27
votes

The new MVC4 RTM internet application templates use the SimpleMembership providers as described here: SimpleMembership

My existing MVC website uses the ASP.Membership framework and ideally I would like to migrate the user data in these tables to the new SimpleMembership tables. My reasons for wanting to do this are:

  1. Cleaner integration with the rest of my database which uses EF
  2. Support for Azure and OAuth out of the box
  3. Use latest MVC4 RTM Controllers/Views without needing to modify
  4. I've always felt the existing membership implementation was a little bloated for what I needed

So I wrote a SQL script today to migrate the data in the existing ASP.Net Membership tables into the new Simple Membership tables. This can be found here

Testing the login in my MVC 4 website, the password verification is failing. I believe SimpleMembership uses a different password algo than the old Membership framework, as new passwords created under the SimpleMembership framework look a lot longer.

So my question is: since I was using the "hashed" password format in the old ASP.Net membership providers and the users' original password is irretrievable, what options do I have to get the SimpleMembership provider working?

I'm guessing some options are:

  1. Get my users to reset their passwords
  2. Getting the SimpleMembership provider to use the same password algo as the old ASP.Net Membership providers.
  3. Revert the new MVC 4 RTM internet application templates to use the old ASP.Net Membership providers. This is the least desirable option for me as I would like to use the SimpleMembership framework.

I would suspect many people are also looking to migrate their existing membership databases to the new SimpleMembership provider.

Any help greatly appreciated.

Cheers

Jim

3
Here's a post on migration that handles the difference in hashing transparently. pretzelsteelersfan.blogspot.com/2012/11/… – PretzelSteelersFan
Thanks Paul, this is by far the best solution I've seen. I'm going to adopt this. – Jim Culverwell

3 Answers

12
votes

I'd like to surface Paul's comment in case anyone misses it and suggest his solution is the best I've seen.

http://pretzelsteelersfan.blogspot.com/2012/11/migrating-legacy-apps-to-new.html

Thanks Paul

11
votes

You have access to the plain text password when the user logs in, which gives you another option:

  1. Keep the old passwords in a separate table
  2. On login, first use the SimpleMembership method
  3. If that fails, check against the old password table using the old hash algorithm (you'll need to make sure the plain text password is still in the context)
  4. If that succeeds, update the SimpleMembership tables, and remove from the old password table

The users wouldn't need to know about the change, and the active users would have a more secure hash. If you'd like to force the security upgrade in the future, you can warn the users that their accounts will be deleted after a year of inactivity, and just retire the two-step system.
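
The fallback login flow from this answer, as an added C# example that is not part of the original answer or of any project's code. It assumes the legacy rows used the "Hashed" format with SHA1 (base64 of SHA1 over salt bytes followed by the UTF-16LE password), that each migrated user already has a confirmed SimpleMembership account row, and `ILegacyPasswordStore` is a hypothetical interface over the table holding the old hash and salt.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using WebMatrix.WebData; // WebSecurity (SimpleMembership)

// Hypothetical store over the table that keeps the old Password and
// PasswordSalt values (both base64) copied from aspnet_Membership.
public interface ILegacyPasswordStore
{
    bool TryGet(string userName, out string hashB64, out string saltB64);
    void Remove(string userName);
}

public static class LegacyLoginMigrator
{
    // Legacy "Hashed" format, assuming SHA1:
    // base64(SHA1(salt bytes || UTF-16LE password bytes)).
    public static bool VerifyLegacy(string password, string hashB64, string saltB64)
    {
        byte[] salt = Convert.FromBase64String(saltB64);
        byte[] pwd = Encoding.Unicode.GetBytes(password);
        byte[] expected = Convert.FromBase64String(hashB64);
        using (var sha1 = SHA1.Create())
        {
            byte[] actual = sha1.ComputeHash(salt.Concat(pwd).ToArray());
            // Compare without exiting early on the first differing byte.
            int diff = actual.Length ^ expected.Length;
            for (int i = 0; i < actual.Length && i < expected.Length; i++)
                diff |= actual[i] ^ expected[i];
            return diff == 0;
        }
    }

    public static bool Login(string userName, string password, ILegacyPasswordStore legacy)
    {
        if (WebSecurity.Login(userName, password)) return true;   // step 2
        string hash, salt;
        if (!legacy.TryGet(userName, out hash, out salt)) return false;
        if (!VerifyLegacy(password, hash, salt)) return false;    // step 3
        // Step 4: let SimpleMembership rehash the password the user just
        // typed, then drop the legacy hash so it cannot be used again.
        string token = WebSecurity.GeneratePasswordResetToken(userName);
        if (!WebSecurity.ResetPassword(token, password)) return false;
        legacy.Remove(userName);
        return WebSecurity.Login(userName, password);
    }
}
```

The first failed `WebSecurity.Login` call counts as a failed attempt for the account, so any lockout threshold applied elsewhere should allow for it during the migration period.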

7
votes

I had a similar issue, I should have written a tutorial / blog post on doing this, but my solution was to add the following to my web.config (this corresponds to option #2):

    <system.web>
        <membership hashAlgorithmType="SHA1" defaultProvider="DefaultMembershipProvider">
          <providers>
            <add name="DefaultMembershipProvider" etc.../>
          </providers>
        </membership>
        <machineKey validation="SHA1" />
        ...
    </system.web>

The interesting part of the code above is the "hashAlgorithmType". Setting that to SHA1 will use the old ASP.NET membership's hashing algorithm.

I'm also in a similar position -- I either have to ask my users to update their passwords or keep with the specific hash algorithm.

Hope this helps! -Sig