UserManager CheckPassword() rehashes the password in .net core 3.1 and can’t sign in from asp.net MVC Project

I’m using asp.net Identity for signing in users in an asp.net MVC Project and it’s working fine.
I’ve created new .net core 3.1 API project and used the Microsoft.Extensions.Identity.Core for checking usernames and passwords to generate tokens.

The problem is that the .net core project rehashes the password and I’m not able to log in from the old asp.net MVC project.

This is my code:

var user = _userManager.Users.FirstOrDefault(e => e.UserName == UserName);

bool result = await _userManager.CheckPasswordAsync(user, password);

Answers:


Method 1

I had this problem too, and I’ve searched a lot about it. When the password comes from the view to the controller, you use CreateAsync(model.username, model.password), and this method changes the real password to a hashed password, so you can’t use it yourself except in action methods that have the real password as an input parameter. For example, the code below takes a string from the user, checks it with UserManager.FindAsync(), and puts the result in a variable.

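public async Task<ActionResult> Login(string username, string password)
{
    // FindAsync hashes the supplied password and compares it with the stored hash;
    // the result is null when the user name or password does not match.
    var findUser = await UserManager.FindAsync(username, password);
}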

and in your example you can take input and check:

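public async Task<ActionResult> Login(string username, string password)
{
    // CheckPasswordAsync takes the user object, so look the user up by name first.
    var user = await UserManager.FindByNameAsync(username);
    var IsUserExist = user != null && await UserManager.CheckPasswordAsync(user, password);
}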

Method 2

Your old application hashed using options PasswordHasherCompatibilityMode.IdentityV2, and when you migrated to the new application the default is PasswordHasherCompatibilityMode.IdentityV3. When you have a password hashed with IdentityV2 and then start using IdentityV3, ASP.NET Identity rehashes it by default (source code). You should use PasswordHasherCompatibilityMode.IdentityV2 in the new app also, something like:

services.Configure<PasswordHasherOptions>(o => o.CompatibilityMode = PasswordHasherCompatibilityMode.IdentityV2);

Method 3

I ended up using the PasswordHasher.VerifyHashedPassword() method to verify the user’s current hashed password and avoid rehashing, and it works successfully.

My Code:

var verifyResult = _userManager.PasswordHasher.VerifyHashedPassword(user, user.PasswordHash, password);

if (verifyResult != PasswordVerificationResult.Failed) // verifyResult is either SuccessRehashNeeded or Success
{
    //handle success login...
}
else
{
    //handle invalid login credentials...
}
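
The rehash that Methods 2 and 3 work around can be observed directly on the password hasher. The following is an added example, not code from the question or from any of the answers; it assumes the Microsoft.Extensions.Identity.Core package, and DemoUser, HashFormatDemo, Hasher and FormatOf are hypothetical names.

```csharp
using System;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;

class DemoUser { } // hypothetical user type; the hasher never reads it

static class HashFormatDemo
{
    static PasswordHasher<DemoUser> Hasher(PasswordHasherCompatibilityMode mode) =>
        new PasswordHasher<DemoUser>(
            Options.Create(new PasswordHasherOptions { CompatibilityMode = mode }));

    // The first decoded byte is the format marker: 0x00 = IdentityV2
    // (PBKDF2-HMAC-SHA1, 1000 iterations), 0x01 = IdentityV3.
    static string FormatOf(string storedHash)
    {
        byte[] raw = Convert.FromBase64String(storedHash);
        if (raw.Length == 0) return "empty";
        switch (raw[0])
        {
            case 0x00: return "IdentityV2";
            case 0x01: return "IdentityV3";
            default: return "unknown";
        }
    }

    static void Main()
    {
        var user = new DemoUser();
        const string password = "constructed-sample-password"; // constructed test value
        var v2 = Hasher(PasswordHasherCompatibilityMode.IdentityV2);
        var v3 = Hasher(PasswordHasherCompatibilityMode.IdentityV3);

        // What the old MVC application stored.
        string stored = v2.HashPassword(user, password);
        Console.WriteLine($"stored format: {FormatOf(stored)}");

        // Verification under each mode. SuccessRehashNeeded is the result that
        // makes UserManager.CheckPasswordAsync replace the stored hash.
        Console.WriteLine($"V3-mode verify: {v3.VerifyHashedPassword(user, stored, password)}");
        Console.WriteLine($"V2-mode verify: {v2.VerifyHashedPassword(user, stored, password)}");

        // What a V3-mode application writes back after a successful check:
        // a hash whose marker byte is no longer 0x00.
        string rewritten = v3.HashPassword(user, password);
        Console.WriteLine($"rewritten format: {FormatOf(rewritten)}");
    }
}
```

Pinning IdentityV2 in the new application keeps every stored hash on PBKDF2-HMAC-SHA1 with 1000 iterations, so it is a compatibility setting to hold only while the old application still reads the same user store.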


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.
