I'm writing an ASP.NET MVC 3 web site. This is my custom MembershipProvider (only ValidateUser realized):
    public class RFMMembershipProvider : MembershipProvider
    {
        IUserService userService = new UserService();

        public override bool ValidateUser(string username, string password)
        {
            return password.GetHashCode().ToString() == userService.GetUser(username).Pass;
        }
        ...
    }
and my RoleProvider (realized only GetRolesForUser):
    public class RFMRoleProvider : RoleProvider
    {
        IUserService userService = new UserService();

        public override string[] GetRolesForUser(string username)
        {
            return new string[] { userService.GetRolesForUser(username).Name };
        }
        ...
    }
My web.config part:
    ...
    <system.web>
      <roleManager enabled="true" defaultProvider="RFMRoleProvider">
        <providers>
          <clear/>
          <add name="RFMRoleProvider" type="RFMSite.WebUI.RFMRoleProvider, RFMSite"/>
        </providers>
      </roleManager>
      <membership defaultProvider="RFMMembershipProvider">
        <providers>
          <clear/>
          <add name="RFMMembershipProvider"
               type="RFMSite.WebUI.RFMMembershipProvider, RFMSite"/>
        </providers>
      </membership>
      <authentication mode="Forms">
        <forms loginUrl="~/Account/LogOn" timeout="2880">
        </forms>
      </authentication>
On the LogOn action:
    ...
    if (Membership.ValidateUser(username, password))
    {
        FormsAuthentication.SetAuthCookie(username, true);
        return RedirectToAction("Files", "Admin");
    }
    ...
    return View();
So the question is: why, when I publish the site on IIS 7.0, does Membership.ValidateUser(username, password) always return false? It works normally on the local ASP.NET development server.
The connection with MSSQL Server is OK (I can get any data and display it when the website is deployed). No exception happens, it just always returns false...
Are you sure you're calling the exact same code locally and in production? I'm suspicious that your code will ever work except by accident.

Specifically, I doubt that String.GetHashCode() will ever return something that matches a password from your database, unless your users are in the habit of using long random numbers for their passwords. GetHashCode is for building hash tables, not for securing passwords. I think you are confusing it with HashPasswordForStoringInConfigFile, or something similar.

EDIT for clarity: I don't know for sure that GetHashCode is your problem but I don't see anything else obviously wrong. It would be easy enough to test: log your hash codes to a log file, since they're temporary anyway (as you noted in the comment).

And yes, GetHashCode could easily change when you deployed; if you are running a different architecture, for example, or against a newer version of the Framework, the exact value that gets returned from GetHashCode can definitely be different.