I am using the ASP.NET membership provider with MySQL and IIS7, and had no problem for a long time with users logging in. But now suddenly users can't log in. I'm not sure what happened. Some points of interest are:
- I was trying to implement the change password and reset password features when this happened. All I did was drag and drop the controls for those features and set up SMTP. When those reset passwords weren't working I added an additional membership tag as outlined here: http://peterkellner.net/2007/02/15/resetpasswordaspnet/. But I removed it and as far as I know, my web.config is the same as it was before.
- I've read that this could happen if the application name is not specified in web.config. My web.config has applicationName="/"
- I'm not sure how to use Event Viewer to help figure out the problem. I don't see any failed login attempts at the time I try to log in. Maybe I'm not looking in the right place.
- The users trying to log in are not locked out
- If I create a new account, I cannot log in to that account either!
- This is weird but there is an account I created a long time ago, and I CAN log in to that one!
- This is the part of my web.config that may be of relevance:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880"/>
</authentication>
<membership defaultProvider="MySQLMembershipProvider">
<providers>
<clear/>
<remove name="MySQLMembershipProvider"/>
<add name="MySQLMembershipProvider" type="MySql.Web.Security.MySQLMembershipProvider, MySql.Web, Version=6.3.6.0, Culture=neutral, PublicKeyToken=c5687fc88969c44d" applicationName="/" description="MySQL default application" connectionStringName="LocalMySqlServer" writeExceptionsToEventLog="True" autogenerateschema="True" enablePasswordRetrieval="False" enablePasswordReset="True" requiresQuestionAndAnswer="False" requiresUniqueEmail="True" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
</providers>
</membership>
Please help! I've been pulling my hair over this for a couple of days now! Thanks for your interest!
Let's work through this:
- The membership provider will use a salted SHA1 hash of the password.
- The salt and the hash are stored in the table aspnet_Membership, assuming you've not implemented a custom provider (BTW - this is why the hashed values are different - the salts are different)
- On login, the membership provider will pull back the membership record, hash the password you entered with the salt from the record then compare the results
What you need to remember is that hashing is deterministic so every time you hash the same input (plain text password plus hash), you get the same output. What's obviously happening in your case is that you're either not creating the same hashed password (possibly the wrong salt), or you're not comparing the hashed output to the correct value. When I say "you", it's obviously the membership provider which takes care of this, it's just behaving a little differently due to a configuration change.
So where can this go wrong? Here are some things to check:
- Is the correct membership record actually being pulled back from MySql? Check this using a MySql profiler.
- If you try manually hashing the password using the correct salt for the account, does it match the password in the database? Refer to this question to reproduce the hashing process.
Basically, just break the process down into smaller units and validate that each one is working correctly. Good luck!
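The manual hash check described above, as an added example that is not part of the original answer or the provider's own code. It assumes the SqlMembershipProvider-style layout, Base64(SHA1(salt bytes + UTF-16LE password bytes)) with the salt stored as Base64; the function names and the sample record are constructed for illustration.

```python
import base64
import hashlib
import hmac


def encode_password(password, salt_b64, algorithm="sha1"):
    # Assumed layout: Base64(HASH(salt bytes + UTF-16LE password bytes)).
    salt = base64.b64decode(salt_b64, validate=True)
    data = salt + password.encode("utf-16-le")
    return base64.b64encode(hashlib.new(algorithm, data).digest()).decode("ascii")


def diagnose(password, salt_b64, stored_b64, algorithm="sha1"):
    """Validate each unit of the login comparison and name the first that fails."""
    try:
        base64.b64decode(salt_b64, validate=True)
    except ValueError:
        return "salt-not-base64"
    try:
        stored = base64.b64decode(stored_b64.strip(), validate=True)
    except ValueError:
        return "stored-hash-not-base64"
    # A stored digest of the wrong size means the row was written with a
    # different hash algorithm than the one being used to verify it.
    expected_len = hashlib.new(algorithm).digest_size
    if len(stored) != expected_len:
        return f"length-mismatch:{len(stored)}!={expected_len}"
    candidate = base64.b64decode(encode_password(password, salt_b64, algorithm))
    return "match" if hmac.compare_digest(candidate, stored) else "hash-mismatch"


# Constructed sample record (not real data): 16-byte salt and its stored hash.
SAMPLE_SALT = base64.b64encode(bytes(range(16))).decode("ascii")
SAMPLE_STORED = encode_password("Passw0rd!", SAMPLE_SALT)

if __name__ == "__main__":
    for pw in ("Passw0rd!", "passw0rd!"):
        print(pw, "->", diagnose(pw, SAMPLE_SALT, SAMPLE_STORED))
    # A row hashed with another algorithm shows up as a length mismatch.
    other = encode_password("Passw0rd!", SAMPLE_SALT, "sha256")
    print("sha256 row ->", diagnose("Passw0rd!", SAMPLE_SALT, other))
```

Run it with the salt and hash copied from one account that can log in and one that cannot; a differing result between the two rows points at which step of the comparison changed.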