We are using the ASP.NET Membership Provider for managing the users in our application.

All was fine until we had a new requirement. Users should be able to select multiple security questions and give answers to the same.

While recovering the password, the user will be presented with one of the security questions and if the user answers correctly the password will be sent.

By default ASP.NET Membership provides only one security question and one security answer. Is there any way to make it use multiple ones?

A: 

Why are you storing your password in a decryptable format?

Malfist
He may have just phrased that clumsily. The out-of-the-box membership provider will *reset* a password, not *resend* it. I agree that sending the original password would be a security hole.
Craig Stuntz
Sorry if I mentioned it otherwise. I am storing the password in hashed format only.
kans
Are they salted too?
Malfist
A: 

You could customize the default ASP.NET Membership provider to your specific requirements by subclassing it.

Nathan Taylor
I think he's asking how to do just that. :)
Craig Stuntz
A: 

Hey,

Creating your own custom ASP.NET membership provider would be the key. Additionally, you'd have to create a custom template for the .NET login controls that use the password Q's, so that you can display multiple question/answer sections.

You may have to set the membership provider to not use the password question/answer, but programmatically manage it yourself. By default, it uses that single Q/A to manage security; but since you need multiple, it may be easier to use custom logic to manage this.

EDIT: the only other thing I can think of is have two provider definitions, each with their own password question/answer, so that you are effectively storing two records in the database per user. The thing is that the UI controls won't work with that approach, so you would need to custom build the UI.

HTH.

Brian
Brian, this is exactly what I was trying to avoid. I have already deviated so much from ASP.NET Membership that if I also do that, I am using the provider only to do SP Insert/Update :) I was trying to see if there is another option available to have multiple questions/answers rather than the default one each. Thanks for looking into the question.
kans
Sure, but there is not one out of the box; you have to deviate. The only other thing I can think of is added to the post above.
Brian
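
A sketch of the "manage the questions yourself" approach from the last answer, as an added example that is not code from any poster in this thread. It assumes the provider is configured with `requiresQuestionAndAnswer="false"` and `enablePasswordReset="true"`; the class name `MultiQuestionStore`, the in-memory dictionary standing in for a database table, and the iteration count are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Security;

// Hypothetical helper: keeps several question/answer pairs per user outside the provider.
public class MultiQuestionStore
{
    private const int Iterations = 100000; // assumed work factor; tune for your hardware
    private class Entry { public string Question; public byte[] Salt; public byte[] Hash; }
    // In-memory stand-in for a table keyed by user name (assumption for this example).
    private readonly Dictionary<string, List<Entry>> _byUser =
        new Dictionary<string, List<Entry>>(StringComparer.OrdinalIgnoreCase);
    private static readonly RandomNumberGenerator Rng = RandomNumberGenerator.Create();

    // Stores only a per-answer random salt and the salted hash, never the answer itself.
    public void AddQuestion(string user, string question, string answer)
    {
        var salt = new byte[16];
        Rng.GetBytes(salt);
        List<Entry> list;
        if (!_byUser.TryGetValue(user, out list)) _byUser[user] = list = new List<Entry>();
        list.Add(new Entry { Question = question, Salt = salt, Hash = Derive(answer, salt) });
    }

    // Picks one stored question; the caller keeps the index in server-side session state.
    public KeyValuePair<int, string> PickQuestion(string user)
    {
        var list = _byUser[user];
        var b = new byte[4];
        Rng.GetBytes(b);
        int i = (int)(BitConverter.ToUInt32(b, 0) % (uint)list.Count);
        return new KeyValuePair<int, string>(i, list[i].Question);
    }

    // Returns the new password from the provider's reset, or null if the answer is wrong.
    public string ResetIfAnswerCorrect(string user, int index, string answer)
    {
        List<Entry> list;
        if (!_byUser.TryGetValue(user, out list) || index < 0 || index >= list.Count) return null;
        if (!FixedTimeEquals(Derive(answer, list[index].Salt), list[index].Hash)) return null;
        MembershipUser mu = Membership.GetUser(user);
        return mu == null ? null : mu.ResetPassword(); // reset, not resend
    }

    private static byte[] Derive(string answer, byte[] salt)
    {
        string normalized = answer.Trim().ToUpperInvariant(); // same rule at store and verify
        return new Rfc2898DeriveBytes(normalized, salt, Iterations).GetBytes(32); // PBKDF2
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because the provider no longer checks an answer itself, failed-answer lockout and rate limiting have to be enforced around `ResetIfAnswerCorrect` by the application.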