UsrName = user.ToString();
    MembershipProvider mp = Membership.Providers[ProviderVar];
    string HashVar = mp.GetHashCode().ToString();
    string pwd = "test44";
    string Hash2 = pwd.GetHashCode().ToString();
    TextBox1.Text = HashVar.ToString();
    TextBox2.Text = Hash2.ToString();
Steve
@Steve I checked inside now and see that it uses MembershipProvider.EncodePassword(string pass, int passwordFormat, string salt) (not GetHashCode()). Now I must go; create a new question and hopefully someone will answer sooner than me. Ask which way you can encode the password before it is saved in ASP.NET membership, and get the encoded result.
Aristos
Because the password is hashed and a salt is used, I have no idea how to start comparing what the user is entering to what I have in the table. Anyone have any suggestions?
Steve
@Steve Don't ask the question here, no one reads this; ask the question globally.
Aristos
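
The thread ends on how to compare a newly typed password against salted hashes. One way to do it, as an added example that is not from the original thread and does not reuse the membership provider's own hashing: keep a separate history of per-entry salted PBKDF2 hashes and re-hash the candidate once with each stored salt. All class and method names are hypothetical, the iteration count is an assumed value, and the Rfc2898DeriveBytes overload taking a HashAlgorithmName assumes .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example: hypothetical types, not part of ASP.NET Membership.
public sealed class PasswordHistoryEntry
{
    public byte[] Salt;   // random, unique per entry
    public byte[] Hash;   // PBKDF2(password, Salt)
}

public static class PasswordHistory
{
    const int Keep = 5;             // the client's rule: last 5 passwords
    const int Iterations = 100000;  // assumed work factor; tune for your hardware

    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    // True if the candidate matches any stored entry. Hashes of the same
    // password differ per entry because each salt differs, so the candidate
    // must be re-hashed with every stored salt before comparing.
    public static bool IsReused(string candidate, IEnumerable<PasswordHistoryEntry> history)
    {
        bool reused = false;
        foreach (var e in history)
        {
            byte[] h = Derive(candidate, e.Salt);
            int diff = h.Length ^ e.Hash.Length;
            for (int i = 0; i < h.Length && i < e.Hash.Length; i++)
                diff |= h[i] ^ e.Hash[i];   // no early exit on the first mismatch
            reused |= diff == 0;
        }
        return reused;
    }

    // Call after a successful change; history is ordered oldest first.
    public static void Remember(string newPassword, List<PasswordHistoryEntry> history)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        history.Add(new PasswordHistoryEntry { Salt = salt, Hash = Derive(newPassword, salt) });
        while (history.Count > Keep)
            history.RemoveAt(0);
    }
}
```

In the ChangingPassword handler from the answer, the check would be called with ChangePassword1.NewPassword and the user's stored entries, setting e.Cancel = true when it returns true. The history rows need the same protection as the membership password table, since they hold hashes of passwords the user may still use elsewhere.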