Migrating from ASP.NET Membership to SimpleMembership in MVC4 RTM
Solution 1
I'd like to surface Paul's comment in case anyone misses it and suggest his solution is the best I've seen.
http://pretzelsteelersfan.blogspot.com/2012/11/migrating-legacy-apps-to-new.html
Thanks Paul
Solution 2
You have access to the plain text password when the user logs in, which gives you another option:
- Keep the old passwords in a separate table
- On login, first use the SimpleMembership method
- If that fails, check against the old password table using the old hash algorithm (you'll need to make sure the plain text password is still in the context)
- If that succeeds, update the SimpleMembership tables, and remove from the old password table
The users wouldn't need to know about the change, and the active users would have a more secure hash. If you'd like to force the security upgrade in the future, you can warn the users that their accounts will be deleted after a year of inactivity, and just retire the two-step system.
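The fallback login flow from Solution 2, as an added example that is not part of the original answer and is not SimpleMembership's own code. It assumes the legacy rows use the SqlMembershipProvider salted-SHA1 format and that new hashes use the PBKDF2 layout of System.Web.Helpers.Crypto; the two dictionaries are constructed stand-ins for the old and new password tables, and the code targets a .NET 6+ console project.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class LoginMigration
{
    // Constructed stand-ins for the tables; legacy rows hold (Base64 salt, Base64 hash).
    static readonly Dictionary<string, (string Salt, string Hash)> OldTable = new();
    static readonly Dictionary<string, string> NewTable = new();

    // Assumed legacy format: Base64(SHA1(salt || UTF-16LE(password))).
    static string LegacyHash(string password, string saltB64) =>
        Convert.ToBase64String(SHA1.HashData(
            Convert.FromBase64String(saltB64).Concat(Encoding.Unicode.GetBytes(password)).ToArray()));

    // Assumed new format: Base64(0x00 || 16-byte salt || PBKDF2-HMAC-SHA1, 1000 rounds, 32 bytes).
    static string NewHash(string password, byte[] salt) =>
        Convert.ToBase64String(new byte[] { 0 }.Concat(salt).Concat(
            Rfc2898DeriveBytes.Pbkdf2(password, salt, 1000, HashAlgorithmName.SHA1, 32)).ToArray());

    static bool Same(string a, string b) => CryptographicOperations.FixedTimeEquals(
        Convert.FromBase64String(a), Convert.FromBase64String(b));

    public static bool Login(string user, string password)
    {
        if (NewTable.TryGetValue(user, out var stored))
        {
            byte[] salt = Convert.FromBase64String(stored).Skip(1).Take(16).ToArray();
            return Same(NewHash(password, salt), stored);
        }
        if (!OldTable.TryGetValue(user, out var old) || !Same(LegacyHash(password, old.Salt), old.Hash))
            return false;
        // Legacy hash matched: re-hash the plaintext still in hand, then drop the old row.
        NewTable[user] = NewHash(password, RandomNumberGenerator.GetBytes(16));
        OldTable.Remove(user);
        return true;
    }

    static void Main()
    {
        string salt = Convert.ToBase64String(new byte[16]); // constructed all-zero salt, demo only
        OldTable["alice"] = (salt, LegacyHash("correct horse", salt));
        Console.WriteLine(Login("alice", "wrong guess"));   // legacy check fails, old row kept
        Console.WriteLine(Login("alice", "correct horse")); // legacy check passes, row migrated
        Console.WriteLine(Login("alice", "correct horse") && !OldTable.ContainsKey("alice")); // new hash only
    }
}
```

In a real site the first branch would be the SimpleMembership login call and the migration step would write through the provider rather than to a dictionary.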
Solution 3
I had a similar issue, I should have written a tutorial / blog post on doing this, but my solution was to add the following to my web.config (this corresponds to option #2):
    <system.web>
        <membership hashAlgorithmType="SHA1" defaultProvider="DefaultMembershipProvider">
            <providers>
                <add name="DefaultMembershipProvider" etc.../>
            </providers>
        </membership>
        <machineKey validation="SHA1" />
        ...
    </system.web>
The interesting part of the code above is the "hashAlgorithmType". Setting that to SHA1 will use the old ASP.NET Membership hashing algorithm.
I'm also in a similar position -- I either have to ask my users to update their passwords or keep with the specific hash algorithm.
Hope this helps! -Sig
Jim Culverwell
Updated on June 05, 2022
Comments
-
Jim Culverwell almost 2 years
The new MVC4 RTM internet application templates use the SimpleMembership providers as described here SimpleMembership
My existing MVC website uses the ASP.Membership framework and ideally I would like to migrate the user data in these tables to the new SimpleMembership tables. My reasons for wanting to do this are:
- Cleaner integration with the rest of my database which uses EF
- Support for Azure and OAuth out of the box
- Use latest MVC4 RTM Controllers/Views without needing to modify
- I've always felt the existing membership implementation was a little bloated for what I needed
So I wrote a SQL script today to migrate the data in the existing ASP.Net Membership tables into the new Simple Membership tables. This can be found here
Testing the login in my MVC 4 website the password verification is failing. I believe the SimpleMembership uses a different password algo than the old Membership framework as new passwords created under the SimpleMemberShip framework look a lot longer.
So my question is: since I was using the "hashed" password format in the old ASP.Net membership providers and the users' original password is irretrievable, what options do I have to get the SimpleMembership provider working?
I'm guessing some options are:
- Get my users to reset their passwords
- Getting the SimpleMembership provider to use the same password algo as the old ASP.Net Membership providers.
- Revert the new MVC 4 RTM internet application templates to use the old ASP.Net MemberShip providers. This is the least desirable option for me as I would like to use the SimpleMemberShip framework.
I would suspect many people are also looking to migrate their existing membership databases to the new SimpleMemberShip provider.
Any help greatly appreciated.
Cheers
Jim
-
PretzelSteelersFan over 11 years
Here's a post on migration that handles the difference in hashing transparently. pretzelsteelersfan.blogspot.com/2012/11/…
-
Jim Culverwell over 11 years
Thanks Paul, this is by far the best solution I've seen. I'm going to adopt this.
-
Jim Culverwell over 11 years
Thanks Sig, much appreciated, I'm sure other people will find this very useful. In the end I'm going to get the users to reset their passwords using the new SimpleMemberShip hashing. Apparently this is more secure than the old SHA1 algorithm.
-
Vinney Kelly over 11 years
I like this idea but I'm having a hard time trying to figure out the implementation. Can you provide a little more explanation about how one might switch between Membership contexts?
-
aruno over 11 years
@vinney you wouldn't be using two membership contexts - just accessing the raw data from the old table manually. Using two contexts may be possible but if I end up using this approach I'll just access the old table directly
-
Chance about 11 years
Hi, Sig. I tried your solution, but it does not work in my project.
    <membership hashAlgorithmType="SHA1" defaultProvider="simple">
        <providers>
            <clear/>
            <add name="simple" type="WebMatrix.WebData.SimpleMembershipProvider, WebMatrix.WebData"/>
        </providers>
    </membership>
    <machineKey validation="SHA1" />
Is that correct? Thank you!
-
Sig Myers about 11 years
Hey Chance, that all looks okay to me. Is there a specific error or issue you're running into?
-
Robert McLaws about 11 years
I should point out that this only works if your passwords are hashed. If they are encrypted, you have to decrypt the password yourself and then save it using Paul's technique. I have to do this for my site, so I will leave a comment on Paul's post when I figure out the code.
-
Robert McLaws about 11 years
OK, you can find my code to deal with encrypted passwords in addition to hashed passwords here. You have to add my DecryptingSqlMembershipProvider to the Providers list, along with the SimpleMembershipProvider, in order for it to work.