Hi all, I have two webapps that share ASP.NET membership tables.

Everything works fine, except I cannot remove case-sensitivity in one of the apps the way I am doing it in the other.

In the non-working app:

void Login1_LoggingIn(object sender, LoginCancelEventArgs e)
{
    string username = Login1.UserName.Trim();
    if (!string.IsNullOrEmpty(username))
    { 
        MembershipUser user = Membership.GetUser(username);
        if (user != null)
        {
            // Only adjust the UserName if the password is correct.  This is more secure
            // so a hacker can't find valid usernames if we adjust the case of mis-cased
            // usernames with incorrect passwords.
            string password = Login1.Password.ToUpper();
            if (Membership.ValidateUser(user.UserName, password))
            { 
                Login1.UserName = user.UserName;
            }
        }
    }
}

is not working. The password is stored as all upper case, converted at the time the membership user is created!

So if the password is PASSWORD, typing PASSWORD allows me to authenticate, but typing password does not! Even though I can see the string being sent is PASSWORD (converted with ToUpper()).

I am at a complete loss on this. In the other app I can type in lower or upper or mixed case and I am able to authenticate. In the other app I am not using the textboxes from the login control, though. Not sure if this is making the difference?

A: 

You are simply validating the user with the ucased password; you are not logging them in. This happens in a later stage of the process.

Once you verify the ucased password, update the Login1's password textbox with the ucased password in the same place you are updating the username.

I seem to recall that password is read-only, so you will need to use something like this:

// "Password" is the default ID of the Login control's password TextBox;
// view source to find the login input's ID if your template differs.
((TextBox)Login1.FindControl("Password")).Text = password;

That should give you the results that you are looking for.

Sky Sanders
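
A different way to wire this, added here as an example and not part of the original question or answer: handle the Login control's Authenticate event, which replaces the control's own membership check, so the upper-cased password is the one actually used to sign the user in. The class name `LoginPage`, the handler name and the markup attribute in the comment are assumptions.

```csharp
using System;
using System.Web.Security;
using System.Web.UI.WebControls;

public partial class LoginPage : System.Web.UI.Page
{
    // Assumed markup: <asp:Login ID="Login1" runat="server"
    //                            OnAuthenticate="Login1_Authenticate" />
    // When an Authenticate handler is attached, the Login control uses
    // e.Authenticated instead of calling the membership provider itself.
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        Login login = (Login)sender;
        e.Authenticated = false;

        string typedName = login.UserName.Trim();
        if (string.IsNullOrEmpty(typedName))
        {
            return;
        }

        // Passwords were upper-cased when the membership user was created,
        // so apply the same normalisation to what the user typed.
        string password = login.Password.ToUpper();

        // Look up the stored spelling of the user name. Fall back to the
        // typed name so unknown users still go through ValidateUser and
        // fail the same way as a wrong password.
        MembershipUser user = Membership.GetUser(typedName);
        string canonicalName = (user != null) ? user.UserName : typedName;

        if (Membership.ValidateUser(canonicalName, password))
        {
            // Only adjust the name after the password checks out, as in the
            // question, so mis-cased names are not corrected on failure.
            login.UserName = canonicalName;
            e.Authenticated = true;
        }
    }
}
```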