Imagine being paid to improve your favorite CMS!

It could be you! Umbraco HQ are hiring and are looking for both talents and senior developers. Wonderful workplace, friendly colleagues and competitive salary.

Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Garth Egbert 4 posts 74 karma points
    Aug 09, 2017 @ 13:48
    Garth Egbert
    0

    Creating new members - password is stored as plain text

    When creating new members through the MemberService, or by creating a new Member() and calling member.Save(), the password appears in the database in plain text.

    These two methods appear to be the most intuitive ways to create a new member, yet these methods do not hash the password, despite the config setting (i.e. passwordFormat="Hashed")

    If I use MemberService.SavePassword() it does hash the password, but this approach requires me to modify the config setting: allowManuallyChangingPassword="true" which violates best recommended practice.

    I am very new to Umbraco, what is the correct workflow for creating new members and assigning a temporary password (hashed) so they can login?

  • jeffrey.schoemaker@perplex.nl 219 posts 806 karma points mvp c-trib
    Aug 10, 2017 @ 06:46
    jeffrey.schoemaker@perplex.nl
    0

    Hi Garth,

    welcome to Our!

    This sounds a bit strange, because I would have expected that if you create the Member the password is stored according to the settings on the MembershipProvider.

    A few questions that could help answering your question:

    • Which version of Umbraco are you using?
    • Can you share some code that you're using
    • Can you copy paste the web.config MembershipProvider line that you are using?

    And then we will try to solve this!

    Thanks,

    Jeffrey

  • Garth Egbert 4 posts 74 karma points
    Aug 10, 2017 @ 12:49
    Garth Egbert
    0

    Which version of Umbraco are you using?

    Currently we are on v7.6.4

    Can you share some code that you're using

    I have tried many variations of creating a new member with a default password. Here is a very simple version, two lines:

                    cmsMember = new Member(parms.lastName + ", " + parms.firstName, parms.email, parms.email, tempPassword, cmsMemberType);
                    membersvc.Save(cmsMember);
    

    Can you copy paste the web.config MembershipProvider line that you are using?

    [add name="UmbracoMembershipProvider" type="Umbraco.Web.Security.Providers.MembersMembershipProvider, Umbraco" minRequiredNonalphanumericCharacters="0" minRequiredPasswordLength="10" useLegacyEncoding="false" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" defaultMemberTypeAlias="Member" passwordFormat="Hashed" allowManuallyChangingPassword="false" /]

    As you can see in the "UmbracoMembershipProvider, "passwordFormat" is set to "Hashed". Execute the code above, with this "UmbracoMembershipProvider" definition, and the password will be stored in plain text.

    If this information is not clear in any way, please ask for additional clarification.

  • Sebastiaan Janssen 4460 posts 12341 karma points admin mvp hq
    Aug 11, 2017 @ 11:22
    Sebastiaan Janssen
    0

    First off, please make members in the following way:

            var member = memberService.CreateMember("test@test.com", "test@test.com", "Test", "Member");
            memberService.Save(member);
            memberService.SavePassword(member, "test123456");
    

    Second: there does seem to be a bug here, when saving the password you get This provider does not support manually changing the password. We should indeed fix that!

  • Garth Egbert 4 posts 74 karma points
    Aug 11, 2017 @ 14:27
    Garth Egbert
    0

    Sebastiaan, thank you for your reply. The code you provide is the way I am doing it for now now, as it will store the password hashed, but requirese that I modify the following config value:

    allowManuallyChangingPassword="true"

    I'm sorry if I wasn't clear, but I'm looking for a way to assign a temporary password, "HASHED", without changing the config, and the code I provided allows me to set the password with the recommended config value:

    allowManuallyChangingPassword="false"

    I hope that helps to clarify what I'm looking for:

    How can I store a hashed password without setting the allowManuallyChangingPassword value to false?

    Thank you for your response, I am very glad to see I am on the right track : )

  • Sebastiaan Janssen 4460 posts 12341 karma points admin mvp hq
    Aug 12, 2017 @ 09:56
    Sebastiaan Janssen
    0

    You can't do what you want to do right now, it's a bug we need to fix. For now allowManuallyChangingPassword needs to be false if you want to save someone's password. :)

  • Garth Egbert 4 posts 74 karma points
    Aug 12, 2017 @ 15:41
    Garth Egbert
    0

    Sebastiaan, thank you again for responding, I know now not to beat my head against the wall, which I really appreciate : )

  • Shannon Deminick 1399 posts 4663 karma points core hq
    Aug 29, 2017 @ 02:14
    Shannon Deminick
    1

    Hi all, there's some important things to know here:

    The IMemberService (just like all other services) is used to persist data to the database. So yes, setting a password directly on the member will go directly to the database, that is what it is designed to do. The IMemberService is not intended to wrap things like membership or ASP.NET identity implementations that are responsible for controlling things like passwords, it is designed to write to the database. In fact, the membership providers wrap the IMemberService ... we can't have both wrapping each other

    There are various ways to create members. The simplest way is to to use the MembershipHelper.RegisterMember which is what the razor macro snippets will use (i.e. create a partial view macro and use the Register one, this is what executes in the POST https://github.com/umbraco/Umbraco-CMS/blob/dev-v7/src/Umbraco.Web/Controllers/UmbRegisterController.cs#L25)

    Alternatively, you can create a Member directly via the ASP.NET MembershipProvider which handles the passwords and this is what the MembershipHelper will also do https://github.com/umbraco/Umbraco-CMS/blob/dev-v7/src/Umbraco.Web/Security/MembershipHelper.cs#L161

    This IMemberService.SavePassword method shouldn't really exist, but i it does so for now I've updated it's logic. See this issue for full details: http://issues.umbraco.org/issue/U4-10361 . With this update (coming in 7.6.6) you can use this method if:

    • You have AllowManuallyChangingPassword is true - this is not recommended since it exists for legacy reasons only and makes the APIs insecure
    • You've created a member without any password value (i.e. string.Empty)

    That said, I would recommend using the MembershipHelper or membeship provider APIs to create your members. Any password manipulation must be done via these APIs.

    In 7.8 we'll be porting in the UmbracoIdentity project https://github.com/shazwazza/umbracoidentity so that members are governed by ASP.NET Identity just like Users are now. We will maintain compat with old membership provider APIs too (just like Users are now) and this IMemberService.SavePassword will be obsoleted.

  • Sebastiaan Janssen 4460 posts 12341 karma points admin mvp hq
    Sep 01, 2017 @ 12:48
    Sebastiaan Janssen
    1

    FYI: memberService.SavePassword(member, "test123456"); will be possible again in v7.6.6.

    See http://issues.umbraco.org/issue/U4-10361

  • Shannon Deminick 1399 posts 4663 karma points core hq
    Sep 04, 2017 @ 06:02
    Shannon Deminick
    0

    So long as

    You've created a member without any password value (i.e. string.Empty)

    as per above

Please Sign in or register to post replies

Write your reply to:

Draft