Authentication and passwords

For general questions and discussions specific to the AbleCommerce 7.0 Asp.Net product.
jason2
Ensign (ENS)
Posts: 10
Joined: Thu May 23, 2013 9:09 am

Authentication and passwords

Post by jason2 » Thu May 23, 2013 11:48 am

I'm building an external web service for an AC7 site so that it can be managed from an iPad. The only hangup I'm having is if I want to authenticate though the service using the usernames and passwords that are in the AC7 site database. From reading other posts, it seems as though passwords are a sha1 hash of pw + salt which is then encoded as base64. How does AC7 determine and store the salt in order to recompute password hashes when a user logs in?

In other words, if I have a password of jason to send in to my web service, how can I determine which salt value to use so that I can hash the result, encode it, and then compare to the password stored in the AC site database?

AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: Authentication and passwords

Post by AbleMods » Thu May 23, 2013 2:20 pm

You don't have to Jason. Able can do it for you.

The User class has a method that validates a string value against the current password for the user:

Code:

User _User = UserDataSource.LoadForEmail("foo@foo.com");
// LoadForEmail returns null when no account has that e-mail, so guard before calling CheckPassword
if (_User != null && _User.CheckPassword("stringpassword"))
{
    // password matched
}
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

jason2
Ensign (ENS)
Posts: 10
Joined: Thu May 23, 2013 9:09 am

Re: Authentication and passwords

Post by jason2 » Thu May 23, 2013 2:40 pm

Well the thing is: this isn't a .net web service. So no classes. I am querying the database directly.

AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: Authentication and passwords

Post by AbleMods » Thu May 23, 2013 2:55 pm

The encryption used by Able is machine-specific and generated by ASP.Net. It cannot be decrypted outside of ASP.Net.

Otherwise, it wouldn't be much of a security feature.

jason2
Ensign (ENS)
Posts: 10
Joined: Thu May 23, 2013 9:09 am

Re: Authentication and passwords

Post by jason2 » Thu May 23, 2013 7:07 pm

So, is it just using the machinekey as the salt?

I can always add columns to the table to extend and do my own auth - just thought it would be easier to use what is already there.

AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: Authentication and passwords

Post by AbleMods » Thu May 23, 2013 7:30 pm

Able implements a custom version of the ASP.Net security provider. It uses a combination of application-generated key and machine-specific key.

jason2
Ensign (ENS)
Posts: 10
Joined: Thu May 23, 2013 9:09 am

Re: Authentication and passwords

Post by jason2 » Fri May 24, 2013 6:23 pm

Ok, I guess I'll have to roll my own then. Are there any plans to add any sort of API/web services functionality? Other shopping cart solutions have had this for a while now.

Not having the source code, I can only hope that Able does not use the same salt for every user account.

ForumsAdmin
AbleCommerce Moderator
Posts: 399
Joined: Wed Mar 13, 2013 7:19 am

Re: Authentication and passwords

Post by ForumsAdmin » Mon May 27, 2013 3:52 am

I don't know what you are looking for, but the standard approach would be what Joe explained above. If you are accessing the database directly, outside .NET, then it will be up to you to implement the same authentication. If you want to make use of AC built-in functionality you can simply add a handler and implement the above code in it.

If you have an AuthenticateACUser.ashx file accessible at
https://www.mystore.com/AuthenticateACUser.ashx

you can send the user name and password either as query parameters or as form parameters.
https://www.mystore.com/AuthenticateACU ... encoded_pw]

You will retrieve the user name and password in your handler and use the above code as described by Joe.

Code:

string userName = "xxxx"; // retrieved from query parameter or form parameter
string password = "xxxx"; // retrieved from query parameter or form parameter

User _User = UserDataSource.LoadForEmail(userName);
if (_User == null)
{
    // user does not exist
    return;
}

// check the submitted password, not a hard-coded literal
if (_User.CheckPassword(password))
{
    // authenticated
}
else
{
    // not authenticated
}
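The handler ForumsAdmin sketches above, written out as a complete ASHX handler. This is an added example, not code from ForumsAdmin, Joe or AbleCommerce; it relies only on the `UserDataSource.LoadForEmail` and `User.CheckPassword` calls shown in this thread. The `CommerceBuilder.Users` namespace, the handler class name and the `username`/`password` form field names are assumptions. It takes credentials from the POST body rather than the query string, because query strings are written to IIS, proxy and browser-history logs, and it returns the same response for an unknown e-mail and a wrong password so the endpoint does not confirm which accounts exist.

```csharp
// Added example, not AbleCommerce's own code. Assumes the AC7 assemblies are
// referenced and that User/UserDataSource live in CommerceBuilder.Users (assumption).
using System;
using System.Web;
using CommerceBuilder.Users;

public class AuthenticateACUser : IHttpHandler
{
    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        // Accept credentials only from a POST body, never from the query string:
        // query strings end up in web-server logs, proxy logs and browser history.
        if (!string.Equals(context.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = 405; // Method Not Allowed
            return;
        }

        // Field names "username" and "password" are an assumption for this example.
        string userName = context.Request.Form["username"];
        string password = context.Request.Form["password"];

        bool authenticated = Authenticate(userName, password);

        context.Response.ContentType = "text/plain";
        // One response for "no such user" and "wrong password", so the endpoint
        // cannot be used to enumerate which e-mail addresses have accounts.
        context.Response.StatusCode = authenticated ? 200 : 401;
        context.Response.Write(authenticated ? "OK" : "DENIED");
    }

    // Returns true only when the account exists and AC7's own CheckPassword verifies the password.
    public static bool Authenticate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return false;

        User user = UserDataSource.LoadForEmail(userName);
        if (user == null)
            return false; // unknown e-mail; caller sees the same result as a bad password

        return user.CheckPassword(password);
    }
}
```

Saved as AuthenticateACUser.ashx in the store's web root, the file needs the usual `<%@ WebHandler Language="C#" Class="AuthenticateACUser" %>` directive as its first line; the iPad client then POSTs the two form fields over HTTPS and treats anything other than a 200 as a failed login.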
