Security

Re: Remove Security Question and Answer

march11 — Sat, 12 Sep 2009 17:03:17 GMT

My scenario is not much different from everyone elses here. I think it would be wise for MS to consider that some passwrod systems operate as such....

An organization may wish to open an account for an outside entity, but may not have the applicable sec Q & A desired by the outside entity available at the time the account is created.

The Account Create wizard should allow for the Sec Q&A to be shut off for the account create step, yet the developer be able to create a first time log on page so that the outside client can complete account creation, by specifying a Sec Q&A, at first log on, perhaps with credentials emailed when the organization first issues user name and password to the outside entity.

My plan was to hide Sec Q & A for the new account, from within the wizard and push nulls to the Membership Table. I am still trying to figure out how to allow for the Sec Q&A to be updated on users first logon when Sec Q&A is Null in the Membership table.

Re: Remove Security Question and Answer

planza — Wed, 29 Oct 2008 15:25:35 GMT

It looks like 3.5 fixes this problem. If you have RequireSecurityQ&A set to false in your membership provider config, it hides the security q&a boxes and does not prompt for them.

hth

Re: Remove Security Question and Answer

sara55 — Wed, 02 Jul 2008 18:02:26 GMT

Passing securityQuestion and securityAnswer null insted of empty string does the trick.

MembershipUser muUser = Membership.CreateUser(userName, password, email, securityQuestion, securityAnswer, true, out result);

switch (result)

{

case MembershipCreateStatus.InvalidUserName:

lblMessage.Text = "The username format was invalid. Please enter a different username.";

break;

case MembershipCreateStatus.InvalidPassword:

lblMessage.Text = "The password format was invalid. Please enter a new password.";

break;

case MembershipCreateStatus.InvalidEmail:

lblMessage.Text = "The email format was invalid. Please enter a different email.";

break;

case MembershipCreateStatus.DuplicateUserName:

lblMessage.Text = "The username is already in use. Please enter a new username.";

break;

case MembershipCreateStatus.Success:

break;

default:

lblMessage.Text = "An error occurred while creating the user.";

break;

}

Re: Remove Security Question and Answer

guru_sarkar — Wed, 02 Jul 2008 16:08:53 GMT

may be something like this

MembershipUser user = Membership.CreateUser(userName, password, email);if (user != null)

{

MembershipCreateStatus status = MembershipCreateStatus.Success;

return status;

}

Re: Remove Security Question and Answer

sara55 — Wed, 02 Jul 2008 15:58:55 GMT

I have the exact problem. If i use Membership.CreateUser(userName, password, email), how do i check the MembershipCreateStatus of success,

MembershipCreateStatus result;

Membership.CreateUser(userName, password, email, securityQuestion, securityAnswer, true, out result)

the last argument result is not avialable in the former method.

Any help appreciate.

Re: Remove Security Question and Answer

Freakyuno — Thu, 19 Apr 2007 17:19:26 GMT

I'm not sure I understand, but I would like to help you through this issue. Unfortunaly it does not seem like your expectations are realistic for the development of the tools you are using.

Re-examining what you are saying: You dont want a question and answer, but you really do want a question and answer, and it's stupid of the Microsoft developers to assume, that if you set question and answer to false, that you really wanted it that way....

False should mean true (sometimes) and True should mean false (sometimes)

Microsoft has provided you with a compiler, and a development enviroment - any time what microsoft has provided you doesnt fit your needs you're more than welcome to extend it, override it, or start from scratch and write rules like "False = sometimes" I personally like the products and technologies that they provide me to have clear deffinitions like False = False

Re: Remove Security Question and Answer

royhiggs — Wed, 18 Apr 2007 16:04:04 GMT

Unfortunately, I need to call the overload with the question because my provider needs the providerUserKey. However, I'm currently not implementing question and answer so I would like to pass in an empty string for the question. Unfortunately, the ASP.NET team made an assumption that even though I set requiresquestionandanswer to false I actually really want question and answer. How nice of them to make that assumption for me.

I guess for now I'l have to provide a dummy question to the call to create user but I feel so dirty with such a hack.

Re: Remove Security Question and Answer

Noremac — Mon, 13 Nov 2006 22:25:48 GMT

I've been banging my head over this the last little while.

Go to the web.config file, set requiresQuestionAndAnswer="false"

Create a condition statement in the code:

        String userName = tUserName.Text;
        String password = tPassword.Text;
        String cPassword = tCPassword.Text;
        String email = tEmail.Text;
        String question = tSecurityQuestion.Text;
        String answer = tSecurityAnswer.Text;
        MembershipCreateStatus status = new MembershipCreateStatus();
        MembershipUser newUser;

        try
        {
            if (question != "")
            {
                newUser = Membership.CreateUser(userName, password, email, question, answer, true, out status);
            }
            else
            {
                newUser = Membership.CreateUser(userName, password, email);
            }

...

The recover password will then not ask for the question / answer, but just for the username and e-mail the password.

This little condition statement works great for making the security question optional

Re: Remove Security Question and Answer

sfbarron — Tue, 24 Oct 2006 20:57:34 GMT

I got the Question / Answer text boxes to come out of the CreateUserWizard. But how can I get the PasswordRecovery to e-mail the password out with just the username?

Re: Remove Security Question and Answer

markman — Fri, 20 Oct 2006 18:46:37 GMT

after adding this (requiresQuestionAndAnswer="false") to the membership provider in the web.config I was able to see that

Membership.RequiresQuestionAndAnswer

is set to false (which is correct) right before I call

Membership.CreateUser(...)

However CreateUser always comes back with an InvalidQuestion status. In order to get it to work every user has a dummy question and answer. I looked at the source code of CreateUser:

http://www.koders.com/csharp/fid18F654F5669AC847044652212BDE35542A876301.aspx

and it seems to be impossible that I am getting an InvalidQuestion status with RequiresQuestionAndAnswer set to false.

Re: Remove Security Question and Answer

codequest — Sat, 16 Sep 2006 02:55:56 GMT

Challenges in customizing the wizard, described in the responses to this

http://forums.asp.net/thread/1399854.aspx

Basically, you have to work to dig the custom field data out....

http://aspnet.4guysfromrolla.com/articles/062806-1.aspx <<< I'm thinking if there had been a better way, these guys would have found it...

Re: Remove Security Question and Answer

codequest — Fri, 15 Sep 2006 16:50:50 GMT

http://msdn2.microsoft.com/en-us/library/ms178342.aspx << basic customization

http://msdn2.microsoft.com/en-us/library/82xx2e62.aspx << here's where I saw that similar code

http://odetocode.com/Articles/427.aspx << "ERD" for membership...nice to see

http://weblogs.asp.net/scottgu/archive/2006/04/22/443634.aspx << a key thing to catch, apparently, in deployment

http://aspnet.4guysfromrolla.com/articles/120705-1.aspx <<< always a big help

http://aspnet.4guysfromrolla.com/articles/040506-1.aspx <<< ditto

Re: Remove Security Question and Answer

codequest — Fri, 15 Sep 2006 16:42:47 GMT

Thanks for tip on password. The code's good...(looks like an excerpt from MSDN I ran across :-0)

I used "customize create user step" on front of createuserwizard to make the security question and answer fields hidden.

Once I wrapped my head around the wiring and the options, and particularly walking through all the use cases that I needed to implement, the membership utilities started to make sense...

Still couldn't get custom fields inside the wizard to work, though...but I'm not going that direction anymore; fully custom collection works fine.

Re: Remove Security Question and Answer

Freakyuno — Fri, 15 Sep 2006 15:12:21 GMT

Hello to you both,

Sorry that the code provided seems like a monumental task. If your looking at a customization, the best way to use this, is to put it into a custom usercontrol and drop it onto any page you need it.

To get the password box to do the "no see um" trick as you call it. You actually work with the properties of the text box, which has nothing to do with the user login portion at all. Simply set it's type (you have three possible options) to password. The other two options being Single Line, Multi-Line.

The Membership system, which your still incorportating will handle the password encryption before it's stored in the membership table. Really this set of code is barely a customization. Your just providing your own "collection" method and letting the membership framework do the rest, just as it always did.

Re: Remove Security Question and Answer

codequest — Fri, 15 Sep 2006 04:56:39 GMT

Hi,

The solution above looks like just what I need, since I don't want to put in the security question, and have seen similar code in another example (so it's not that scary.)

One thing I don't understand, though, is what happens to the password field. If I write my own data capture page for the registration info, how do I:

A) get the password to do that little "no-see-um" trick when it's being typed in, and

B) get the password to do the encrypting/decrypting etc.

Any guidance with this would be appreciated.

(Also, Greg, I found your response to be completely in tune with what I ran into today. I'd like to use the membership functions for the password control, and as little as possible, otherwise.)