BUG Membership Provider - EncodePassword methods

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

This is the place to report bugs and get support

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum.
This thread is closed to new posts. You must sign in to post in the forums.
4/20/2012 9:16:52 AM
Simone Sanfilippo
Gravatar
Total Posts 11
View Posts
Simone Sanfilippo

Membership Provider - EncodePassword methods

Hi at all,
today me and my colleague found a serious problem in EncodePassword method.

We work on a project were we can import user and data from another web system, and we use the simple method public string EncodePassword(string pass, SiteSettings site), in mojoMembershipProvider.cs, but this method isn't the same method that the mojoPortal call when create a new user or update it self. This method that we use create a password without the concatenation of password salt and password, and our password are all not recognized in login system.

I think that is better way to refactor this method as private method, or declare it obsolete, because can create confusion in more application that use mojoPortal as storage for external application.

Best regards,
Simone Sanfilippo

4/20/2012 9:41:15 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: BUG Membership Provider - EncodePassword methods

Hi Simone,

I'm sorry our change to a stronger encryption with salt caused a problem for your custom code but it is not a bug and that method is not obsolete, it can be and is still used from our password reset page so it cannot be made private but the salt has to be concatenated with the password before passing it into that method. I will update the description on that method to indicate that the password salt should be concatenated with the password before passing it into this method.

These security updates were announced in the release notes for version 2.3.8.1

Best Regards,

Joe

4/20/2012 10:12:22 AM
Simone Sanfilippo
Gravatar
Total Posts 11
View Posts
Simone Sanfilippo

Re: BUG Membership Provider - EncodePassword methods

Hi Joe,

thanks for quick reply. Sorry for report as bug when isn't a bug or obsolete method.

Probably the best way is the summary section that describe the correct mode to use it.

Best regards,

Simone Sanfilippo

You must sign in to post in the forums. This thread is closed to new posts.