Custom MembershipProvider and OnValidatingPassword RSS

• • Reply
  

  Speedbird186

  Member

  200 Points

  49 Posts

  Custom MembershipProvider and OnValidatingPassword

  May 16, 2006 02:32 PM|LINK

  Hi all,

  I have developed a custom MembershipProvider. Except for validating the password strength, it works.

  I call the OnValidatingPassword virtual method as shown in the ODBC sample:

  ValidatePasswordEventArgs args =
          new ValidatePasswordEventArgs(username, newPassword, true);
  
  OnValidatingPassword(args);

  The values for the relevant are:
  Minimum password length: 7
  Minimum non-alphanumeric characters: 1
  Regular expression: (null)

  However, entering "myname" on the ChangePassword control does not cause args.Cancel to be set to true, even though the rules are violated.

  So, I am wondering if the ODBC sample is incomplete and if I need to implement OnValidatingPassword myself? (The ODBC sample does not override the method)

  Thanks for any help,

  SA.

• • Reply
  

  zhuhua1006

  Contributor

  4070 Points

  808 Posts

  Re: Custom MembershipProvider and OnValidatingPassword

  May 17, 2006 03:22 AM|LINK

  From the source code of sqlmembershipprovider (download from http://download.microsoft.com/download/a/b/3/ab3c284b-dc9a-473d-b7e3-33bacfcc8e98/ProviderToolkitSamples.msi), you can see the followinf code in ChangePassword Method.

  if( newPassword.Length < MinRequiredPasswordLength )
              {
                  throw new ArgumentException(SR.GetString(
                                SR.Password_too_short,
                                "newPassword",
                                MinRequiredPasswordLength.ToString(CultureInfo.InvariantCulture)));
              }

              int count = 0;

              for( int i = 0; i < newPassword.Length; i++ )
              {
                  if( !char.IsLetterOrDigit( newPassword, i ) )
                  {
                      count++;
                  }
              }

              if( count < MinRequiredNonAlphanumericCharacters )
              {
                  throw new ArgumentException(SR.GetString(
                                SR.Password_need_more_non_alpha_numeric_chars,
                                "newPassword",
                                MinRequiredNonAlphanumericCharacters.ToString(CultureInfo.InvariantCulture)));
              }

              if( PasswordStrengthRegularExpression.Length > 0 )
              {
                  if( !Regex.IsMatch( newPassword, PasswordStrengthRegularExpression ) )
                  {
                      throw new ArgumentException(SR.GetString(SR.Password_does_not_match_regular_expression,
                                                               "newPassword"));
                  }
              }

              string pass = EncodePassword(newPassword, (int)passwordFormat, salt);
              if ( pass.Length > 128 )
              {
                  throw new ArgumentException(SR.GetString(SR.Membership_password_too_long), "newPassword");
              }

              ValidatePasswordEventArgs e = new ValidatePasswordEventArgs( username, newPassword, false );
              OnValidatingPassword( e );

              if( e.Cancel )
              {
                  if( e.FailureInformation != null )
                  {
                      throw e.FailureInformation;
                  }
                  else
                  {
                      throw new ArgumentException( SR.GetString( SR.Membership_Custom_Password_Validation_Failure ), "newPassword");
                  }
              }

  ________________________________________________________

  You can see this code checks MinRequiredNonAlphanumericCharacters and MinRequiredPasswordLength requirement with two other If block rather than if(e.Cancel).

  I think only when the changepassword action is canceled, the e.Cancel will return true. Other violation will not effect this value.

  http://msdn2.microsoft.com/en-us/library/system.web.security.membershipprovider.onvalidatingpassword.aspx

• • Reply
  

  Speedbird186

  Member

  200 Points

  49 Posts

  Re: Custom MembershipProvider and OnValidatingPassword

  May 17, 2006 03:44 PM|LINK

  Thanks for your reply. This is confusing though. Both the documentation and the ODBC membership provider lead one to believe that OnValidatingPassword will validate it.
• • Reply
  

  monica783

  Member

  2 Points

  1 Post

  Re: Custom MembershipProvider and OnValidatingPassword

  May 12, 2013 04:35 PM|LINK

  Hi,

  You must register the Handler in your Initialize method:

   AddHandler Me.ValidatingPassword, _
      New MembershipValidatePasswordEventHandler(AddressOf OnValidatePassword)

  And implement the method too, for example:

  Public Sub OnValidatePassword(sender As Object, args As ValidatePasswordEventArgs)

              Dim regex As New Regex(pPasswordStrengthRegularExpression)
   
   
              If Not regex.IsMatch(args.Password) Then
                  args.FailureInformation = _
                    New HttpException("Password must be at least 6 characters long and " & _
                                      "contain at least one number and one special character.")
                  args.Cancel = True
              End If
          End Sub

  visit: http://msdn.microsoft.com/en-us/library/system.web.security.membershipprovider.validatingpassword.aspx