Iron Speed Technical Forums
mgroesink

Posts: 22
#1

I store my user passwords encrypted in my database, I guess like everyone does.

 

If I want to use the forgotten password option they receive the encrypted password and of course that isn't any help for my users.

Where do I have to decrypt the password so the user receives his real password by mail?

 

Thanks in advance for any help.

JimiJ

MVP Developer
Posts: 1,962
#2
What is normally done for an encrypted lost password is to reset it and give them a random password that they can change as they log on.

Cheers,
Jimi J

__________________

  Jaime Jegonia

Iron Speed MVP Developer
 

". . . and whoever sows generously will also reap generously" 2 Cor 9:6

akeshgupta

Iron Speed MVP
Design, Develop & Deliver
Posts: 1,095
#3

If you are encrypting the password, you need to encrypt the random password and then store it in the database while sending the user the unencrypted random password.


__________________
Akesh Gupta
Light Speed Solutions, LLC.
If I rest, I will rust !   Let's share the knowledge !
mgroesink

Posts: 22
#4

Thanks for the advice, but since version 9 the user can retrieve his password, so why do I have to create a new password?

I guess it should be possible to decrypt the password somewhere before it is sent to the user.

I send the email address to the database and get the username and password back somewhere. Between receiving it from the server and sending it via mail to the user I can decrypt it. But I cannot find a suitable place where to do this. In which procedure is the password received from the server and where is it ready to be sent to the user?

Below I show the code of the method SendEmailToUser() that is generated by ISD. I suppose that somewhere in this method the password is received from the database so I can decrypt it before it is sent to the user.

//Send the user password to the user email
//If link button was removed from the page this method has empty content.
private void SendPasswordToUser()
{
    //if there is a user identity table, with an email address field,
    //then send the user name and password to the user email
    if (!(this.Page.IsValid))
    {
        Exception exc = new Exception(this.recaptcha.ErrorMessage);
        throw exc;
        return;
    }

    // The email address is required by validation
    string uemail = this.Emailaddress.Text;

    // lookup the email address in the user identity table and abort if not present
    // send the login info to the user email
    BaseClasses.Utils.MailSenderInThread email = new BaseClasses.Utils.MailSenderInThread();
    email.AddFrom(uemail);
    email.AddTo(uemail);
    email.SetSubject(GetResourceValue("Txt:GetSignin"));

    // Be sure the URL is processed for substitution and encryption
    string uarg = ((BaseApplicationPage)this.Page).Encrypt(uemail, false);
    string cultarg = System.Threading.Thread.CurrentThread.CurrentUICulture.Name;
    if (!(string.IsNullOrEmpty(cultarg)))
    {
        cultarg = System.Web.HttpUtility.UrlEncode(cultarg);
        cultarg = BaseClasses.Web.UI.BasePage.APPLICATION_CULTURE_UI_URL_PARAM + "=" + cultarg;
    }

    string SendEmailContentURL = null;
    string pgUrl = BaseClasses.Configuration.ApplicationSettings.Current.SendUserInfoEmailUrl;
    if (pgUrl.StartsWith("/"))
    {
        pgUrl = pgUrl.Substring(1);
    }

    SendEmailContentURL = pgUrl + "?Email=" + System.Web.HttpUtility.UrlEncode(uarg);
    if (!(string.IsNullOrEmpty(cultarg)))
    {
        SendEmailContentURL += "&" + cultarg;
    }

    email.AreImagesEmbedded = true;
    email.SetIsHtmlContent(true);
    email.SetContentURL(SendEmailContentURL, this);

    try
    {
        email.SendMessage();
    }
    catch (Exception ex)
    {
        string msg = GetResourceValue("Msg:SendToFailed") + " " + uemail + "\n" + ex.Message;
        Exception exc = new Exception(msg);
        throw exc;
        return;
    }

    this.ForgotUserInfoLabel.Visible = true;
    this.ForgotUserInfoLabel.Text = GetResourceValue("MsgwdEmailed") + " " + uemail;
    this.ForgotUserErrorLabel.Text = "";
    this.ForgotUserErrorLabel.Visible = false;
    this.EnterEmailLabel.Visible = false;
    this.Emailaddress.Visible = false;
    this.FillRecaptchaLabel.Visible = false;
    this.recaptcha.SkipRecaptcha = true;
    this.recaptcha.Visible = false;
    this.SendButton.Visible = false;
}

akeshgupta

Iron Speed MVP
Design, Develop & Deliver
Posts: 1,095
#5

Did you encrypt the password using the Database setting on Initialization?  I tried it.  The password is getting encrypted but I can't login somehow.

 

Any feedback?


__________________
Akesh Gupta
Light Speed Solutions, LLC.
If I rest, I will rust !   Let's share the knowledge !
mgroesink

Posts: 22
#6

Yes I did encrypt the password using the database setting on Initialization.

I used Encryptdata when adding or updating a record and tried to use Decryptdata when reading. That didn't work for me.

 

I changed the CS file and am able to log in now. But I guess there must be a better and easier way.

 

// Login methods perform user authentication, log user in and set roles for user using values in username and password text boxes.
// These values could be entered by user or stored in cookie and populated from cookie. Password is stored in encrypted form.
// You may overwrite Login methods here with your functionality
public void Login(string redirectUrl)
{
    this.Password.Text = BaseFormulaUtils.EncryptData(this.Password.Text);
    this.Login_Base(redirectUrl);
}

akeshgupta

Iron Speed MVP
Design, Develop & Deliver
Posts: 1,095
#7

Marcel:

 

If you go to the database settings and click on the Password field, you can type the formula for Initialize When Reading Record to =DecryptData(Password).  It should do the trick as Iron Speed will read the data layer to fetch the record and this will be decrypted.

 

HTH,


__________________
Akesh Gupta
Light Speed Solutions, LLC.
If I rest, I will rust !   Let's share the knowledge !
akeshgupta

Iron Speed MVP
Design, Develop & Deliver
Posts: 1,095
#8

I have validated the encryption of password and it is all working fine.  Just make sure the following are done:

 

In the Database Tab for the Password Field (assuming Password is the name of the field in the database):

 

On the Formula Tab:

 

  Initialize On Reading: DecryptData(Password)

  Initialize On Inserting: EncryptData(Password)

  Initialize On Updating: EncryptData(Password)

 

On the Sign In Page, add one additional line of code on OkButton_Click before the base call:

  VB:

  Me.Password.Text = BaseFormulaUtils.EncryptData(Me.Password.Text)

  C#:

  this.Password.Text = BaseFormulaUtils.EncryptData(this.Password.Text);

 

This made the login work perfectly as well as the inserting/updating of password work consistently.  The Email notification of password is coming quite well too.

 

Hope this helps someone out there who needs this functionality.

 


__________________
Akesh Gupta
Light Speed Solutions, LLC.
If I rest, I will rust !   Let's share the knowledge !
mgroesink

Posts: 22
#9

Yes, I am able to log in but my original problem is still the same. The encrypted password is sent to the user and not the decrypted password.

So I still have the same question: where can I decrypt the password?

akeshgupta

Iron Speed MVP
Design, Develop & Deliver
Posts: 1,095
#10

The core function to build the message is located at the bottom of SendUserInfo.aspx in the Security folder.  If you have Visual Studio, you can try to troubleshoot.  In my case, I did not write any custom code and the password is coming back unencrypted.  Please validate that you have all three Initializations populated in the Database tab for the Password field.


__________________
Akesh Gupta
Light Speed Solutions, LLC.
If I rest, I will rust !   Let's share the knowledge !
mgroesink

Posts: 22
#11

Akesh, thanks for all your help.

 

I know now what my problem was. I have several tables with person information. One for teachers, one for students and one for other logins (like administration).

I join them all in a view with a union and my problem was that I only decrypted the password in the logins table. After decrypting the password in the other tables the password is sent correctly to the users.

 

Again, thanks a lot for your help. It was very useful for me.
