  • Garth Egbert 4 posts 74 karma points
    1 week ago

    Creating new members - password is stored as plain text

    When creating new members through the MemberService, or by creating a new Member() and calling member.Save(), the password appears in the database in plain text.

    These two methods appear to be the most intuitive ways to create a new member, yet these methods do not hash the password, despite the config setting (i.e. passwordFormat="Hashed")

    If I use MemberService.SavePassword() it does hash the password, but this approach requires me to modify the config setting: allowManuallyChangingPassword="true" which violates best recommended practice.

    I am very new to Umbraco, what is the correct workflow for creating new members and assigning a temporary password (hashed) so they can login?

  • jeffrey.schoemaker@perplex.nl 211 posts 748 karma points mvp c-trib
    1 week ago

    Hi Garth,

    welcome to Our!

    This sounds a bit strange, because I would have expected that if you create the Member the password is stored according to the settings on the MembershipProvider.

    A few questions that could help in answering your question:

    • Which version of Umbraco are you using?
    • Can you share some code that you're using?
    • Can you copy paste the web.config MembershipProvider line that you are using?

    And then we will try to solve this!

    Thanks,

    Jeffrey

  • Garth Egbert 4 posts 74 karma points
    1 week ago

    Which version of Umbraco are you using?

    Currently we are on v7.6.4

    Can you share some code that you're using

    I have tried many variations of creating a new member with a default password. Here is a very simple version, two lines:

                    cmsMember = new Member(parms.lastName + ", " + parms.firstName, parms.email, parms.email, tempPassword, cmsMemberType);
                    membersvc.Save(cmsMember);
    

    Can you copy paste the web.config MembershipProvider line that you are using?

            <add name="UmbracoMembershipProvider" type="Umbraco.Web.Security.Providers.MembersMembershipProvider, Umbraco" minRequiredNonalphanumericCharacters="0" minRequiredPasswordLength="10" useLegacyEncoding="false" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" defaultMemberTypeAlias="Member" passwordFormat="Hashed" allowManuallyChangingPassword="false" />

    As you can see in the "UmbracoMembershipProvider", "passwordFormat" is set to "Hashed". Execute the code above, with this "UmbracoMembershipProvider" definition, and the password will be stored in plain text.

    If this information is not clear in any way, please ask for additional clarification.

  • Sebastiaan Janssen 4421 posts 12127 karma points admin mvp hq
    1 week ago

    First off, please make members in the following way:

            var member = memberService.CreateMember("test@test.com", "test@test.com", "Test", "Member");
            memberService.Save(member);
            memberService.SavePassword(member, "test123456");
    

    Second: there does seem to be a bug here, when saving the password you get "This provider does not support manually changing the password." We should indeed fix that!

  • Garth Egbert 4 posts 74 karma points
    1 week ago

    Sebastiaan, thank you for your reply. The code you provide is the way I am doing it for now, as it will store the password hashed, but requires that I modify the following config value:

    allowManuallyChangingPassword="true"

    I'm sorry if I wasn't clear, but I'm looking for a way to assign a temporary password, "HASHED", without changing the config, and the code I provided allows me to set the password with the recommended config value:

    allowManuallyChangingPassword="false"

    I hope that helps to clarify what I'm looking for:

    How can I store a hashed password without setting the allowManuallyChangingPassword value to false?

    Thank you for your response, I am very glad to see I am on the right track : )

  • Sebastiaan Janssen 4421 posts 12127 karma points admin mvp hq
    6 days ago

    You can't do what you want to do right now, it's a bug we need to fix. For now allowManuallyChangingPassword needs to be false if you want to save someone's password. :)

  • Garth Egbert 4 posts 74 karma points
    6 days ago

    Sebastiaan, thank you again for responding, I know now not to beat my head against the wall, which I really appreciate : )
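
An added example, not part of the original thread and not Umbraco's own code: a defensive wrapper around the three-call sequence from Sebastiaan's reply that re-fetches the member and refuses to keep the account if the stored value equals the plaintext. `MemberProvisioning` and `CreateWithTempPassword` are hypothetical names; it assumes Umbraco 7's `IMemberService` and `IMember.RawPasswordValue`, and a provider configuration under which `SavePassword` succeeds.

```csharp
using System;
using System.Web.Security;
using Umbraco.Core.Models;
using Umbraco.Core.Services;

// Hypothetical helper (not Umbraco code): provisions a member with a random
// temporary password and verifies the stored value is not the plaintext.
public static class MemberProvisioning
{
    public static IMember CreateWithTempPassword(
        IMemberService memberService, string email, string name,
        string memberTypeAlias, out string tempPassword)
    {
        // 16 characters, at least 2 non-alphanumeric; this satisfies the
        // minRequiredPasswordLength="10" setting from the thread.
        tempPassword = Membership.GeneratePassword(16, 2);

        var member = memberService.CreateMember(email, email, name, memberTypeAlias);
        memberService.Save(member);
        try
        {
            memberService.SavePassword(member, tempPassword);

            // Re-fetch through the service rather than trusting the
            // in-memory object that was just modified.
            var stored = memberService.GetById(member.Id);
            if (stored == null
                || string.IsNullOrEmpty(stored.RawPasswordValue)
                || string.Equals(stored.RawPasswordValue, tempPassword, StringComparison.Ordinal))
            {
                throw new InvalidOperationException(
                    "Member password was not stored hashed; check passwordFormat and how the member is created.");
            }
            return stored;
        }
        catch
        {
            // Do not leave behind an account with no password or a plaintext one.
            memberService.Delete(member);
            tempPassword = null;
            throw;
        }
    }
}
```

The equality check only catches the failure described in this thread (the plaintext written verbatim); it does not validate the strength or format of the hash.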
