Current Umbraco Version - Umbraco version 7.5.3
We have an Umbraco Project that uses a Custom Membership Provider to authenticate members (front-end) to certain protected page(s). This membership provider has worked fine until we had to upgrade the system that our members are authenticated via. After upgrading the external system our Membership Provider now has a strange issue that I'm struggling to resolve. The issue is as follows:
1 - User attempts to login with their correct details (via Umbraco Login Form) and receives an 'Incorrect Username & Password Error'
2 - User then uses our 'Reset Password' functionality, which sends them a 'PIN' that they enter into an Umbraco Form. If the PIN matches, they're then presented with a Form to enter a new Password.
3 - The user is now able to log via the newly created Username & Password (into Umbraco Protected Areas).
4 - Now, the user goes to our External system and enters their username and password (created via the Umbraco Form). This also logs them in successfully. (This seems to change the password of the user?)
5 - User now tries to re-login to Umbraco Protected Page but again receives an incorrect Username & Password.
6 - However the Username and Password still works on the external system.
After some research we have come to the conclusion that our external system now seems to use a different Encryption method that Umbraco isn't compatible with?
I'm really struggling to figure out how/why this is now happening and what I need to change to ensure that the passwords both match and that the members can access the protected pages.
Here is what I believe is running the Login/Password Reset Logic:
namespace Profile.Controllers
{
[PluginController("Profile")]
public class SecurityController : SurfaceController
{
public string RandomString(int length)
{
var chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
var stringChars = new char[length];
var random = new Random();
for (int i = 0; i < stringChars.Length; i++)
{
stringChars[i] = chars[random.Next(chars.Length)];
}
return new String(stringChars);
}
[ChildActionOnly]
public ActionResult SecurityForm()
{
var model = new SecurityModel();
return PartialView("SecurityForm", model);
}
[HttpPost]
public ActionResult UpdateUsername(SecurityModel viewModel, FormCollection form)
{
iboAdmin.InitializeSystem();
try
{
CContactUser user = CContactUser.LoginByWebLogin(User.Identity.Name);
user.ChangeWebLogin(viewModel.ChangeUsername.NewUsername, viewModel.ChangeUsername.Password);
}
catch (Exception ex)
{
ModelState.AddModelError("", ex.Message);
}
if (ModelState.IsValid)
{
TempData["SuccessMessage"] = "Your username has been changed successfully";
return RedirectToCurrentUmbracoPage();
}
else
{
return CurrentUmbracoPage();
}
}
[HttpPost]
public ActionResult UpdatePassword(SecurityModel viewModel, FormCollection form)
{
bool legacyCode = false;
try
{
if (legacyCode)
{
iboAdmin.InitializeSystem();
CContactUser user = CContactUser.LoginByWebLogin(User.Identity.Name);
user.ChangePassword(viewModel.ChangePassword.CurrentPassword, viewModel.ChangePassword.NewPassword);
}
else
{
if (!iboAdmin.IsSystemInitialized)
{
iboAdmin.InitializeSystem();
}
CContactUser user = CContactUser.LoginByWebLogin(User.Identity.Name);
var contact = new CContact(CStaffUser.GetDefaultStaffUser(), user.ContactId);
contact.UserSecurity.ChangePassword(viewModel.ChangePassword.CurrentPassword, User.Identity.Name, viewModel.ChangePassword.NewPassword);
contact.Save();
if (contact.ErrorsCount > 0)
ModelState.AddModelError("", "An error occured when setting the password: " + contact.Errors.PrimaryErrorMessage);
}
}
catch (Exception ex)
{
ModelState.AddModelError("", ex.Message);
}
if (ModelState.IsValid)
{
TempData["SuccessMessage"] = "Your password has been changed successfully";
return RedirectToCurrentUmbracoPage();
}
else
{
return CurrentUmbracoPage();
}
}
[HttpPost]
public ActionResult LoginReminder(string Email)
{
iboAdmin.InitializeSystem();
try
{
CContactUser user = CContactUser.LoginByWebLogin("manager");
CContact contact = CContact.GetContacts(user, "", "AND Name.EMAIL = @email", new SqlParameter[] { new SqlParameter("email", Email) }).First();
string ksamHelpline = (ConfigurationManager.AppSettings.AllKeys.Contains("KSAMHelpline") ? ConfigurationManager.AppSettings["KSAMHelpline"] : "01625 664500");
if (contact == null)
{
throw new Exception("There are no users on our system with that e-mail address registered. Please contact the administration office on " + ksamHelpline + " to access your account.");
}
string userName = contact.UserSecurity.WebLoginId;
if(string.IsNullOrEmpty(userName))
{
throw new Exception("A username has not been found for your email address. Please contact the administration office on " + ksamHelpline + ".");
}
else
{
SmtpClient smtpClient = new SmtpClient();
MailMessage mail = new MailMessage();
string messageBody = System.IO.File.ReadAllText(Server.MapPath("~/emails/LoginReminder.html"));
HtmlDocument htmldoc = new HtmlDocument();
htmldoc.LoadHtml(messageBody);
mail.To.Add(new MailAddress(contact.EmailAddress));
mail.Subject = htmldoc.DocumentNode.SelectSingleNode("//head/title").InnerText;
messageBody = messageBody.Replace("[USERNAME]", userName);
mail.Body = messageBody.Replace("[FIRST_NAME]", contact.FirstName);
mail.IsBodyHtml = true;
smtpClient.Send(mail);
TempData["SuccessMessage"] = "A reminder e-mail containing your username has been sent to " + Email;
}
}
catch (Exception ex)
{
ModelState.AddModelError("", ex.Message);
}
if (ModelState.IsValid)
{
return RedirectToCurrentUmbracoPage();
}
else
{
return CurrentUmbracoPage();
}
}
[HttpPost]
public ActionResult PasswordResetRequest(string username)
{
Session["ResetUser"] = "";
iboAdmin.InitializeSystem();
try
{
CContactUser user = CContactUser.LoginByWebLogin(username);
CContact contact = new CContact(user,user.ContactId);
if (contact.EmailAddress == "")
{
throw new Exception("There is no email address registered to that username. Please contact the administration office to access your account.");
}
Session["PIN"] = RandomString(5);
Session["ResetUser"] = username;
TempData["PINSent"] = true;
SmtpClient smtpClient = new SmtpClient();
MailMessage mail = new MailMessage();
string messageBody = System.IO.File.ReadAllText(Server.MapPath("~/emails/ResetPasswordPin.html"));
HtmlDocument htmldoc = new HtmlDocument();
htmldoc.LoadHtml(messageBody);
mail.To.Add(new MailAddress(contact.EmailAddress));
mail.Subject = htmldoc.DocumentNode.SelectSingleNode("//head/title").InnerText;
mail.Body = messageBody.Replace("[PIN]", Session["PIN"].ToString());
mail.IsBodyHtml = true;
smtpClient.Send(mail);
}
catch (Exception ex)
{
ModelState.AddModelError("", ex.Message);
}
if (ModelState.IsValid)
{
return RedirectToCurrentUmbracoPage();
}
else
{
return CurrentUmbracoPage();
}
}
[HttpPost]
public ActionResult PasswordResetVerify(string PIN)
{
iboAdmin.InitializeSystem();
try
{
if (Session["PIN"].ToString() == PIN)
{
TempData["Verified"] = true;
}
else
{
throw new Exception("Verification codes do not match");
}
}
catch (Exception ex)
{
ModelState.AddModelError("", ex.Message);
}
if (ModelState.IsValid)
{
return RedirectToCurrentUmbracoPage();
}
else
{
return CurrentUmbracoPage();
}
}
[HttpPost]
public ActionResult PasswordReset(string password)
{
iboAdmin.InitializeSystem();
try
{
CContact contact;
bool legacyCode = false, success = false;
if (legacyCode)
{
CContactUser user = CContactUser.LoginByWebLogin(Session["ResetUser"].ToString());
user.ChangePassword(password, "REMOVED", "REMOVED");
contact = new CContact(user, user.ContactId);
}
else
{
// Jeremy suggested code v1.
//
/*if (!iboAdmin.IsSystemInitialized)
{
iboAdmin.InitializeSystem();
}
CContactUser user = CContactUser.LoginByWebLogin(Session["ResetUser"].ToString());
contact = new CContact(user, user.ContactId);
contact.UserSecurity.ChangePassword(password, "REMOVED", "REMOVED");
contact.Save();
if (contact.ErrorsCount > 0)
ModelState.AddModelError("", "An error occured when setting the password: " + contact.Errors.PrimaryErrorMessage);*/
// Jeremy suggested code v2.
//
if (!iboAdmin.IsSystemInitialized)
{
iboAdmin.InitializeSystem();
}
CContactUser user = CContactUser.LoginByWebLogin(Session["ResetUser"].ToString());
contact = new CContact(CStaffUser.GetDefaultStaffUser(), user.ContactId);
var membershipUser = Membership.GetUser(contact.UserSecurity.WebLoginId, false);
string oldPassword = membershipUser.ResetPassword();
success = membershipUser.ChangePassword(oldPassword, password);
}
SmtpClient smtpClient = new SmtpClient();
MailMessage mail = new MailMessage();
string messageBody = System.IO.File.ReadAllText(Server.MapPath("~/emails/ResetPasswordSuccess.html"));
HtmlDocument htmldoc = new HtmlDocument();
htmldoc.LoadHtml(messageBody);
mail.To.Add(new MailAddress(contact.EmailAddress));
mail.Subject = htmldoc.DocumentNode.SelectSingleNode("//head/title").InnerText;
mail.Body = messageBody.Replace("[FIRST_NAME]", contact.FirstName);
mail.IsBodyHtml = true;
smtpClient.Send(mail);
TempData["Success"] = true;
TempData["SuccessMessage"] = "Your password has been reset successfully.";
}
catch (Exception ex)
{
ModelState.AddModelError("", ex.Message);
}
if (ModelState.IsValid)
{
return RedirectToCurrentUmbracoPage();
}
else
{
return CurrentUmbracoPage();
}
}
}
}
