Hello. I have the following problem, and I can't understand why this
is happening (I must be missing something): I store the salted password
hash and the salt in the db.
When authenticating, I take the given password, I salt and hash it, and I
compare. The comparison is ALWAYS false, even if the password is
correct, and the saving/retrieval is fine.
What am I doing wrong? Thank you very much.
-------------------------------------------------------------------------------------------------------------------------------------------
/// <summary>
/// In-memory view of a stored account: the row identifier, the login name,
/// the Base64 salt generated at registration, and the hash computed over
/// salt + password (the values insertUser writes). The clear-text password
/// is never held here.
/// </summary>
private class User
{
    /// <summary>Database identifier of the account row.</summary>
    public int ID { get; set; }

    /// <summary>Login name used for the lookup during authentication.</summary>
    public string Username { get; set; }

    /// <summary>Random salt, Base64-encoded, stored next to the hash.</summary>
    public string Salt { get; set; }

    /// <summary>Hash of salt + password as produced at registration.</summary>
    public string Pass { get; set; }
}
-------------------------------------------------------------------------------------------------------------------------------------------
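/// <summary>
/// Registers a new account: generates a random salt, hashes salt + password,
/// and stores the salt and the hash (never the clear-text password).
/// </summary>
/// <param name="username">Login name of the new account.</param>
/// <param name="password">Clear-text password chosen by the user.</param>
/// <returns>true when the row was written (SaveChanges reported at least one change).</returns>
/// <exception cref="ArgumentNullException">username or password is null.</exception>
/// <exception cref="Exception">Any failure inside the data layer, with the cause as InnerException.</exception>
public bool insertUser(String username, string password)
{
    // Reject missing credentials before the catch-all below can mask them:
    // "salt + null" would silently hash the salt alone and store an account
    // whose effective password is the empty string.
    if (username == null)
    {
        throw new ArgumentNullException("username");
    }
    if (password == null)
    {
        throw new ArgumentNullException("password");
    }

    try
    {
        // 16 random bytes from the cryptographic RNG, Base64-encoded so that
        // authenticateUser can rebuild exactly the same "salt + password" input
        // from the stored string. The provider is disposable, so scope it.
        const int saltSizeBytes = 16;
        byte[] saltBytes = new byte[saltSizeBytes];
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(saltBytes);
        }
        string salt = Convert.ToBase64String(saltBytes);

        // NOTE(review): one round of SHA1 over salt + password is cheap to
        // brute-force offline; a slow, iterated KDF (PBKDF2 via
        // Rfc2898DeriveBytes) is the recommended replacement. Kept as-is here
        // because authenticateUser must compute the identical value for the
        // rows this method writes — change both methods (and migrate existing
        // rows) together.
        string hashedPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(
            salt + password,
            System.Web.Configuration.FormsAuthPasswordFormat.SHA1.ToString());

        // The entity type queried in authenticateUser is operationModelNamespace.user
        // (entity set "user"), so the same type is instantiated here; the original
        // mixed `user` and `User`. If the private User DTO was meant, map it onto
        // the entity before AddObject — confirm against the model.
        user newUser = new user
        {
            Username = username,
            Salt = salt,
            Pass = hashedPassword
        };
        db.AddObject("user", newUser);
        return db.SaveChanges() > 0;
    }
    catch (Exception ex)
    {
        // Wrap rather than replace so the original cause stays reachable.
        throw new Exception("Data error in the DAL layer, method 'insertUser':", ex);
    }
}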
--------------------------------------------------------------------------------------------------------------------------------------
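/// <summary>
/// Verifies a login attempt: looks the user up by name (case-insensitive),
/// recomputes the hash over the stored salt + given password, and compares it
/// with the stored hash.
/// </summary>
/// <param name="username">Login name presented by the caller.</param>
/// <param name="password">Clear-text password presented by the caller.</param>
/// <returns>true only when the user exists and the recomputed hash equals the stored one.</returns>
/// <exception cref="ArgumentNullException">username or password is null.</exception>
/// <exception cref="Exception">Any failure inside the data layer, with the cause as InnerException.</exception>
public bool authenticateUser(String username, string password)
{
    // Validate before the try block so the catch-all does not rewrap a plain
    // argument error as a "data error".
    if (username == null)
    {
        throw new ArgumentNullException("username");
    }
    if (password == null)
    {
        throw new ArgumentNullException("password");
    }

    try
    {
        // Case-insensitive lookup, evaluated by the data provider.
        operationModelNamespace.user foundUser =
            db.users.FirstOrDefault(u => u.UserName.ToUpper() == username.ToUpper());

        if (foundUser == null)
        {
            // Unknown user yields the same result as a wrong password, so the
            // caller cannot tell the two cases apart from the return value.
            return false;
        }

        // NOTE(review): this comparison can only succeed when Salt and Pass
        // come back from the database byte-identical to what insertUser wrote.
        // Fixed-width char/nchar columns pad values with trailing spaces, and a
        // column narrower than the 24-character Base64 salt or the 40-character
        // SHA1 hex digest truncates them — either makes the recomputed hash
        // differ every time. Check the column definitions and compare
        // foundUser.Salt / foundUser.Pass against the stored row to confirm.
        string givenPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(
            foundUser.Salt + password,
            System.Web.Configuration.FormsAuthPasswordFormat.SHA1.ToString());

        // string == is an ordinal comparison, which is what two hex digests
        // need. NOTE(review): it is not constant-time; where the runtime offers
        // CryptographicOperations.FixedTimeEquals, prefer it for hash comparison.
        return foundUser.Pass == givenPassword;
    }
    catch (Exception ex)
    {
        // Wrap rather than replace so the original cause stays reachable.
        throw new Exception("Data error in the DAL layer, method 'authenticateUser':", ex);
    }
}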