protected virtual bool SetUserPassword(string username, string password, bool expireNow)
{
bool success = false;
if (!String.IsNullOrEmpty(password))
{
Historia.Framework.Security.SecurePassword newpass = new Historia.Framework.Security.SecurePassword(password);
using (SqlConnection conn = new SqlConnection(connectionString))
{
using (SqlCommand cmd = conn.CreateCommand())
{
cmd.CommandType = CommandType.StoredProcedure;
cmd.CommandText = "pr_Membership_ChangePassword";
cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 100).Value = username;
cmd.Parameters.Add("@Password", SqlDbType.VarBinary, 40).Value = newpass.Encrypted;
cmd.Parameters.Add("@ExpireInDays", SqlDbType.Int).Value = (expireNow ? 0 : this.passwordExpirationDays);
try
{
cmd.Connection.Open();
success = (cmd.ExecuteNonQuery() > 0);
}
finally
{
cmd.Connection.Close();
}
}
}
}
return(success);
}
public override bool ChangePassword(string username, string oldPassword, string newPassword)
{
if (String.IsNullOrEmpty(newPassword))
{
throw new ArgumentException("The new password is required.");
}
if (oldPassword != null && newPassword == oldPassword)
{
throw new ArgumentException("The new password must be different than the current password.");
}
if (newPassword.Length < this.MinRequiredPasswordLength)
{
throw new ArgumentException(String.Format("The new password must be at least {0} characters long.", this.MinRequiredPasswordLength));
}
if (System.Text.RegularExpressions.Regex.Replace(newPassword, @"[^\W_]", "").Length < this.MinRequiredNonAlphanumericCharacters)
{
throw new ArgumentException(String.Format("The new password must contain at least {0} symbolic {1}.", this.MinRequiredNonAlphanumericCharacters, (this.MinRequiredNonAlphanumericCharacters == 1 ? "character" : "characters")));
}
if (!String.IsNullOrEmpty(this.PasswordStrengthRegularExpression) && !System.Text.RegularExpressions.Regex.IsMatch(newPassword, this.PasswordStrengthRegularExpression))
{
throw new ArgumentException(String.Format("The new password does not meet the minimum requirements."));
}
string connectionString = ConfigurationManager.ConnectionStrings["HistoriaConnectionString"].ConnectionString;
if (String.IsNullOrEmpty(connectionString))
{
throw new Exception("HistoriaConnectionString is required in the web.config");
}
bool oldPasswordMatched = true;
bool noHistoricalMatch = true;
using (SqlConnection conn = new SqlConnection(connectionString))
{
using (SqlCommand cmd = conn.CreateCommand())
{
cmd.CommandType = CommandType.StoredProcedure;
cmd.CommandText = "pr_Membership_GetPasswordHistory";
cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 100).Value = username ?? "";
cmd.Parameters.Add("@CurrentPassword", SqlDbType.VarBinary, 40).Direction = ParameterDirection.Output;
cmd.Parameters.Add("@MinimumDays", SqlDbType.Int).Value = (this.passwordExpirationDays * this.minPasswordHistory);
try
{
cmd.Connection.Open();
using (SqlDataReader dr = cmd.ExecuteReader())
{
int count = 0;
while (dr.Read() && noHistoricalMatch && (++count <= this.MinPasswordHistory || true.Equals(dr["Restricted"])))
{
Security.SecurePassword lastPass = new Historia.Framework.Security.SecurePassword((byte[])dr["Password"]);
noHistoricalMatch = !lastPass.IsEqual(newPassword);
}
dr.Close();
}
}
finally
{
cmd.Connection.Close();
}
if (!Convert.IsDBNull(cmd.Parameters["@CurrentPassword"].Value))
{
Security.SecurePassword currPass = new Historia.Framework.Security.SecurePassword((byte[])cmd.Parameters["@CurrentPassword"].Value);
oldPasswordMatched = currPass.IsEqual(oldPassword);
}
}
}
if (!oldPasswordMatched)
{
throw new ArgumentException("The current password was not correct.");
}
else if (!noHistoricalMatch)
{
throw new ArgumentException("Please create a new password that has not been used recently.");
}
return(SetUserPassword(username, newPassword, false));
}
public override bool ValidateUser(string username, string password)
{
bool success = false;
using (SqlConnection conn = new SqlConnection(connectionString))
{
Guid userId = Guid.Empty;
Historia.Framework.Security.SecurePassword pw = null;
bool matched = false;
bool lockedOut = false;
bool userActive = true;
using (SqlCommand cmd = conn.CreateCommand())
{
cmd.CommandType = CommandType.StoredProcedure;
cmd.CommandText = "Membership_ValidateUser";
cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 100).Value = username;
cmd.Parameters.Add("@MaxAttempts", SqlDbType.Int).Value = this.MaxInvalidPasswordAttempts;
cmd.Parameters.Add("@LockoutMinutes", SqlDbType.Int).Value = this.PasswordAttemptWindow;
try
{
cmd.Connection.Open();
using (SqlDataReader dr = cmd.ExecuteReader())
{
if (dr.Read())
{
userId = dr.GetGuid(0);
if (!dr.IsDBNull(1))
{
pw = new Historia.Framework.Security.SecurePassword((byte[])dr[1]);
}
lockedOut = true.Equals(dr[2]);
userActive = true.Equals(dr[3]);
}
dr.Close();
}
}
finally
{
cmd.Connection.Close();
}
}
if (pw != null)
{
matched = pw.IsEqual(password);
if (matched)
{
if (pw.Encrypted.Length == 16) // automatically replace the old MD5 version
{
Historia.Framework.Security.SecurePassword newPwd = new Historia.Framework.Security.SecurePassword(pw.Password);
using (SqlCommand cmd = conn.CreateCommand())
{
cmd.CommandType = CommandType.StoredProcedure;
cmd.CommandText = "pr_Membership_ChangePasswordHashType";
cmd.Parameters.Add("@UserID", SqlDbType.UniqueIdentifier).Value = userId;
cmd.Parameters.Add("@OldPassword", SqlDbType.VarBinary, 40).Value = pw.Encrypted;
cmd.Parameters.Add("@NewPassword", SqlDbType.VarBinary, 40).Value = newPwd.Encrypted;
try
{
cmd.Connection.Open();
cmd.ExecuteNonQuery();
}
finally
{
cmd.Connection.Close();
}
}
}
if (userActive && !lockedOut)
{
success = true;
if (HttpContext.Current != null)
{
try { HttpContext.Current.Session.Abandon(); }
catch { }
}
}
}
}
using (SqlCommand cmd = conn.CreateCommand())
{
cmd.CommandType = CommandType.StoredProcedure;
cmd.CommandText = "Membership_AuditLogin";
//if (BFC.Admin.Web.Page.Current != null) //TODO: re-implement this
cmd.Parameters.Add("@AuditTrailID", SqlDbType.UniqueIdentifier).Value = null; // BFC.Admin.Web.Page.Current.AuditTrailID;
if (HttpContext.Current != null)
{
cmd.Parameters.Add("@IPAddress", SqlDbType.VarChar, 50).Value = HttpContext.Current.Request.UserHostAddress;
}
cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 100).Value = username;
if (userId != Guid.Empty && !matched) // only store the hash if the user was found and the password didn't match
{
cmd.Parameters.Add("@PasswordHash", SqlDbType.Binary, 16).Value = Historia.Framework.Utility.sha256Hash(password);
}
// NOTE: the order DOES matter here...
byte result = byte.MaxValue;
if (success) // successful login
{
result = 0;
}
else if (userId == Guid.Empty) // user not found
{
result = 1;
}
else if (!userActive)
{
result = 4;
}
else if (lockedOut) // user is temporarily locked out
{
result = 3;
}
else if (!matched) // invalid password
{
result = 2;
}
cmd.Parameters.Add("@Result", SqlDbType.TinyInt).Value = result;
try
{
cmd.Connection.Open();
cmd.ExecuteNonQuery();
}
finally
{
cmd.Connection.Close();
}
}
}
return(success);
}
