Using custom MembershipProvider and Roleprovider in IIS 7.0


I'm writing an ASP.NET MVC 3 web site. This is my custom MembershipProvider (only ValidateUser implemented):

using System.Web.Security;

public class RFMMembershipProvider : MembershipProvider
{
    IUserService userService = new UserService();

    // Compares the hash code of the submitted password with the value stored in the Pass column
    public override bool ValidateUser(string username, string password)
    {
        return password.GetHashCode().ToString() == userService.GetUser(username).Pass;
    }
...
}

and my RoleProvider (only GetRolesForUser implemented):

using System.Web.Security;

public class RFMRoleProvider : RoleProvider
{
    IUserService userService = new UserService();

    // Each user has a single role in this application, so a one-element array is returned
    public override string[] GetRolesForUser(string username)
    {
        return new string[] { userService.GetRolesForUser(username).Name };
    }
...
}

my web.config part:

...
<system.web>

<roleManager enabled="true" defaultProvider="RFMRoleProvider">
  <providers>
    <clear/>
    <add name="RFMRoleProvider" type="RFMSite.WebUI.RFMRoleProvider, RFMSite"/>
  </providers>
</roleManager>

<membership defaultProvider="RFMMembershipProvider">
  <providers>
    <clear/>
    <add name="RFMMembershipProvider" type="RFMSite.WebUI.RFMMembershipProvider, RFMSite"/>
  </providers>
</membership>

<authentication mode="Forms" >
  <forms loginUrl="~/Account/LogOn" timeout="2880">
  </forms>
</authentication>

on LogOn action:

...
if (Membership.ValidateUser(username, password))
{
    FormsAuthentication.SetAuthCookie(username, true);
    return RedirectToAction("Files", "Admin");
}
...
return View();

So the question is: why, when I publish the site on IIS 7.0, does Membership.ValidateUser(username, password) always return false? It works NORMALLY on the local ASP.NET development server. The connection with MSSQL Server is OK (I can get any data and display it when the website is deployed). No exception happens, it just always returns false...


There are 2 answers

Michael Edenfield (BEST ANSWER)

Are you sure you're calling the exact same code locally and in production? I'm suspicious that your code will ever work except by accident.

Specifically, I doubt that String.GetHashCode() will ever return something that matches a password from your database, unless your users are in the habit of using long random numbers for their passwords. GetHashCode is for building hash tables, not for securing passwords. I think you are confusing it with HashPasswordForStoringInConfigFile, or something similar.

EDIT for clarity:

I don't know for sure that GetHashCode is your problem, but I don't see anything else obviously wrong. It would be easy enough to test: log your hash codes to a log file, since they're temporary anyway (as you noted in the comment).

And yes, GetHashCode could easily change when you deployed; if you are running a different architecture, for example, or against a newer version of the Framework, the exact value returned from GetHashCode can definitely be different.
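A stable, salted password hash of the kind this answer is pointing at, as an added example that is not the poster's or the answerers' code. It assumes the Pass column stores the string produced by HashPassword (format "iterations.salt.hash", base64) and reuses the question's userService and Pass names; the remaining abstract MembershipProvider members are left out as in the question.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical helper; PBKDF2 (Rfc2898DeriveBytes) gives the same output on every
// machine, architecture and Framework version, unlike String.GetHashCode().
public static class PasswordHasher
{
    const int SaltSize = 16, HashSize = 32, Iterations = 100000;

    // Call once when the password is set; store the result in the Pass column.
    public static string HashPassword(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        byte[] hash;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            hash = kdf.GetBytes(HashSize);
        return Iterations + "." + Convert.ToBase64String(salt) + "." + Convert.ToBase64String(hash);
    }

    // Recomputes the hash with the stored salt and compares in constant time.
    public static bool Verify(string password, string stored)
    {
        if (string.IsNullOrEmpty(password) || string.IsNullOrEmpty(stored)) return false;
        string[] parts = stored.Split('.');
        int iterations;
        if (parts.Length != 3 || !int.TryParse(parts[0], out iterations) || iterations < 1) return false;
        byte[] salt, expected;
        try { salt = Convert.FromBase64String(parts[1]); expected = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return false; }   // malformed stored value, not an exception path
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            actual = kdf.GetBytes(expected.Length);
        int diff = actual.Length ^ expected.Length;  // fixed-time compare: no early exit on mismatch
        for (int i = 0; i < actual.Length && i < expected.Length; i++) diff |= actual[i] ^ expected[i];
        return diff == 0;
    }
}

// How ValidateUser in the question's provider would use it (userService/Pass as in the question):
//   public override bool ValidateUser(string username, string password)
//   {
//       var user = userService.GetUser(username);
//       return user != null && PasswordHasher.Verify(password, user.Pass);
//   }
```

Existing rows that hold a GetHashCode value cannot be converted, since the original password is unknown; they need a password reset that stores HashPassword output.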

Ladislav Mrnka

Don't use GetHashCode for this purpose! Use MD5 or SHA1 security hashes, which are always the same. GetHashCode can return different values between different versions of the .NET Framework. It also returns different values when used on 32-bit and 64-bit systems.