Click here to Skip to main content
13,352,408 members (60,827 online)
Click here to Skip to main content
Add your own
alternative version


14 bookmarked
Posted 16 Jan 2009

Manually validating an ASP.NET user account with a SHA1 hashed password

, 16 Jan 2009
Rate this:
Please Sign up or sign in to vote.
How to manually validate an ASP.NET Roles and Membership password using SHA1.


Recently, I came across a situation where I needed to provide the same authentication service provided by the ASP.NET Roles and Membership provider, but on a mobile device. A mobile device would sync to a backend database, pulling down all the aspNet_XXXX tables. The user of the mobile device would then be able to validate their account against the mobile device using their existing ASP.NET Roles and Membership credentials.

Using the code

The code below first demonstrates checking for a username match, and then comparing the password hash originally generated by the user to the hash created with the password they have supplied the program.

In the last lines of the program, I persist the user data so that it is available to the rest of the program.

public bool LogonUser(string userName, string passWord)
    Guid userID = Guid.Empty;
    string originalHash = "";
    string saltValue = "";
    DataLayer dataLayer = new DataLayer();

    // first check for a username
        string SQL =
        " Select    aspnet_Membership.UserId, "
        + "        Password, "
        + "         PasswordSalt "
        + " From    aspnet_Membership inner join  "
        + "         aspnet_Users on aspnet_Membership.UserID" 
        + " = aspnet_Users.UserID "
        + " Where    LoweredUserName = @p1 ";

        SqlCeCommand sqlCeCommand = new SqlCeCommand(SQL, 
        SqlCeParameter param1 = 
        param1.Value = userName.ToLower();

        SqlCeDataReader reader = sqlCeCommand.ExecuteReader();
        while (reader.Read())
            userID = reader.GetGuid(0);
            originalHash = reader.GetString(1);
            saltValue = reader.GetString(2);

    catch (Exception ex)
        new Logger().Log(ex);
        throw ex;

    // username exists
    if (userID.CompareTo(Guid.Empty) != 0)

        // compare password hashes
        byte[] bIn = Encoding.Unicode.GetBytes(passWord);
        byte[] bSalt = Convert.FromBase64String(saltValue);
        byte[] bAll = new byte[bSalt.Length + bIn.Length];
        byte[] bRet = null;

        Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
        Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);

        HashAlgorithm s = HashAlgorithm.Create("SHA1");

        bRet = s.ComputeHash(bAll);
        string newHash = Convert.ToBase64String(bRet);

        // check the hash in the datbase matched the new hash we generated
        if (originalHash != newHash)
            throw new Exception("Incorrect Username/Password" + 
                                " combination. Please try again");

        throw new Exception("Incorrect Username/Password" + 
                            " combination. Please try again");

    // store the users credentials in the config object for app instance use
    Config.UserID = userID;
    Config.UserName = userName;
    Config.PassWord = passWord;

    return true;


It took me a while to get this, so hopefully, this will save someone else scratching their head!


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Malcolm Swaine
Software Developer (Senior)
Thailand Thailand
Professional freelance business software developer working from Thailand.

You may also be interested in...


Comments and Discussions

GeneralCheers Pin
Giles Park10-Sep-09 0:03
memberGiles Park10-Sep-09 0:03 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Terms of Use | Mobile
Web03 | 2.8.180111.1 | Last Updated 16 Jan 2009
Article Copyright 2009 by Malcolm Swaine
Everything else Copyright © CodeProject, 1999-2018
Layout: fixed | fluid