
I have been tasked with rebuilding an ancient website which is written in ASP.net and VB on Windows Server 2003 R2. I need to allow users to log into the new site once using their current (old) password before I have them create a new one.

I have access to all the files and code, and the DB of hashes and salts etc., as well as the Web.config and its <machineKey/>.

My question is, how do I hash (currently it's set to "encrypt" in ASP.net, actually) the user's input in another language so that I can compare the hashed values on their first login?

<machineKey/> says validation="SHA1". Web.config has no mention of algorithm elsewhere. The specific .NET method being used to create users in the VB code is System.Web.Security.Membership.CreateUser(). How could I mimic that in Node.js, Java, or PHP (I can translate from those langs if I need to)?

EDIT: If anyone can decipher this method and tell me what's actually going on, I'd appreciate it.

  • Can you validate through the existing app and redirect to new one? – damian Nov 20 '19 at 19:07
  • The reference source code for .NET Framework is available. Perhaps you should [look at it](https://referencesource.microsoft.com/#System.Web/Security/Membership.cs) to see what they're doing. – mason Nov 20 '19 at 19:11
  • I tried diving into the .NET framework. Once I got a few nested methods deep, into `System.Web.Configuration.MachineKeySection.EncryptOrDecryptData()`, I got lost. What a nightmare. – Craig Wilson Nov 20 '19 at 21:11
  • Most likely the OS doesn't matter, and the version of ASP.NET will matter only mildly. A possible alternative is therefore to separate the part of the site that does authentication, encapsulate it in its own service and call it to do the verification. This does mean maintaining a server (possibly virtual) with an ASP.NET installation for as long as the migration needs to happen, which is clumsy, but not as costly as maintaining a whole site on an ancient server, and not as vexing as reverse engineering everything. – Jeroen Mostert Nov 21 '19 at 15:43
  • I don't need to maintain the old site, just use the old (encrypted) passwords to let them log into the new site once before they change it to a new one. – Craig Wilson Nov 22 '19 at 17:22

0 Answers