http://bugzilla.novell.com/show_bug.cgi?id=601727
http://bugzilla.novell.com/show_bug.cgi?id=601727#c0

           Summary: Cannot use Web Forms MD5 authentications
    Classification: Mono
           Product: Mono: Class Libraries
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Sys.Web
        AssignedTo: [email protected]
        ReportedBy: [email protected]
         QAContact: [email protected]
          Found By: Customer
           Blocker: No

Description of Problem:

I currently use Web Forms authentication in my ASP.NET app. Web.config is like the following:

    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" slidingExpiration="true" timeout="10">
        <credentials passwordFormat="MD5">
          <user name="admin" password="[md5 hash]" />
        </credentials>
      </forms>
    </authentication>

Under Windows it works fine and I get authenticated. When using Mono, my login gets refused. Couldn't test the same MD5 credentials with other authentication techniques.

Steps to reproduce the problem:

1. Configure Web.config like above.
2. Create a Login.aspx page with at least the following control:

    <asp:Login ID="loginControl" runat="server" LoginButtonType="Button"
               Orientation="Vertical" CssClass="fieldlabel" RememberMeSet="false"
               TitleText="Login" OnAuthenticate="loginControl_Authenticate">
    </asp:Login>

   and the corresponding code-behind method:

    protected void loginControl_Authenticate(object sender, AuthenticateEventArgs e)
    {
        // Checks the submitted credentials against the <credentials> section of Web.config
        e.Authenticated = FormsAuthentication.Authenticate(loginControl.UserName, loginControl.Password);
    }

3. Test with proper credentials.

Actual Results:

Your password is always refused.

Expected Results:

Your password, matching the MD5 hash, should be accepted.

How often does this happen?

Always

Additional Information:

The problem is in the FormsAuthentication.Authenticate(string,string) static method, which should return true but returns false. I looked into the Mono code; its implementation seems correct (the input password is MD5-hashed if configuration requires hashing, then compared to the stored password) but... the "return (password == stored);" statement might be the problem. It COULD be a casing problem. If the password is stored as lowercase hex but GetHexString returns uppercase hex, or vice versa, it could be causing the problem. I looked at GetHexString and, as I remember, its return value is uppercase, judging by the ASCII codes involved. The MD5 string in my example is lowercase.

Suggested solutions:

1. When comparing passwords, use a case-insensitive comparison when the password is hashed, else use a case-sensitive one (passwords are plaintext).
2. Explicitly uppercase the stored password before comparison with the hash.

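The comparison problem described in the report, shown beside suggested solution 1, as an added C# example (it is not Mono's source and not the reporter's code). All type and method names are hypothetical, the password and stored hash are constructed, and UTF-8 encoding of the password before hashing is an assumption.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; not Mono's FormsAuthentication source.
// Every name in this class is hypothetical.
static class HashedCredentialCheck
{
    // Uppercase hex, which is what the report says GetHexString returns.
    static string ToUpperHex(byte[] data)
    {
        var sb = new StringBuilder(data.Length * 2);
        foreach (byte b in data)
            sb.Append(b.ToString("X2"));
        return sb.ToString();
    }

    // Assumption: the password is encoded as UTF-8 before hashing.
    static string Md5Hex(string password)
    {
        using (MD5 md5 = MD5.Create())
            return ToUpperHex(md5.ComputeHash(Encoding.UTF8.GetBytes(password)));
    }

    // Behaviour described in the report: ordinal, case-sensitive comparison
    // of the computed hex string with the configured one.
    static bool AuthenticateCaseSensitive(string password, string stored)
    {
        return Md5Hex(password) == stored;
    }

    // Suggested solution 1: ignore case only when the stored value is a hash;
    // plaintext passwords stay case-sensitive.
    static bool AuthenticateFixed(string password, string stored, bool hashed)
    {
        if (!hashed)
            return string.Equals(password, stored, StringComparison.Ordinal);
        return string.Equals(Md5Hex(password), stored, StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        // Constructed sample: the hash of "secret" written in lowercase hex,
        // as in the reporter's Web.config.
        string stored = Md5Hex("secret").ToLowerInvariant();

        Console.WriteLine("case-sensitive, lowercase stored hash: {0}", AuthenticateCaseSensitive("secret", stored));
        Console.WriteLine("fixed, lowercase stored hash:          {0}", AuthenticateFixed("secret", stored, true));
        Console.WriteLine("fixed, wrong password:                 {0}", AuthenticateFixed("Secret", stored, true));
        Console.WriteLine("fixed, plaintext with wrong case:      {0}", AuthenticateFixed("Secret", "secret", false));
    }
}
```

Hex digits carry no information in their case, so the case-insensitive branch accepts no additional passwords; it only stops valid ones from being rejected because of how the hash was written in Web.config.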