Question

I'm trying to migrate users from a Joomla database to a custom one using the default ASP.NET tables and providers. Theoretically I can change the hash type from the default (SHA) to MD5 by changing web.config; however, when logging in it reports an invalid password (or username, but I doubt it's that). Examining the aspnet_Membership table and the Joomla_users table I can see both have the same password and salt values per user (Joomla 1.7 actually stores it as password:salt but that's easy to split into two fields). Both appear to be in base64 format, and adding a user through the ASP default login control results in a similar pair of fields for the new user (though the salt is randomized I think, so I can't compare with the same known password).

Here's an extract from my web.config:

<system.web>
  <machineKey validation="MD5"/>
  ...
  <membership hashAlgorithmType="MD5">
    <providers>
      <clear />
      <add name="AspNetSqlMembershipProvider"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="UserAuth"
           enablePasswordRetrieval="false"
           enablePasswordReset="true"
           requiresQuestionAndAnswer="false"
           requiresUniqueEmail="false"
           maxInvalidPasswordAttempts="5"
           minRequiredPasswordLength="6"
           minRequiredNonalphanumericCharacters="0"
           passwordAttemptWindow="10"
           passwordFormat="Hashed"
           applicationName="/" />
    </providers>
  </membership>
</system.web>

One thing I'm not sure on is whether it's md5, Md5, or MD5 (I've seen both the latter in code samples while Googling). However, I can write nonsense instead and the application doesn't appear to bat an eyelid.

I don't particularly wish to write a custom membership provider unless there is no other way.

Here's some PHP that compares the Joomla hashed password with one supplied as a parameter to this function:

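    // Fetch the stored Joomla credentials for the matched user row.
    $user_id = mysql_result($result, 0, 'id');
    $db_password = mysql_result($result, 0, 'password');
    $joomla = new JConfig;
    // Joomla stores the value as "md5hash:salt"; explode() replaces the removed split().
    list($md5pass, $saltpass) = explode(":", $db_password);
    // Joomla hashes the password followed by the salt.
    $md5_password = md5($user_password . $saltpass);
    if (strcmp($md5_password, $suppliedpass) == 0)
    {
        return $user_id;
    }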

Either the ASP version is ignoring my md5 request, or somehow it's storing it in some other way, or I'm not telling it to use md5 correctly, or...? I don't want to tell 4000 users to reset their passwords, though I'm aware md5 is not recommended these days.


Solution

I think I worked it out. In Joomla, from the PHP code, the md5 is applied to pass+salt. In SqlMembershipProvider.cs it's applied to salt+pass.

The SqlMembershipProvider.cs was found via SQLMembershipProvider - source code - maybe not the true source but I see no reason why it should be different from the true source in that particular aspect.
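
The ordering difference described in this answer, as an added example (not code from the original post, Joomla, or ASP.NET): a Python model of both computations and a verifier for the migrated `hash:salt` records. The UTF-16LE password bytes and base64-decoded salt on the provider side are assumptions taken from the published provider source rather than from this page; the UTF-8 encoding on the Joomla side, the function names and the sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac


def joomla_md5(password: str, salt: str) -> str:
    """Joomla 1.7 style: hex MD5 over password followed by salt (salt used as text)."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def aspnet_md5(password: str, salt_b64: str) -> str:
    """SqlMembershipProvider style (assumed): base64 of MD5 over
    decoded salt bytes followed by the UTF-16LE password bytes."""
    salt = base64.b64decode(salt_b64)
    digest = hashlib.md5(salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")


def schemes_agree(password: str, salt_b64: str) -> bool:
    """True only if both schemes yield the same digest for the same inputs."""
    joomla_b64 = base64.b64encode(bytes.fromhex(joomla_md5(password, salt_b64)))
    return joomla_b64.decode("ascii") == aspnet_md5(password, salt_b64)


def verify_joomla_record(record: str, candidate: str) -> bool:
    """Check a candidate password against a stored 'hash:salt' Joomla record."""
    stored_hash, _, salt = record.partition(":")
    computed = joomla_md5(candidate, salt)
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(computed.encode(), stored_hash.lower().encode())


# Constructed sample data, not taken from any real database.
SAMPLE_PASSWORD = "correct horse"
SAMPLE_SALT = "c2FsdHNhbHRzYWx0c2FsdA=="  # valid base64 so both schemes accept it
SAMPLE_RECORD = joomla_md5(SAMPLE_PASSWORD, SAMPLE_SALT) + ":" + SAMPLE_SALT

if __name__ == "__main__":
    print("Joomla :", joomla_md5(SAMPLE_PASSWORD, SAMPLE_SALT))
    print("ASP.NET:", aspnet_md5(SAMPLE_PASSWORD, SAMPLE_SALT))
    print("same digest?", schemes_agree(SAMPLE_PASSWORD, SAMPLE_SALT))
    print("record verifies?", verify_joomla_record(SAMPLE_RECORD, SAMPLE_PASSWORD))
```

Because the stock provider cannot reproduce the Joomla digest, copying the password and salt columns across unchanged will fail at login even with `hashAlgorithmType="MD5"`; the legacy records need a verifier that hashes in Joomla's order.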

Licensed under: CC-BY-SA with attribution