Posted by: herman_herman - Friday, 4 January 2008 10:16:56
The security answer in the password retrieval section does not work and keeps saying "[color=red]Your answer could not be verified. Please try again.[/color]" Regards Touradg

Posted by: Jaben - Friday, 4 January 2008 17:49:02
Do you know what your answer is?

Posted by: herman_herman - Friday, 4 January 2008 22:57:44
:cheesy: kidding me..?:wink:

Posted by: Jaben - Friday, 4 January 2008 23:15:55
You are using the YAF provider? And I'm not trying to be obvious -- but maybe verify the exact answer in your database and copy and paste to see if it still fails.

Posted by: Mek - Saturday, 5 January 2008 01:41:08
If it's using our provider or MS's it'll be hashed. But please provide which provider you are using (pun intended)? :-)

Posted by: herman_herman - Saturday, 5 January 2008 06:20:13
Hi. Everything's default and untouched from the package. I checked the database as Jaben said and here is its screenshot, but still it fails. As you can see, only the last one (admin) is hashed! [IMG]http://i8.tinypic.com/89hfsw7.jpg[/IMG]

Posted by: Mek - Saturday, 5 January 2008 08:57:57
Ok now I'm confused... I'll look into it :-) You didn't change the web.config provider hash options after you installed did you?

Posted by: Ederon - Saturday, 5 January 2008 09:31:23
I can confirm this, it doesn't work for me with out-of-box default settings.

Posted by: Jaben - Saturday, 5 January 2008 12:50:13
Yeah, I noticed this... it didn't work then it did. Not sure what changed. I think it might be the provider code though.

Posted by: Mek - Saturday, 5 January 2008 13:04:09
okay okay I get the hint :-) I'll sort it tomorrow.

Posted by: herman_herman - Saturday, 5 January 2008 20:46:35
[quote=Mek]Ok now I'm confused... I'll look into it :-) You didn't change the web.config provider hash options after you installed did you? [/quote] Nop

Posted by: test2005 - Sunday, 6 January 2008 03:34:15
DOH!!!!

Posted by: Mek - Sunday, 27 January 2008 03:55:58
Yeah twigged this one, it doesn't hash when it creates a user but will hash the security answer when a user changes their own password.... working on a fix but at least we have the why :-)

Posted by: Mek - Sunday, 27 January 2008 04:09:54
k this was easy, on YafMembershipProvider.cs line 498 it called the DB.CreateUser with the unencrypted version of the passwordanswer string.. substituting for the correct one solves the problem. Committed to SVN.

[code]
// Encode Password Answer
string encodedPasswordAnswer = YafMembershipProvider.EncodeString( passwordAnswer, ( int )this.PasswordFormat, salt, this.UseSalt );
// Process database user creation request
DB.CreateUser(this.ApplicationName, username, pass, salt, (int)this.PasswordFormat, email, passwordQuestion, passwordAnswer, isApproved, providerUserKey);
[/code]

changed to:

[code]
// Encode Password Answer
string encodedPasswordAnswer = YafMembershipProvider.EncodeString( passwordAnswer, ( int )this.PasswordFormat, salt, this.UseSalt );
// Process database user creation request
DB.CreateUser(this.ApplicationName, username, pass, salt, (int)this.PasswordFormat, email, passwordQuestion, encodedPasswordAnswer, isApproved, providerUserKey);
[/code]

Posted by: herman_herman - Sunday, 27 January 2008 06:12:59
Mek, Thanks for fix.I will apply it to mine.

Posted by: kocka - Thursday, 5 November 2009 05:49:40
Hello, I have problems with the security answer (1.9.3) (hashed passwordFormat) - I think, if I change the password, then the password salt is changed but the security answer is not changed and is not readable after the password change? I changed it this way:

[code]
public bool IsCorrectAnswer( string answerToCheck )
{
    return this.PasswordAnswer.Equals( ( YafMembershipProvider.EncodeString( answerToCheck, this.PasswordFormat, this.PasswordSalt, false /*change*/, this.HashHex, this.hashCase, this.hashRemoveChars, this.msCompliant) ) );
}
[/code]

and all instances of encode answer to:

[code]
newPasswordAnswer = YafMembershipProvider.EncodeString(newPasswordAnswer, currentPasswordInfo.PasswordFormat, currentPasswordInfo.PasswordSalt, false /*change*/, this.HashHex, this.HashCase, this.HashRemoveChars, this.MSCompliant);
[/code]

Pavel

[quote=herman_herman]Mek, Thanks for fix.I will apply it to mine. [/quote]
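Added example, not part of the thread and not YAF's code: a small C# model of the two mismatches discussed above, an answer stored unencoded at user creation while verification encodes the candidate, and an encoded answer tied to a password salt that a password change replaces. The `User` class, `Encode` (salted SHA-256) and the separate `AnswerSalt` are assumptions made for this illustration; they stand in for `YafMembershipProvider.EncodeString` and are not what the thread's patches do (the post above turns salting off for the answer instead). It targets .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Hypothetical model for illustration; not YAF's types or its EncodeString.
class User
{
    public string PasswordSalt = "", PasswordHash = "", StoredAnswer = "";
    public string AnswerSalt = ""; // empty: the answer shares the password salt
    public string SaltForAnswer => AnswerSalt.Length > 0 ? AnswerSalt : PasswordSalt;
}
static class Demo
{
    static string NewSalt() => Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
    // Salted SHA-256, assumed here in place of the provider's configurable hash.
    static string Encode(string value, string salt) =>
        Convert.ToBase64String(SHA256.HashData(Encoding.UTF8.GetBytes(salt + value)));

    static User Create(string password, string answer, bool encodeAnswer, bool ownAnswerSalt)
    {
        var u = new User { PasswordSalt = NewSalt(), AnswerSalt = ownAnswerSalt ? NewSalt() : "" };
        u.PasswordHash = Encode(password, u.PasswordSalt);
        // encodeAnswer == false reproduces the creation bug: the raw answer is stored.
        u.StoredAnswer = encodeAnswer ? Encode(answer, u.SaltForAnswer) : answer;
        return u;
    }

    // Verification always encodes the candidate before comparing.
    static bool IsCorrectAnswer(User u, string candidate) =>
        CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(u.StoredAnswer),
            Encoding.UTF8.GetBytes(Encode(candidate, u.SaltForAnswer)));

    // A password change issues a new password salt and leaves the stored answer alone.
    static void ChangePassword(User u, string newPassword)
    {
        u.PasswordSalt = NewSalt();
        u.PasswordHash = Encode(newPassword, u.PasswordSalt);
    }

    static void Main()
    {
        var raw = Create("pw", "blue", encodeAnswer: false, ownAnswerSalt: false);
        var shared = Create("pw", "blue", encodeAnswer: true, ownAnswerSalt: false);
        var own = Create("pw", "blue", encodeAnswer: true, ownAnswerSalt: true);
        Console.WriteLine("raw answer stored: " + IsCorrectAnswer(raw, "blue"));
        Console.WriteLine("encoded at creation: " + IsCorrectAnswer(shared, "blue"));
        foreach (var u in new[] { shared, own }) ChangePassword(u, "pw2");
        Console.WriteLine("shared salt, after change: " + IsCorrectAnswer(shared, "blue"));
        Console.WriteLine("own salt, after change: " + IsCorrectAnswer(own, "blue"));
    }
}
```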