Posted by: herman_herman - Friday, 4 January 2008 10:16:56 |
---|
The security answer in the password retrieval section does not work and keeps saying "[color=red]Your answer could not be verified. Please try again.[/color]" Regards Touradg |
Posted by: Jaben - Friday, 4 January 2008 17:49:02 |
---|
Do you know what your answer is? |
Posted by: herman_herman - Friday, 4 January 2008 22:57:44 |
---|
:cheesy: kidding me..?:wink: |
Posted by: Jaben - Friday, 4 January 2008 23:15:55 |
---|
You are using the YAF provider? And I'm not trying to be obvious -- but maybe verify the exact answer in your database and copy and paste to see if it still fails. |
Posted by: Mek - Saturday, 5 January 2008 01:41:08 |
---|
If it's using our provider or MS's it'll be hashed. But please provide which provider you are using (pun intended)? :-) |
Posted by: herman_herman - Saturday, 5 January 2008 06:20:13 |
---|
Hi. Everything's default and untouched from the package. I checked the database as Jaben said and here is its screenshot, but still it fails. As you can see, only the last one (admin) is hashed! [IMG]http://i8.tinypic.com/89hfsw7.jpg[/IMG] |
Posted by: Mek - Saturday, 5 January 2008 08:57:57 |
---|
Ok now I'm confused... I'll look into it :-) You didn't change the web.config provider hash options after you installed did you? |
Posted by: Ederon - Saturday, 5 January 2008 09:31:23 |
---|
I can confirm this, it doesn't work for me with out-of-box default settings. |
Posted by: Jaben - Saturday, 5 January 2008 12:50:13 |
---|
Yeah, I noticed this... it didn't work then it did. Not sure what changed. I think it might be the provider code though. |
Posted by: Mek - Saturday, 5 January 2008 13:04:09 |
---|
okay okay I get the hint :-) I'll sort it tomorrow. |
Posted by: herman_herman - Saturday, 5 January 2008 20:46:35 |
---|
[quote=Mek]Ok now I'm confused... I'll look into it :-) You didn't change the web.config provider hash options after you installed did you? [/quote] Nop |
Posted by: test2005 - Sunday, 6 January 2008 03:34:15 |
---|
DOH!!!! |
Posted by: Mek - Sunday, 27 January 2008 03:55:58 |
---|
Yeah twigged this one, it doesn't hash when it creates a user but will hash the security answer when a user changes their own password.... working on a fix but at least we have the why :-) |
Posted by: Mek - Sunday, 27 January 2008 04:09:54 |
---|
k this was easy, on YafMembershipProvider.cs line 498 it called the DB.CreateUser with the unencrypted version of the passwordanswer string.. substituting for the correct one solves the problem. Committed to SVN.
[code]
// Encode Password Answer
string encodedPasswordAnswer = YafMembershipProvider.EncodeString( passwordAnswer, ( int )this.PasswordFormat, salt, this.UseSalt );
// Process database user creation request
DB.CreateUser(this.ApplicationName, username, pass, salt, (int)this.PasswordFormat, email, passwordQuestion, passwordAnswer, isApproved, providerUserKey);
[/code]
changed to:
[code]
// Encode Password Answer
string encodedPasswordAnswer = YafMembershipProvider.EncodeString( passwordAnswer, ( int )this.PasswordFormat, salt, this.UseSalt );
// Process database user creation request
DB.CreateUser(this.ApplicationName, username, pass, salt, (int)this.PasswordFormat, email, passwordQuestion, encodedPasswordAnswer, isApproved, providerUserKey);
[/code] |
Posted by: herman_herman - Sunday, 27 January 2008 06:12:59 |
---|
Mek, thanks for the fix. I will apply it to mine. |
Posted by: kocka - Thursday, 5 November 2009 05:49:40 |
---|
Hello, I have problems with the security answer (1.9.3) (hashed passwordFormat) - I think that if I change the password, the password salt is changed but the security answer is not changed and is not readable after the password change? I changed it this way:
[code]
public bool IsCorrectAnswer( string answerToCheck )
{
    return this.PasswordAnswer.Equals( ( YafMembershipProvider.EncodeString( answerToCheck, this.PasswordFormat, this.PasswordSalt, false /*change*/, this.HashHex, this.hashCase, this.hashRemoveChars, this.msCompliant) ) );
}
[/code]
and all instances of encode answer to:
[code]
newPasswordAnswer = YafMembershipProvider.EncodeString(newPasswordAnswer, currentPasswordInfo.PasswordFormat, currentPasswordInfo.PasswordSalt, false /*change*/, this.HashHex, this.HashCase, this.HashRemoveChars, this.MSCompliant);
[/code]
Pavel [quote=herman_herman]Mek, Thanks for fix. I will apply it to mine. [/quote] |
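Both failures in this thread (an answer stored raw at user creation but hashed at verification, and an answer hashed with a password salt that later rotates) come from the write and verify paths encoding the answer differently. The sketch below is an added example, not YAF's code and not from any poster: it routes every path through one encoder and gives the answer its own salt. It swaps in PBKDF2 via Rfc2898DeriveBytes instead of YAF's EncodeString, and UserRow, AnswerDemo and all sample values are hypothetical.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical record and helpers for illustration; not YAF's schema or API.
class UserRow { public byte[] PasswordSalt, PasswordHash, AnswerSalt, AnswerHash; }

static class AnswerDemo
{
    static byte[] NewSalt()
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return salt;
    }

    // Single encoder shared by every write path and by the verify path.
    static byte[] Encode(string secret, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(secret, salt, 100000, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    static UserRow CreateUser(string password, string answer)
    {
        var row = new UserRow { PasswordSalt = NewSalt(), AnswerSalt = NewSalt() };
        row.PasswordHash = Encode(password, row.PasswordSalt);
        row.AnswerHash = Encode(answer, row.AnswerSalt); // encoded at creation, never stored raw
        return row;
    }

    static void ChangePassword(UserRow row, string newPassword)
    {
        row.PasswordSalt = NewSalt(); // rotating the password salt leaves AnswerSalt untouched
        row.PasswordHash = Encode(newPassword, row.PasswordSalt);
    }

    // Constant-time comparison of the re-encoded candidate against the stored hash.
    static bool IsCorrectAnswer(UserRow row, string candidate) =>
        CryptographicOperations.FixedTimeEquals(Encode(candidate, row.AnswerSalt), row.AnswerHash);

    static void Main()
    {
        // Constructed sample values.
        var row = CreateUser("constructed-password", "constructed answer");
        Console.WriteLine("before password change: " + IsCorrectAnswer(row, "constructed answer"));
        ChangePassword(row, "another-constructed-password");
        Console.WriteLine("after password change:  " + IsCorrectAnswer(row, "constructed answer"));
        Console.WriteLine("wrong answer:           " + IsCorrectAnswer(row, "wrong answer"));
    }
}
```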