HashPasswordForStoringInConfigFile in code and web.config values

Last post 01-18-2007 2:21 AM by Leijun Jie - MSFT. 1 replies.


  • HashPasswordForStoringInConfigFile in code and web.config values

    01-17-2007, 2:16 PM
    • agilentrob
    • Joined on 05-10-2006, 7:13 PM
    • Posts 6

    Greetings,

    I am using ASP.NET 1.1 and I'm playing around with md5 encryption to encrypt values from a username and textbox fields and comparing it to a value in my web.config file.  Here's a snippet of my code:

    String sHashedUsername = FormsAuthentication.HashPasswordForStoringInConfigFile(txtUserName.Text, "MD5");
    String sHashedPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(txtPassword.Text, "MD5");

    if (FormsAuthentication.Authenticate(sHashedUsername, sHashedPassword))
        ShowError("Successful!");
    else
    {
        ShowError("Invalid login information.&nbsp;&nbsp;Please try again.<br>(Fields are case-sensitive)");
        return;
    }

    In my web.config file I have the following info set up:

    <authentication mode="Forms">
      <forms timeout="30">
        <credentials passwordFormat="MD5">
          <user name="E3AFED0047B08059D0FADA10F400C1E5" password="D41D8CD98F00B204E9800998ECF8427E"/>
        </credentials>
      </forms>
    </authentication>

    Having my passwordFormat field set to MD5 as shown above takes me to my "Invalid login info" error message.  However, as soon as I change the value of passwordFormat to Clear my login functionality works.  Is this the correct behavior?  Isn't it supposed to be working as shown above?

    Thanks in advance,

    Rob

  • Re: HashPasswordForStoringInConfigFile in code and web.config values

    01-18-2007, 2:21 AM
    Answer
    Do you have to hash the user name? A user name like E3AFED0047B08059D0FADA10F400C1E5 doesn't make sense.

    The more important thing here is: don't pass the hashed password as a parameter to the FormsAuthentication.Authenticate method. Instead you just need to authenticate against the original password string. So the code should be:

    // Pass the raw text-box values; Authenticate applies the passwordFormat hash itself.
    if (FormsAuthentication.Authenticate(txtUserName.Text, txtPassword.Text))
        ShowError("Successful!");
    else
    {
        ShowError("Invalid login information.&nbsp;&nbsp;Please try again.<br>(Fields are case-sensitive)");
        return;
    }


    The FormsAuthentication.HashPasswordForStoringInConfigFile method just produces a hashed password suitable for storing in a configuration file, based on the specified password and hash algorithm. The purpose is to prevent someone from getting the clear-text password directly from web.config.

    The future is now...
    Sincerely,
    LeiJun Jie
    Microsoft Online Community Support
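To make the double-hashing mistake concrete, here is an added Python simulation of the two FormsAuthentication calls discussed in the thread. It is not the .NET API and not code from either poster: hash_password_for_storing_in_config_file reproduces the documented output shape (upper-case hex, unsalted, UTF-8 input), while authenticate follows the reply's description that Authenticate hashes the supplied password itself under MD5/SHA1. The credentials "rob"/"s3cret" are constructed; the case-insensitive name match and the exact-match rule for Clear are assumptions, not something the page states. The last function checks the password digest that actually appears in the posted web.config.

```python
import hashlib

# Constructed stand-in for two ASP.NET 1.1 FormsAuthentication methods, written to show
# the double-hashing mistake from the post. It is a simulation, not the .NET library.


def hash_password_for_storing_in_config_file(password: str, password_format: str) -> str:
    """Mimics FormsAuthentication.HashPasswordForStoringInConfigFile.

    The real method returns an upper-case hex digest of the UTF-8 password, with no salt
    and a single round, which is why the web.config values on the page look as they do.
    """
    algorithms = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}
    try:
        algorithm = algorithms[password_format.upper()]
    except KeyError:
        raise ValueError("passwordFormat must be MD5 or SHA1") from None
    return algorithm(password.encode("utf-8")).hexdigest().upper()


def authenticate(credentials, password_format: str, name: str, password: str) -> bool:
    """Mimics FormsAuthentication.Authenticate against the <credentials> users.

    credentials: list of (name, password-as-stored) pairs from web.config.
    Assumptions (not stated on the page): the name is compared case-insensitively and is
    never hashed; for MD5/SHA1 the *supplied* password is hashed and compared with the
    stored digest ignoring hex case; for Clear the two strings must match exactly.
    """
    for stored_name, stored_password in credentials:
        if stored_name.lower() != name.lower():
            continue
        if password_format.upper() == "CLEAR":
            return stored_password == password
        supplied_digest = hash_password_for_storing_in_config_file(password, password_format)
        return supplied_digest.lower() == stored_password.lower()
    return False


# Constructed credentials. The poster's web.config stores the MD5 of the user name in the
# name attribute, so POSTER_CONFIG is built the same way; CORRECTED_CONFIG follows the reply.
RAW_NAME, RAW_PASSWORD = "rob", "s3cret"
POSTER_CONFIG = [(hash_password_for_storing_in_config_file(RAW_NAME, "MD5"),
                  hash_password_for_storing_in_config_file(RAW_PASSWORD, "MD5"))]
CORRECTED_CONFIG = [(RAW_NAME, hash_password_for_storing_in_config_file(RAW_PASSWORD, "MD5"))]


def poster_login(password_format: str, typed_name: str, typed_password: str) -> bool:
    """The original post's code path: hash both text-box values, then call Authenticate."""
    return authenticate(POSTER_CONFIG, password_format,
                        hash_password_for_storing_in_config_file(typed_name, "MD5"),
                        hash_password_for_storing_in_config_file(typed_password, "MD5"))


def corrected_login(password_format: str, typed_name: str, typed_password: str) -> bool:
    """The reply's code path: pass the raw text-box values and let Authenticate hash."""
    return authenticate(CORRECTED_CONFIG, password_format, typed_name, typed_password)


def page_config_accepts_empty_password() -> bool:
    """The password digest in the posted web.config is the MD5 of the empty string."""
    return (hash_password_for_storing_in_config_file("", "MD5")
            == "D41D8CD98F00B204E9800998ECF8427E")


if __name__ == "__main__":
    # Reproduces the symptom in the post: MD5 mode fails, Clear mode "works".
    print("poster, MD5   :", poster_login("MD5", RAW_NAME, RAW_PASSWORD))      # False
    print("poster, Clear :", poster_login("Clear", RAW_NAME, RAW_PASSWORD))    # True
    print("fixed,  MD5   :", corrected_login("MD5", RAW_NAME, RAW_PASSWORD))   # True
    print("fixed,  wrong :", corrected_login("MD5", RAW_NAME, "wrong"))        # False
    print("posted config accepts '':", page_config_accepts_empty_password())   # True
```

Under MD5 the poster's path hashes the password in the page code and Authenticate hashes it again, so the stored digest never matches; under Clear nothing is re-hashed and the pre-computed digest compares equal to the stored string, which is exactly the behaviour Rob observed. Two things a reviewer of that web.config would flag: the digest stored for the password is MD5 of the empty string, so the account as posted is reachable with a blank password, and HashPasswordForStoringInConfigFile is a single unsalted MD5 or SHA1 round (the method was later marked obsolete in .NET), so a leaked web.config exposes the password to precomputed-digest lookup even in MD5 mode.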