Click here to Skip to main content
15,860,844 members
Articles / Mobile Apps / Windows Mobile

Manually validating an ASP.NET user account with a SHA1 hashed password

Rate me:
Please Sign up or sign in to vote.
4.78/5 (5 votes)
16 Jan 2009CPOL 33.4K   3   16   5
How to manually validate an ASP.NET Roles and Membership password using SHA1.

Introduction

Recently, I came across a situation where I needed to provide the same authentication service provided by the ASP.NET Roles and Membership provider, but on a mobile device. A mobile device would sync to a backend database, pulling down all the aspNet_XXXX tables. The user of the mobile device would then be able to validate their account against the mobile device using their existing ASP.NET Roles and Membership credentials.

Using the code

The code below first demonstrates checking for a username match, and then comparing the password hash originally generated by the user to the hash created with the password they have supplied the program.

In the last lines of the program, I persist the user data so that it is available to the rest of the program.

C#
public bool LogonUser(string userName, string passWord)
{
    Guid userID = Guid.Empty;
    string originalHash = "";
    string saltValue = "";
    DataLayer dataLayer = new DataLayer();

    // first check for a username
    try
    {
        string SQL =
        " Select    aspnet_Membership.UserId, "
        + "        Password, "
        + "         PasswordSalt "
        + " From    aspnet_Membership inner join  "
        + "         aspnet_Users on aspnet_Membership.UserID" 
        + " = aspnet_Users.UserID "
        + " Where    LoweredUserName = @p1 ";

        SqlCeCommand sqlCeCommand = new SqlCeCommand(SQL, 
                     dataLayer.GetOpenConnection);
        SqlCeParameter param1 = 
          sqlCeCommand.Parameters.Add("p1", 
                       System.Data.SqlDbType.NVarChar);
        param1.Value = userName.ToLower();

        SqlCeDataReader reader = sqlCeCommand.ExecuteReader();
        while (reader.Read())
        {
            userID = reader.GetGuid(0);
            originalHash = reader.GetString(1);
            saltValue = reader.GetString(2);
            break;
        }

        reader.Close();
    }
    catch (Exception ex)
    {
        new Logger().Log(ex);
        throw ex;
    }
    finally
    {
        dataLayer.CloseSQLConnection();
    }

    // username exists
    if (userID.CompareTo(Guid.Empty) != 0)
    {

        // compare password hashes
        byte[] bIn = Encoding.Unicode.GetBytes(passWord);
        byte[] bSalt = Convert.FromBase64String(saltValue);
        byte[] bAll = new byte[bSalt.Length + bIn.Length];
        byte[] bRet = null;

        Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
        Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);

        HashAlgorithm s = HashAlgorithm.Create("SHA1");

        bRet = s.ComputeHash(bAll);
        string newHash = Convert.ToBase64String(bRet);

        // check the hash in the datbase matched the new hash we generated
        if (originalHash != newHash)
            throw new Exception("Incorrect Username/Password" + 
                                " combination. Please try again");

    }
    else
    {
        throw new Exception("Incorrect Username/Password" + 
                            " combination. Please try again");
    }

    // store the users credentials in the config object for app instance use
    Config.UserID = userID;
    Config.UserName = userName;
    Config.PassWord = passWord;

    return true;

}

It took me a while to get this, so hopefully, this will save someone else scratching their head!

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Software Developer (Senior) www.malcolmswaine.com
Thailand Thailand
Professional freelance business software developer working from Thailand.

Comments and Discussions

 
QuestionThank you! Pin
BR920-Aug-18 2:05
BR920-Aug-18 2:05 
GeneralMy vote of 5 Pin
AssemblySoft26-Nov-12 5:33
AssemblySoft26-Nov-12 5:33 
QuestionThanks. Worked great. Pin
Paul Brown16-Nov-12 9:03
Paul Brown16-Nov-12 9:03 
GeneralCheers Pin
Giles Park9-Sep-09 23:03
Giles Park9-Sep-09 23:03 
Generalif saltValue is empty Pin
Haozes16-Jan-09 16:23
Haozes16-Jan-09 16:23 
this method does not work very well or very strong if "saltValue" is empty,isn't it?

welcome to my blog:http://solo.cnblogs.com

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.