I am working on an ASP.Net MVC 4 application where it uses SimpleMembership and I have two types of user one is normal user and an admin. I am trying to add a feature where an admin can reset a normal user's password just by entering a username and type in a new password and then he can manually send the new password to the user.
Is there a good way I can use SimpleMemberShip to get this feature?
Well, you can certainly change the password for a user account to whatever you'd like in code.
To change the password for an account using the any sub class of the MembershipProvider (I.e. WebMatrix.WebData.SimpleMembershipProvider), you must first retrieve (or be supplied) the current password. Assuming you have a way to query the Database, one way is to to get the stored password from the DB. If it is stored as an encrypted value, you can use the provider Decrypt method and convert that resulting byte array to a string value.
How convert byte array to string
Then, using the SimpleMembershipProvider method ChangePassword, supply the username, oldpassword, and the new password. The result of this method is a boolean that indicates if the change was successful.
From a security standpoint, if you are going to make an MVC form view for the Admins to use, I'd make sure the controller action that handles the processing is secure and only allows authenticated Admins to use it. If you've not already done so, you'll need to implement the use of Roles or at least designate specific user names in the [Authorize] attribute of that action.
If you need the code for all this, I suggest starting a bounty.
Related
I want to have a subpage on my website that is password protected. There should be a list of 6-digit passwords that allow access to the site. However, I don't want the user to type in a username. He should only type in one of the 6-digit passwords.
Any ideas, how I can accomplish this?
The default login for TYPO3 uses username and password. If you only needed 1 password you could create 1 user and use a custom template with the username in a hidden field. However, since you want multiple passwords, there is no default way to do it without creating your own authentication service.
It's a bit much to explain how to create an authentication service here, but you can read the documentation here https://docs.typo3.org/m/typo3/reference-coreapi/9.5/en-us/ApiOverview/Authentication/Index.html.
You can also look at an example like https://github.com/tschikarski/shibboleth, which is a but complicated, but you'll mainly need to look at \TYPO3\CMS\Core\Utility\ExtensionManagementUtility::addService in ext_localconf.php and the getUser and authUser functions in Classes/ShibbolethAuthentificationService.php.
With Typo3 mechanism, a password is always associated with a user name, I think you should do it by yourself :
if the content is from one of your extension, you can easily do it
if it's not the case, I think you could use a hook before page is displayed and manage password access in that hook
or you can make a specific template with which you can conditionally manage rendering
Why don't reverse the usage?
Create FE-users with the selected passwords as username, then assign all users the same password.
For the login you change the login form:
The password field gets a default value (the password you had set to
all accounts) and is hidden
The input field for the username is changed into a browser passowrdfield so the input is hidden by asteriks.
Then you might change the errormessages as they would confuse the user about his username so he only enters a "password".
There now exists an extension for that, too:
https://extensions.typo3.org/extension/sessionpassword
With that, you just have to create a specific usergroup for your purpose,
set a password an d include the plugin on the desired page.
Works for me in that case.
Scenario : I am trying to create custom log in functionality for liferay 6.1
In this, first I am asking email to user and I am checking, is this user is existing or new one. If it is existing then I will ask to fill password otherwise will ask him to create account.
My problem is, How to compare user given password and password exist in DB. User given password is plain text and DB saved password is in encoded form.
Any pointers on this will be helpful..Thanks in Advance.
There's a utility class for password comparison.
PasswordTrackerLocalServiceUtil#isSameAsCurrentPassword(userId, newClearTextPwd)
My goal is to be able to read one database without having to authenticate the user, authentication for editing this database should be required. All other databases should only be read/writeable for valid users. And I don't want having to set it for every database I create in the future, authentication required for read/write required should be the default.
I thought I could do this by setting require_valid_user to true, but now CouchDB always asks for username and password, so I need a way to exclude one database. This database should be readable for public and writeable for valid users then.
I get around this problem by authenticating all users through one single database (i.e. /login). That database is public, and contains a design document with an HTML file as an attachment. The user is served this file, fills out their credentials on a form, and I use jQuery.couch.js to authenticate and store a cookie in their browser. Once they've got a valid login, I inspect the userCtx object to check their role, and redirect them to the appropriate database.
It's a hack, but until CouchDB is able to serve a login page instead of a JSON error message whenever you're not logged into a database, it's the only reliable method I've found.
Make sure to protect your public login database with a validate_doc_update key in the design document, so nobody but admins can overwrite anything in it.
Hope this helps.
I have a asp.net application which is using form authentication, as this application is going to be online and we are looking for a secret login page by which we can login to any user account with only his username.
Is that possible?
EDIT
Or if there is any way I can read password from sql server aspnet_Users table, If I can convert it into plain text and use a general method to login. That would work for me
You can't "convert" it back. All hash functions are one-way only so there is no way to get original value.
Edit: There are 'rainbow' tables, which is basically dictionary of text-hash mapping. But they won't help you, because passwords are also salted in default Membership implementation.
I am using jquery.couch.js to do signup/login/logout to a CouchDB _users database in my Sproutcore application. Is anyone aware of a method for changing user _id and password?
As far as I know the user id cannot be changed but the password can.
The CouchDB documentation describes the process of changing a user password in detail, short:
Get the org.couchdb.user:<myuser> document
Add a password field with the plaintext password
Store the document back to the _users database
As soon as the document is in the database, the CouchDB rehashes the plaintext password using PBKDF2 (at least since CouchDB 1.3).
Unfortunately, there is no built-in API to do this. The best thing for now is to read the jquery.couch.js code for account creation and use the same code or algorithms to do account modification.
Specifically, you need to update the password_sha and salt values to change a password. To change a user name, you must make a new document, then delete the old document. Just keep the _id and name values in sync and you'll be okay.