I'm using an ASP.Net Membership provider to handle user accounts on my website and I've set the DeleteUser() function to only delete data from the aspnet_Membership table as I'd like to keep the user ID and details in aspnet_Users for auditing.
I've encountered a problem whereby if I delete a user "bob", when someone creates a new user with the same username, then instead of creating a new aspnet_Users record with a new UserId (it's a GUID by default) it will instead link the new aspnet_Membership table record to the previously created "bob" account.
This means rather than creating a new user that happens to have the same username, it's re-activating the old user and linking their activity history together.
Is there a way to force ASP.Net membership to create a new aspnet_users record instead of hijacking the old one?
Thanks!
Unfortunately it seems that the ASP.Net Membership SQL Provider generates the User ID GUID using the username as a seed. This means that without deleting the user (which you wouldn't want to do if you were keeping an audit history) there is no clean way of creating another user with the same User ID.
To resolve my issue I have done the following:
Allowed ASP.Net Membership to assign a membership record to the asp_user record as it does by default
Added an audit record to my audit table explicitly specifying that a user has been re-created
This will allow me to check when writing audit queries whether the user performing an action was once removed, and hence whether they're likely to be the same person or not.
Related
I am making a WebAPI service. I just used the ASP.NET WebAPI template with authentication. I was wondering how can we restrict DB entity access for those users who are already logged in. With [Authorize] we can restrict unauthorized users, which I have done. After login, they can access anything right now. Eg: I have a table Bill. With BillId, users who are authorized can access any entry in Bill table. How to restrict this? Currently Bill table has no relation with UserIdentity tables!!.
After thinking about the scenario, I have a solution [Not sure the best]. In all my controllers I can get the Userid [Authenticated user's id]. When a user adds data to any entity, I will add userid as a column to that entity and store userid. When any user looks for a resource, he will get only those resources which are of his Userid. I am not giving any relation to any user table but just adding the userid to all entities as a new column.
We are creating a new web app that will update/migrate an existing DB, including the user information. Since the passwords are SHA encrypted in the user table, I would need to migrate during runtime, as the users log in.
In order to do this, I want to hook into the user validation code - if the user exists in the new Identity user table, good - we're done - use it. Else check the old user table (and validate the password with the old password validation mechanism), create a user in the new Identity table, delete the old user from the old table (or flag as migrated), then return that new Identity user.
Is this a reasonable approach? Are there any examples of this I could use as a starting point?
Note: I would like to use the standard ASP.NET Identity 2.0 table structure with the exception that user ids will be int - since the existing schema relies on an int user id.
Edit: The existing web app will go away and we will replace it with the new web app (with ASP.NET Identity) but we will still point to the existing DB (containing the old user table and other data). The addition to the DB will be the new ASP.NET Identity tables and any updates to join to those tables instead of the old user table.
A a good way to deal with legacy password hashes described in the official migration guide: http://www.asp.net/identity/overview/migrations/migrating-an-existing-website-from-sql-membership-to-aspnet-identity
On that page search for SQLPasswordHasher and see how they do the password matching.
Basically the idea is simple - when you update your system to Identity you copy all the old users and their hashes (and salts) into new Identity table. Then you tell identity to use the above-mentioned SQLPasswordHasher to try to match either the old SHA hash or (for already updated users) the new-style hash. And (optionally) you can update the hash for freshly logged in users to the new-style.
I have done this with a few projects and there was not a single problem.
Looks like a good place would be in ApplicationOAuthProvider:GrantResourceOwnerCredentials, where we are doing a userManager.FindAsync() to look for user (with pw) in new User table. If that fails (user == null check), I'll add the code to look for user in old User table and if there (and password passes hash test), will create user in new User table with old User table data and new password hash - and then mark old User table record as "migrated" or "upgraded"
Right now we have several databases, each individual database has its own aspnet membership tables. We want to centralize all the membership to one database. For instance a main login page where they will specify the database, username and password. Then we would check on the centralized database and authenticate and redirect them to their account based on the database name they inputed on the textbox.
What is the best way to do this?, there maybe multiple usernames that are the same in different databases and this is my challenge.
ASP.Net Membership has Applications table. As long as you have different application name for different website, you can merge them into one big database; chances of duplicating user id (which is stored as uniqueid) is very low.
When user logins, you need the following 3 fields -
Application (this can be DropDownLis)
Username
Password
Create Own Validation
You cannot use custom Membership Provider to validate user which only accept username and password.
// ValidateUser method doesn't take any additional parameter
public bool ValidateUser(string username, string password)
So you need to implement own validation method to validate user from Merged Database.
Note
If you are redirecting to different website, please take a note of Form Authentication's limitation. For example, it cannot transfer authentication cookie from www.one.com to www.two.com
Are you able to assume that "user123" in database1 and "user123" in database2 are the same individual?
If so, you can just merge as DJ KRAZE suggested. If not, you'll have to create new users for the duplicated user names. You could write a fairly simple SQL script to do this by appending a number to the end of the ID.
Like.... found "john" in database 1, create "john1" user. As I recall, the aspnet_membership database comes with a pretty robust set of stored procedures for creating users and so forth that create all the proper table entries. I would definitely use those, rather than trying to freestyle insert/update statements, if you end up going that route
i believe you can select the database to connect to on your logincontrol. so create a dropdown where users can select the database to connect to and then use that selection as your database. have a look at number 4 on http://forums.asp.net/t/1403132.aspx/1
the selection can be the connectionstring name that specifies the database.
Based on my experience, the best thing you can do is prefix the usernames based on the source database on duplicates and delegate the consolidation to the end-user.
I am in the middle of a little project website where I have decided to create a basic messageboard that allows logged in users to write a comment (using a textbox) to which is added to the messageboard database and then displayed using a gridview.
When a user writes a comment I also want to display their username to the post (showing they are the poster) as well as the date (which I have managed to do already using GetDate()).
So far I have this.
I have a ASP.NETDB.MDF database which uses the .NET login functions to allow a user to sign up to my site and login. The default database creates IDNumber, Username etc fields.
I have a messageboard database which has the following fields. ID, UserName, Time, Comment.
So just to recap. When the user is logged in I want him to have the ability to go to the messageboard webpage and type in a comment using a textbox.
When he clicks the submit button the message typed will be added to the database and then shown through the gridview. His username and time of post needs to automatically be added to the post (which can be determined through the user being logged in to a unique login account (how I do this I have no idea!).
Should I join the tables? (i.e Username (from login table) with Username from messageboard table? Is there a better way to go about all of this?
Sorry for being noobish..! I am kind of new at this.
You should join the tables if there is data in the "login" Table that you need to show next to the comment that does not exist in the "messageboard" table.
For Example if you want to show UserName,Message then you don't need a join because username is already stored in the messageboard table. However, if you want to display FullName,Message and FullName is in the login table and message is in the messageboard table, you will need a join.
Try looking for some examples of what you are trying to do on the internet. There should be a lot out there, I have seen quite a few blog style examples with ASP.NET MVC.
Good Luck
Hi all i'm completely new to ASP.Net and C# so will explain as best as I can what I am after. I am using Visual Studio 2010 Ultimate (MSDNAA)
Basically I have setup up user registration and login using the wizard with the user data stored in aspnet_users table in the database ASPNETDB.MDF. I have also created in the data base a table called UserProfile with the fields, UserID, Address, Telephone, etc.
I have then created a relationship between the aspnet_users table and the UserProfile table by linking UserID.
What I am trying to do is create a profile page where users can insert and update their profile information. I have therefore created a page called userinfo.aspx and after following several tutorials, which often seem to be revolving around asp2, I have dragged in the FormView Option, and created a link to the database.
What I am stuck on is how I can get the current UserID that is logged on and display their information. My problem is under the WHERE option I cannot get it to use a current user as the source or is this totally wrong?
If you could advise me I would be grateful.
Matt
Session["USER_NAME"] = txt_uname.Text;
You have two forms userregistration and login form.
In user Registration you are inserting the details into database.
In Login Form, from textbox u will get the username and password. Check the username and password matching the Database. If it match then you have to maintain the username into session variable.