FormsAuthentication.Authenticate vs Membership.ValidateUser

FormsAuthentication.Authenticate can be used with clear passwods to check user authentication:
if(FormsAuthentication.Authenticate(Username.Text, Password.Text))
FormsAuthentication.RedirectFromLoginPage(Username.Text, false);

This doesn't work if the password format is not clear. Asp.NET membership provider offers you Clear, MD5 or SHA1 represented passwords.
In case of using MD5 or SHA1 (specified in web.config, SHA1 is default for hashed passwords) the checking for user credentials should be done by Membership.ValidateUser which delivers the provider model for user authentication.

if( Membership.ValidateUser(curentUserName, pwd)){
FormsAuthentication.RedirectFromLoginPage(Username.Text, chkPersistent.Cheked);

The other things of authentication process can be left to the Asp.Net provider.

See also for web.config: authentication and authorization, machine key generation, password format, password salt ...

No comments:

Post a Comment