MD5 Encryption Problem (ASP.NET VB)
Hi,
I am trying to use MD5 Encryption for passwords in my application but I need help sorting out a data conversion issue... I think.
I have figured out how to convert an entered password at user registration and store the MD5 equivalent. Now my problem is, the core of my application was generated from ASP.NET Maker and the password is stored in a cookie / session string and is checked through out the system.
It looks something like this in login.aspx
' *************************
' * Handler for Page Load
' *************************
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs)
Dim md5Hasher as New MD5CryptoServiceProvider()
Dim hashedBytes as Byte()
Dim encoder as New UTF8Encoding()
hashedBytes = md5Hasher.ComputeHash(encoder.GetBytes(LoginControl.Password))
Response.Cache.SetCacheability(HttpCacheability.NoCache)
Page.ClientScript.RegisterClientScriptInclude("ewv", "ewv.js")
Advsecu.LoadUserLevel()
If (CustomProfile.GetGlobal(Share.ProjectName).Message IsNot Nothing) Then
lblMessage.Text = CustomProfile.GetGlobal(Share.ProjectName).Message
pnlMessage.Visible = True
CustomProfile.GetGlobal(Share.ProjectName).Message = Nothing
End If
If (Not IsPostBack) Then
If (Advsecu.IsLoggedIn()) Then 'User already logged in
If (CustomProfile.GetGlobal(Share.ProjectName).Message Is Nothing) Then
Response.Redirect("default.aspx") 'Redirect to default page
Return
End If
Else
' Check auto login
If (Request.Cookies(Share.ProjectName) IsNot Nothing AndAlso _
Request.Cookies(Share.ProjectName)("autologin") IsNot Nothing AndAlso _
Request.Cookies(Share.ProjectName)("autologin") = "autologin") Then
Dim strUsername As String = Request.Cookies(Share.ProjectName)("username")
Dim strPassword As String = IIf(Not String.IsNullOrEmpty(Request.Cookies(Share.ProjectName)("password")), hashedBytes, String.Empty)
If (Not String.IsNullOrEmpty(strUsername) AndAlso Not String.IsNullOrEmpty(strPassword)) Then
If (ValidateUser(strUsername, strPassword)) Then
FormsAuthentication.RedirectFromLoginPage(strUsername, False)
Return
Else ' invalid username or password
ClearCookies()
End If
Else ' empty username or password
ClearCookies()
End If
End If
' Initial username
If (Request.Cookies(Share.ProjectName) IsNot Nothing AndAlso _
Request.Cookies(Share.ProjectName)("username") IsNot Nothing) Then
LoginControl.UserName = Request.Cookies(Share.ProjectName)("username")
End If
' Inital rememberme option
Dim autoLoginValue As String = "n"
If (Request.Cookies(Share.ProjectName) IsNot Nothing AndAlso _
Request.Cookies(Share.ProjectName)("autologin") IsNot Nothing) Then
If (Request.Cookies(Share.ProjectName)("autologin") = "autologin") Then
autoLoginValue = "a"
ElseIf (Request.Cookies(Share.ProjectName)("autologin") = "rememberUsername") Then
autoLoginValue = "u"
End If
End If
Dim rememberme As RadioButtonList = TryCast(LoginControl.FindControl("RememberMe"), RadioButtonList)
If (rememberme IsNot Nothing) Then
rememberme.SelectedIndex = -1
For Each item As ListItem In rememberme.Items
If (item.Value = autoLoginValue) Then
item.Selected = True
Exit For
End If
Next
End If
End If
End If
If (LoginControl.FindControl("UserName") IsNot Nothing) Then
Page.Form.DefaultFocus = LoginControl.FindControl("UserName").ClientID
End If
End Sub
I would like to replace the password with "hashedBytes" so that it compares the encrypted password with the encrypted data in the database. However I have the issue of the password being represented as a string in the generated script, where "hashedBytes" is an array of type Byte. How can I fix this problem so that I don't need to change too much in the code? Please help.
The relevant membership provider code is as follows:
Public Overloads Overrides Function ValidateUser(ByVal username As String, ByVal password As String) As Boolean
Dim booValid As Boolean = False
Try
Dim userProfile As UserProfile = GetUserProfile(username)
If (userProfile IsNot Nothing) Then
Return IIf((_boolIsPasswordCaseSensitive),(userProfile.Password.Trim = password.Trim),(userProfile.Password.ToLower.Trim = password.ToLower.Trim))
Else
Return False
End If
Catch
Return False
End Try
End Function
I hope it is clear... let me know if you need more info.
Thanks in advance.
Mel