internal static bool VerifyPassword()

in CustomSecuritySample/AuthenticationUtilities.cs [114:159]


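      /// <summary>
      /// Looks up the stored password hash and salt for <paramref name="suppliedUserName"/>
      /// through the "LookupUser" stored procedure, hashes the supplied password with that
      /// salt and compares the result against the stored hash.
      /// </summary>
      /// <param name="suppliedUserName">User name entered by the caller. It is passed to the
      /// stored procedure as a VarChar(255) parameter, never concatenated into SQL text.</param>
      /// <param name="suppliedPassword">Clear-text password entered by the caller.</param>
      /// <returns>true if the computed hash equals the stored hash; false if it differs, if the
      /// user name is null, or if the stored procedure returns no row or a NULL hash/salt.</returns>
      /// <exception cref="Exception">Wraps any database or hashing failure; the original
      /// exception is preserved as InnerException.</exception>
      /// <remarks>
      /// SECURITY: the stored hash is a single SHA1 over password+salt produced by
      /// FormsAuthentication.HashPasswordForStoringInConfigFile. That API is deprecated and
      /// a single SHA1 round is far too fast for password storage (offline guessing).
      /// The stored hashes fix this format, so the method keeps it; migrating to a slow KDF
      /// such as PBKDF2 (Rfc2898DeriveBytes) with per-login re-hashing is strongly recommended.
      /// NOTE(review): an unknown user returns before any hashing is done, so the response
      /// time still differs from the wrong-password path; hashing a dummy value in that
      /// case would close that enumeration side channel — confirm whether it matters here.
      /// </remarks>
      internal static bool VerifyPassword(string suppliedUserName,
         string suppliedPassword)
      {
         // A null user name cannot match anyone; passing it as a parameter value would
         // only produce a "parameter not supplied" database error.
         if (suppliedUserName == null)
         {
            return false;
         }

         bool passwordMatch = false;
         // Get the salt and pwd from the database based on the user name.
         // See "How To: Use DPAPI (Machine Store) from ASP.NET," "How To:
         // Use DPAPI (User Store) from Enterprise Services," and "How To:
         // Create a DPAPI Library" on MSDN for more information about 
         // how to use DPAPI to securely store connection strings.
         using (SqlConnection conn = new SqlConnection(Properties.Settings.Default.Database_ConnectionString))
         using (SqlCommand cmd = new SqlCommand("LookupUser", conn))
         {
            cmd.CommandType = CommandType.StoredProcedure;

            SqlParameter sqlParam = cmd.Parameters.Add("@userName",
              SqlDbType.VarChar,
              255);
            sqlParam.Value = suppliedUserName;
            try
            {
               conn.Open();
               using (SqlDataReader reader = cmd.ExecuteReader())
               {
                  // No row (unknown user) or a NULL hash/salt is a plain mismatch, not an
                  // error. Reading the columns unconditionally would throw here, which both
                  // surfaces a database error to the caller and lets an attacker distinguish
                  // "unknown user" from "wrong password" by the exception.
                  if (reader.Read() && !reader.IsDBNull(0) && !reader.IsDBNull(1))
                  {
                     string dbPasswordHash = reader.GetString(0);
                     string salt = reader.GetString(1);
                     // The salt is appended to the password before hashing; the stored
                     // hash must have been produced the same way.
                     string passwordAndSalt = String.Concat(suppliedPassword, salt);
                     string hashedPasswordAndSalt =
                        FormsAuthentication.HashPasswordForStoringInConfigFile(
                           passwordAndSalt, "SHA1");
                     // Ordinal comparison whose running time does not depend on how many
                     // leading characters of the two hashes agree.
                     passwordMatch = FixedTimeEquals(hashedPasswordAndSalt, dbPasswordHash);
                  }
               }
            }
            catch (Exception ex)
            {
               // Keep the original exception as InnerException so its type and stack
               // trace survive. The message is built with Concat, not string.Format:
               // a '{' inside a SQL error message would otherwise raise a
               // FormatException in place of the intended exception.
               // NOTE(review): ex.Message may carry database details; callers should
               // log this and show the user a generic failure message.
               throw new Exception(
                  String.Concat(CustomSecurity.VerifyUserException, ex.Message), ex);
            }
         }
         return passwordMatch;
      }

      /// <summary>
      /// Compares two strings for exact ordinal equality in time that depends only on
      /// their length, never on the position of the first differing character. Used for
      /// the hash comparison so response time cannot leak how much of the stored hash a
      /// guess has matched.
      /// </summary>
      /// <param name="expected">First string (null is never equal).</param>
      /// <param name="actual">Second string (null is never equal).</param>
      /// <returns>true if both are non-null and character-for-character identical.</returns>
      private static bool FixedTimeEquals(string expected, string actual)
      {
         if (expected == null || actual == null || expected.Length != actual.Length)
         {
            return false;
         }
         int difference = 0;
         for (int i = 0; i < expected.Length; i++)
         {
            // OR-accumulate every character XOR; the loop never exits early.
            difference |= expected[i] ^ actual[i];
         }
         return difference == 0;
      }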