I created a Membership login system for my client, now they do NOT want the user to use one of his 5 last passwords when it comes time to create a new one.
Is that something that is build in or how could I accomplish that?
Thank you,
Steve
+2
A:
This future is not exist on asp.net membership login system. You must implement by your self, on the automatic-creating page of changing password.
You need somewhere to save the previous hash list of your users passwords, and check this list, just before accepting a password change.
Update
Where to start:
Start from the all ready existing password change control.
Here is a password change example.
http://www.asp.net/cssadapters/Membership/ChangePassword.aspx
In this control, (that you can easy drag and drop on your page) capture the events,
<asp:ChangePassword ID="ChangePassword1" runat="server"
onchangingpassword="ChangePassword1_ChangingPassword" ... >...
Make your function to check for old passwords
protected void ChangePassword1_ChangingPassword(object sender, LoginCancelEventArgs e)
{
if (PasswordFoundOnList())
{
... show an error....
e.Cancel = true;
}
}
Now save somewhere the last passwords, for example you can saved them on user profile, or on your database.
here are some more informations for user profile. http://www.asp.net/Learn/Ajax/tutorial-03-cs.aspx
Hope this help you make it.
Aristos
2010-04-06 07:20:15
Profile is a good place to store this data.
Sky Sanders
2010-04-07 00:02:35
Thank you for your help, do you happen to know if anyone has done that before, maybe have some code samples. I am not sure how this would work.
Steve
2010-04-07 13:42:23
Ok, I have update my answer with some more infos.
Aristos
2010-04-07 14:17:10
Thank you very much Aristos. Since the password is encrypted in the database I was wondering how I can get it into another table and later on on compare them to a new password that the user types in. I guess I have to compare them in clear txt? Thank you for your help.
Steve
2010-04-14 15:13:06
@Steve The password is not keepet/exist at all, only the hash value of it, so you compare the hash values, not the passwords. so you save and keep the hash values of the pass. Play a little with the GetHash of a string to see what I mean. How ever passwords did not use the same hash
Aristos
2010-04-14 16:18:44
@Aristos - I must not be doing something right because the 2 hashes are never equal. I made sure that the pwd I pull from the DB is the same that I am testing with. What am I missing?MembershipUser user = Membership.GetUser();String ProviderVar = "AspNetSqlProvider2";String UsrName = user.ToString();MembershipProvider mp = Membership.Providers[ProviderVar];string HashVar = mp.GetHashCode().ToString();string pwd = "test44";string Hash2 = pwd.GetHashCode().ToString();TextBox1.Text = HashVar.ToString();TextBox2.Text = Hash2.ToString();
Steve
2010-04-18 14:37:52
@Steve I check now inside and see that use the MembershipProvider.EncodePassword(string pass, int passwordFormat, string salt), (not the GetHasCode()).Now I must go - create a new question and hopefully some answer sooner than me. Ask witch way you can encode the password before saved on asp.net membership, and get the encode result.
Aristos
2010-04-18 15:28:37
Because the password is hashed and a slat is used, I have no idea how to start comparing what the user is entering to what I have in the table. Anyone have any suggestions?
Steve
2010-04-19 22:06:07
@Steve Make a question not here, no one read this, make the question globally.
Aristos
2010-04-20 05:51:15