Question
I'm using Membership provider configured in Web.config like this to use SQL CE:
https://stackoverflow.com/questions/21731831
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian <connectionStrings>
<add name="DefaultConnection" connectionString="Data Source=|DataDirectory|\Users.sdf" providerName="System.Data.SqlServerCe.4.0" />
</connectionStrings>
and:
<membership defaultProvider="DefaultMembershipProvider">
<providers>
<clear />
<add name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordFormat="Hashed" applicationName="/" />
</providers>
</membership>
This works correctly if I have no machinekey specified.
If I add a machinekey to the Web.config as follows, then existing users can no longer login. However I can create new users and they can log-in.
<machineKey validationKey="D829F10BE92767EC2F9E9FC53B2CF3952AAD386483D6E81E74B4BD84DBE66F71CA121581598FEA669892DBDE46507DF3C8028BBD8FD4E678557621141945171C" decryptionKey="D14678D1FB1777E10316163F6D97071CDF2A447FA15C172DC9525BA397BB0610" validation="SHA1" decryption="AES" />
<pages enableViewStateMac="true"/>
If I remove the machinekey then originally-created users can log-in again, and newly-created users cannot.
Why does adding a machinekey change whether existing users can log-in, given that the password is hashed not encrypted?
Solution
By default, .Net Framework 4 use SHA256. Please make sure algorithm is same in both places, and try either SHA1 or SHA256.
<membership ... hashAlgorithmType="SHA1">
<providers>
...
</providers>
</membership>
<machineKey ... validation="SHA1" decryption="AES" />
