Authentication and passwords
I'm building an external web service for an AC7 site so that it can be managed from an iPad. The only hang-up I'm having is if I want to authenticate through the service using the usernames and passwords that are in the AC7 site database. From reading other posts, it seems as though passwords are a SHA1 hash of pw + salt which is then encoded as base64. How does AC7 determine and store the salt in order to recompute password hashes when a user logs in?
In other words, if I have a password of jason to send in to my web service, how can I determine which salt value to use so that I can hash the result, encode it, and then compare to the password stored in the AC site database?
Re: Authentication and passwords
You don't have to, Jason. Able can do it for you.
The User class has a method that validates a string value against the current password for the user:
Code:
// LoadForEmail returns null when no account has that e-mail, so guard before calling CheckPassword
User _User = UserDataSource.LoadForEmail("foo@foo.com");
if (_User != null && _User.CheckPassword("stringpassword"))
{
    // password matched
}
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
Re: Authentication and passwords
Well the thing is: this isn't a .net web service. So no classes. I am querying the database directly.
Re: Authentication and passwords
The encryption used by Able is machine-specific and generated by ASP.Net. It cannot be decrypted outside of ASP.Net.
Otherwise, it wouldn't be much of a security feature.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
Re: Authentication and passwords
So, is it just using the machinekey as the salt?
I can always add columns to the table to extend and do my own auth - just thought it would be easier to use what is already there.
Re: Authentication and passwords
Able implements a custom version of the ASP.Net security provider. It uses a combination of application-generated key and machine-specific key.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
Re: Authentication and passwords
Ok, I guess I'll have to roll my own then. Are there any plans to add any sort of API/web services functionality? Other shopping cart solutions have had this for a while now.
Not having the source code, I can only hope that Able does not use the same salt for every user account.
- ForumsAdmin
- AbleCommerce Moderator
Re: Authentication and passwords
I don't know what you are looking for, but the standard approach would be what Joe explained above. If you are accessing the database directly, outside .NET, then it will be up to you to implement the same authentication. If you want to make use of AC built-in functionality you can simply add a handler and implement the above code in it.
If you have an AuthenticateACUser.ashx file accessible at
https://www.mystore.com/AuthenticateACUser.ashx
you can send the user name and password either as query parameters or as form parameters.
https://www.mystore.com/AuthenticateACU ... encoded_pw]
You will retrieve the user name and password in your handler and use the above code as described by Joe.
Code:
string userName = "xxxx"; // retrieved from query parameter or form parameter
string password = "xxxx"; // retrieved from query parameter or form parameter
User _User = UserDataSource.LoadForEmail(userName);
if (_User == null)
{
    // user does not exist
    return;
}
// compare the submitted password, not a literal, against the stored hash
if (_User.CheckPassword(password))
{
    // authenticated
}
else
{
    // not authenticated
}
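One way to wrap the check above in the .ashx handler this post describes, as an added example that is not from the thread or from AbleCommerce itself: it assumes User and UserDataSource live in the CommerceBuilder.Users namespace and that the external client sends username and password as POST form fields.

```csharp
<%@ WebHandler Language="C#" Class="AuthenticateACUser" %>

using System.Web;
using CommerceBuilder.Users;   // assumed namespace for User and UserDataSource

// AuthenticateACUser.ashx: validates a user name and password against the
// AC7 store database by calling User.CheckPassword, as described above.
public class AuthenticateACUser : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;
        response.ContentType = "text/plain";

        // Accept credentials only as POST form fields over HTTPS: a password
        // placed in a query string ends up in web server and proxy logs.
        if (!request.IsSecureConnection || request.HttpMethod != "POST")
        {
            response.StatusCode = 400;
            response.Write("POST over HTTPS required");
            return;
        }

        string userName = request.Form["username"];
        string password = request.Form["password"];
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
        {
            response.StatusCode = 400;
            response.Write("username and password are required");
            return;
        }

        // Unknown user and wrong password get the same response, so the
        // endpoint does not reveal which e-mail addresses have accounts.
        User user = UserDataSource.LoadForEmail(userName);
        bool authenticated = (user != null) && user.CheckPassword(password);
        if (!authenticated)
        {
            response.StatusCode = 401;
            response.Write("authentication failed");
            return;
        }

        response.StatusCode = 200;
        response.Write("OK");
    }
}
```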