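/// <summary>
/// Registers a new user. On entry <paramref name="user"/>.PasswordHash must hold the raw
/// password; it is replaced by the salted hash before the user is persisted, and an initial
/// session is opened for the new account.
/// </summary>
/// <param name="user">A user whose PasswordHash property carries the raw password; it is turned into a salted hash as part of registration.</param>
/// <param name="duration">The amount of time that the initial session will be valid.</param>
/// <param name="ipAddress">The internet address where the user is connecting from.</param>
/// <param name="result">An ExecutionResults instance to add applicable warning and error messages to.</param>
/// <returns>
/// The authenticated identity of the new user on success, or an empty <c>cs.UserIdentity</c>
/// when name/password validation fails or the name is already taken (details are appended
/// to <paramref name="result"/>). Note: not a boolean, despite what earlier docs said.
/// </returns>
public override UserIdentity RegisterUser(User user, UserSessionDurationType duration, String ipAddress, ExecutionResults result)
{
    // The caller passes the raw password in the hash slot; capture it before it is overwritten.
    string password = user.PasswordHash;
    if (!ValidateName(user.Name, result) || !ValidatePassword(password, result))
    {
        return new cs.UserIdentity();
    }

    // Seed the user table with deleted users carrying names you don't want users to have;
    // the message is deliberately generic so it does not confirm which names exist.
    // NOTE(review): this check-then-insert is racy under concurrent registrations; a unique
    // constraint on the name column is still required to make it airtight.
    var existing = GetUserByName(user.Name);
    if (existing != null)
    {
        result.AppendError("The name you specified cannot be used.");
        return new cs.UserIdentity();
    }

    if (user.UserID.Equals(Guid.Empty))
    {
        user.UserID = Guid.NewGuid();
    }

    HashProvider hasher = HashManager.SelectProvider();
    var salt = new UserSalt
    {
        PasswordSalt = hasher.GetSalt(),
        UserID = user.UserID,
        // HashGroup is stored next to the salt and only perturbs the iteration count, so it is
        // not a secret; but seeding Random with DateTime.Now.Second collapsed it to 60 possible
        // values and gave every registration within the same second the same group.
        HashGroup = new Random().Next(HashGroupMinimum, HashGroupMaximum),
        HashName = hasher.Name
    };
    user.PasswordHash = hasher.Hash(salt.PasswordSalt, password, salt.HashGroup + BaseHashIterations);

    using (var scope = new System.Transactions.TransactionScope())
    {
        SaveUser(user);      // starts as a lightweight transaction
        SaveUserSalt(salt);  // enlists in a full distributed transaction if users and salts have different connection strings
        // A TransactionScope that is disposed without Complete() rolls back everything enlisted in it.
        scope.Complete();
    }

    // Skip the failure-history check and the rehash path: the hash was produced a moment ago.
    return AuthenticateUser(name: user.Name, password: password, duration: duration, ipAddress: ipAddress, checkHistory: false, allowUpdateHash: false, result: result);
}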
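/// <summary>
/// Sets a new password for the account selected in <paramref name="evm"/>: the existing
/// salt and hash rows are removed and replaced with a freshly generated salt/hash pair.
/// </summary>
/// <param name="evm">Carries <c>selectedEmail</c> (the account to change) and <c>password</c> (the new raw password); its <c>emails</c> list is refreshed for the view.</param>
/// <returns>The "RestorePassword" view with a status message in <c>ViewData["msg"]</c>.</returns>
public ActionResult SubmitCngPass(EmailsVM evm)
{
    // NOTE(review): this action resets another account's password. The action/controller
    // attributes are not visible here — confirm it is restricted to administrators and
    // accepts POST only with anti-forgery validation.
    DataLayer dl = new DataLayer();

    // Refuse to hash an empty password; the original would have stored whatever
    // CreateHash produces for "".
    if (string.IsNullOrEmpty(evm.password))
    {
        ViewData["msg"] = "Password cannot be empty!";
        evm.emails = (from u in dl.users select u.Email).ToList<string>();
        return View("RestorePassword", evm);
    }

    string selectedUpper = (evm.selectedEmail ?? string.Empty).ToUpper();
    User oldUser = (from x in dl.users
                    where x.Email.ToUpper() == selectedUpper
                    select x).FirstOrDefault();
    if (oldUser == null)
    {
        // Previously a missing account dereferenced null a few lines below.
        ViewData["msg"] = "User does not exist!";
        evm.emails = (from u in dl.users select u.Email).ToList<string>();
        return View("RestorePassword", evm);
    }

    Encryption encryption = new Encryption();
    string hashAndSalt = encryption.CreateHash(evm.password);
    string[] split = hashAndSalt.Split(':');
    if (split.Length != 2)
    {
        // split[0] is stored as the salt and split[1] as the hash; anything else is a contract violation.
        throw new InvalidOperationException("Encryption.CreateHash did not return a 'salt:hash' pair.");
    }

    // Compare both sides upper-cased. The original compared an upper-cased column with the
    // raw stored e-mail, which only matched when the stored value was already upper case,
    // leaving the old rows in place and passing null to Remove().
    string emailUpper = oldUser.Email.ToUpper();
    UserSalt us = (from u in dl.userSalt where u.Email.ToUpper() == emailUpper select u).FirstOrDefault();
    UserPass up = (from u in dl.userPass where u.Email.ToUpper() == emailUpper select u).FirstOrDefault();
    if (us != null)
    {
        dl.userSalt.Remove(us);
    }
    if (up != null)
    {
        dl.userPass.Remove(up);
    }

    dl.userSalt.Add(new UserSalt { Email = oldUser.Email, Salt = split[0] });
    dl.userPass.Add(new UserPass { Email = oldUser.Email, Password = split[1] });
    dl.SaveChanges();

    ViewData["msg"] = "User's password changed!";
    evm.emails = (from u in dl.users select u.Email).ToList<string>();
    return View("RestorePassword", evm);
}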
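/// <summary>
/// Inserts (when <c>RecordID == 0</c>) or updates the row for <paramref name="salt"/> in
/// <c>Security.UserSalt</c>. All values travel as SQL parameters; nothing is concatenated
/// into the statement text.
/// </summary>
/// <param name="salt">Salt record to persist. <c>RecordID == 0</c> selects the insert path; otherwise the row matching <c>UserID</c> is updated, including its reset-code columns.</param>
private void SaveUserSalt(UserSalt salt)
{
    using (var cn = new SqlConnection(ConnectionStringUserSalt))
    {
        cn.Open();
        using (var cmd = new SqlCommand())
        {
            cmd.Connection = cn;
            cmd.CommandType = System.Data.CommandType.Text;
            if (salt.RecordID == 0)
            {
                cmd.CommandText = @"insert into Security.UserSalt (UserID, PasswordSalt, HashGroup, HashName) Values (@UserID, @PasswordSalt, @HashGroup, @HashName)";
                cmd.Parameters.AddWithValue("UserID", salt.UserID);
                cmd.Parameters.AddWithValue("PasswordSalt", salt.PasswordSalt);
                cmd.Parameters.AddWithValue("HashGroup", salt.HashGroup);
                cmd.Parameters.AddWithValue("HashName", salt.HashName);
            }
            else
            {
                cmd.CommandText = @"update Security.UserSalt set PasswordSalt = @PasswordSalt, ResetCode = @ResetCode, ResetCodeExpiration = @ResetCodeExpiration, HashGroup = @HashGroup, HashName = @HashName where UserID = @UserID";
                cmd.Parameters.AddWithValue("PasswordSalt", salt.PasswordSalt);
                // A parameter whose Value is a CLR null is not sent at all, and SQL Server then
                // rejects the statement ("expects the parameter '@ResetCode', which was not
                // supplied"). A cleared reset code — the normal state after a reset is consumed or
                // on a routine rehash — must be sent as DBNull. The same cast is harmless if
                // ResetCodeExpiration is a non-nullable DateTime.
                cmd.Parameters.AddWithValue("ResetCode", (object)salt.ResetCode ?? DBNull.Value);
                cmd.Parameters.AddWithValue("ResetCodeExpiration", (object)salt.ResetCodeExpiration ?? DBNull.Value);
                cmd.Parameters.AddWithValue("HashGroup", salt.HashGroup);
                cmd.Parameters.AddWithValue("HashName", salt.HashName);
                cmd.Parameters.AddWithValue("UserID", salt.UserID);
            }
            cmd.ExecuteNonQuery();
        }
    }
}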
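/// <summary>
/// Deletes the account selected in <paramref name="evm"/> together with its salt and
/// password rows.
/// </summary>
/// <param name="evm">Carries <c>selectedEmail</c>; its <c>emails</c> list is refreshed for the view (after the deletion, so the removed account is not listed).</param>
/// <returns>The "DeleteUser" view with a status message in <c>ViewData["msg"]</c>.</returns>
public ActionResult SubmitDeleteUser(EmailsVM evm)
{
    // NOTE(review): destructive admin action — the attributes are not visible here; confirm
    // authorization, POST-only and anti-forgery validation on the controller/action.
    DataLayer dl = new DataLayer();

    // A null selection previously threw on .ToUpper(); treat it as "no such user".
    string selectedUpper = (evm.selectedEmail ?? string.Empty).ToUpper();
    List<string> email = (from u in dl.users
                          where u.Email.ToUpper() == selectedUpper
                          select u.Email).ToList<string>();
    if (email.Count != 1)
    {
        evm.emails = (from u in dl.users select u.Email).ToList<string>();
        ViewData["msg"] = "User does not exist!";
        return View("DeleteUser", evm);
    }

    string eml = email[0].ToUpper();
    User usr = (from u in dl.users where u.Email.ToUpper() == eml select u).FirstOrDefault();
    UserSalt us = (from u in dl.userSalt where u.Email.ToUpper() == eml select u).FirstOrDefault();
    UserPass up = (from u in dl.userPass where u.Email.ToUpper() == eml select u).FirstOrDefault();

    // DbSet.Remove(null) throws ArgumentNullException; an account may legitimately be missing
    // its salt or password row (e.g. a half-completed earlier delete or reset).
    if (us != null)
    {
        dl.userSalt.Remove(us);
    }
    if (up != null)
    {
        dl.userPass.Remove(up);
    }
    if (usr != null)
    {
        dl.users.Remove(usr);
    }
    dl.SaveChanges();

    // Refresh after the delete so the view does not still list the removed account.
    evm.emails = (from u in dl.users select u.Email).ToList<string>();
    ViewData["msg"] = "User deleted!";
    return View("DeleteUser", evm);
}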
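/// <summary>
/// Creates a new account from the posted <paramref name="user"/>, storing the salt and the
/// password hash in their own tables. Rejects the request when model validation fails or an
/// account with the same e-mail (case-insensitive) already exists.
/// </summary>
/// <param name="user">Posted registration data; <c>Pass</c> is the raw password.</param>
/// <returns>The "AddUser" view: with the submitted model and <c>ViewData["msg"]</c> on failure, or with a blank model and <c>ViewData["msgsc"]</c> on success.</returns>
public ActionResult SubmitUser(User user)
{
    if (!ModelState.IsValid)
    {
        return View("AddUser", user);
    }

    DataLayer dl = new DataLayer();
    string emailUpper = (user.Email ?? string.Empty).ToUpper();
    bool alreadyExists = (from u in dl.users where u.Email.ToUpper() == emailUpper select u).Any();
    if (alreadyExists)
    {
        ViewData["msg"] = "Username already exists!";
        return View("AddUser", user);
    }

    Encryption encryption = new Encryption();
    string hashAndSalt = encryption.CreateHash(user.Pass);
    string[] split = hashAndSalt.Split(':');
    if (split.Length != 2)
    {
        // split[0] is stored as the salt and split[1] as the hash; a different shape would
        // otherwise surface as an IndexOutOfRangeException below.
        throw new InvalidOperationException("Encryption.CreateHash did not return a 'salt:hash' pair.");
    }

    UserSalt us = new UserSalt { Email = user.Email, Salt = split[0] };
    UserPass up = new UserPass { Email = user.Email, Password = split[1] };

    // NOTE(review): the posted entity is persisted as-is, including its Pass property. Unless
    // Pass is [NotMapped] (or otherwise excluded from the users table), the raw password is
    // written next to the hash — verify the entity mapping before shipping.
    dl.users.Add(user);
    dl.userPass.Add(up);
    dl.userSalt.Add(us);
    dl.SaveChanges();

    ViewData["msgsc"] = "User added!";
    return View("AddUser", new User());
}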
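/// <summary>
/// Verifies a name/password pair, optionally after a lockout check, and on success opens a
/// session and records an authentication-history entry. When <paramref name="allowUpdateHash"/>
/// is set, a stale or obsolete stored hash is regenerated with the current provider.
/// </summary>
/// <param name="name">User name to authenticate.</param>
/// <param name="password">Raw password supplied by the caller.</param>
/// <param name="duration">Selects the public or extended session length.</param>
/// <param name="ipAddress">Address the request came from; recorded in the history entry.</param>
/// <param name="checkHistory">When true, fail immediately if recent failures for this name exceed <c>AllowedFailuresPerPeriod</c>.</param>
/// <param name="allowUpdateHash">When true, rehash with a current provider if the stored hash's provider is obsolete or the hash is older than a month.</param>
/// <param name="result">Receives warning and error messages.</param>
/// <returns>An identity built from the new history entry on success; otherwise whatever <c>FailAuthenticateUser</c> returns.</returns>
private cs.UserIdentity AuthenticateUser(string name, string password, UserSessionDurationType duration, string ipAddress, bool checkHistory, bool allowUpdateHash, ExecutionResults result)
{
    if (checkHistory)
    {
        var recentFailures = GetRecentFailedUserNameAuthenticationCount(name);
        if (recentFailures > AllowedFailuresPerPeriod)
        {
            return FailAuthenticateUser(name, ipAddress, result);
        }
    }

    // NOTE(review): an unknown name or a missing salt returns before any hashing happens, so
    // the response time differs from a wrong password for a known name. If user enumeration
    // via timing matters here, hash a dummy value on these two paths as well.
    User user = GetUserByName(name);
    if (user == null)
    {
        return FailAuthenticateUser(name, ipAddress, result);
    }
    UserSalt salt = GetUserSalt(user.UserID);
    if (salt == null)
    {
        return FailAuthenticateUser(name, ipAddress, result);
    }

    // Use the named provider that produced the stored hash; legacy rows without a name fall
    // back to the default provider. (A HashName that is no longer registered would throw from
    // the Providers lookup rather than fail authentication.)
    HashProvider hasher = !string.IsNullOrEmpty(salt.HashName)
        ? HashManager.Providers[salt.HashName]
        : HashManager.DefaultProvider;
    var passwordHash = hasher.Hash(salt.PasswordSalt, password, salt.HashGroup + BaseHashIterations);

    // A plain != returns at the first differing character, which leaks how much of the hash
    // matched through response time. Compare in fixed time and fail closed on nulls.
    if (!HashesMatchFixedTime(user.PasswordHash, passwordHash))
    {
        return FailAuthenticateUser(name, ipAddress, result);
    }

    var now = DateTime.UtcNow;
    var session = new UserSession
    {
        CreatedDate = now,
        ExpirationDate = now.AddMinutes(duration == UserSessionDurationType.PublicComputer ? PublicSessionDuration : ExtendedSessionDuration),
        UserID = user.UserID,
        RenewalToken = Guid.NewGuid()
    };
    var history = new AuthenticationHistory
    {
        IPAddress = ipAddress,
        IsAuthenticated = true,
        UserName = name,
        UserSession = session
    };

    using (var scope = new System.Transactions.TransactionScope())
    {
        if (allowUpdateHash && (hasher.IsObsolete || user.PasswordHashUpdatedDate < now.AddMonths(-1)))
        {
            // Rehash on a regular basis: keeps the iteration count in the current range for
            // active users and migrates them off obsolete providers.
            hasher = HashManager.SelectProvider();
            salt.PasswordSalt = hasher.GetSalt();
            // HashGroup is stored with the salt and only varies the iteration count; an unseeded
            // Random avoids the 60-value collapse of seeding with the current second.
            salt.HashGroup = new Random().Next(HashGroupMinimum, HashGroupMaximum);
            salt.HashName = hasher.Name;
            user.PasswordHash = hasher.Hash(salt.PasswordSalt, password, salt.HashGroup + BaseHashIterations);
            user.PasswordHashUpdatedDate = now;
            SaveUser(user);      // starts as a lightweight transaction
            SaveUserSalt(salt);  // enlists in a full distributed transaction if users and salts have different connection strings
        }
        // Either continues the distributed transaction above if applicable, or creates a new
        // lightweight transaction for these two commands.
        SaveUserSession(session);
        InsertUserHistory(history);
        // A TransactionScope disposed without Complete() rolls back everything enlisted in it.
        scope.Complete();
    }

    return new cs.UserIdentity(history, this.Name);
}

/// <summary>
/// Compares two hash strings in time that depends only on their length, not on where they
/// first differ. Returns false when either side is null (fail closed).
/// </summary>
/// <param name="expected">Hash loaded from the user record.</param>
/// <param name="actual">Hash computed from the supplied password.</param>
/// <returns>True only when both are non-null and identical.</returns>
private static bool HashesMatchFixedTime(string expected, string actual)
{
    if (expected == null || actual == null || expected.Length != actual.Length)
    {
        return false;
    }
    int diff = 0;
    for (int i = 0; i < expected.Length; i++)
    {
        // OR-accumulate so the loop never exits early on a mismatch.
        diff |= expected[i] ^ actual[i];
    }
    return diff == 0;
}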
/// <summary>
/// Persists a user salt by handing it to the salt table proxy, which decides between
/// insert and update.
/// </summary>
/// <param name="salt">The salt record to insert or update.</param>
protected override void SaveUserSalt(UserSalt salt) => TableProxyUserSalt.InsertOrUpdate(salt);
/// <summary>
/// Salt persistence is not supported by this provider; every call throws.
/// </summary>
/// <param name="salt">Ignored.</param>
/// <exception cref="NotImplementedException">Always thrown.</exception>
protected override void SaveUserSalt(UserSalt salt) => throw new NotImplementedException();