Q
Problem solve Get help with specific problems with your technologies, process and projects.

Migrating users and passwords to ASP.NET 2.0

Password migration to ASP.NET 2.0 can be a difficult undertaking. Expert Dan Cornell explains how to manage user migration from ASP.NET 1.1 to 2.0.

I have been reading about how to share authentication tickets etc but I cannot find anything on what I consider to be a basic question.

We are replacing a 1.1 app with a 2.0 ASP.NET application. The original used forms authentication and the new app is using forms authentication from 2.0. Is there any way we can migrate the users and their passwords across to the new version/tables without having them having to reset all their passwords? Should I make it clear I wish to drop the old application eventually so sharing is not required?

That will depend on how you have user information stored in your ASP.NET 1.1 member database. You can programmatically...

access the membership providers that are used to support the ASP.NET 2.0 membership and authentication controls. Therefore, it should be possible to write a script that would access your ASP.NET 1.1 user data store, retrieve the users and migrate their information to the ASP.NET 2.0 data store using methods such as CreateUser(). You could probably reverse engineer the table structure of the ASP.NET 2.0 membership data store, but you are better off using the provider methods to help ensure that the new ASP.NET 2.0 users are properly set up.

If you have hashed the passwords in the ASP.NET 1.1. user data store such that they are unrecoverable, then you have a more challenging migration situation. In order to move the users into the new ASP.NET 2.0 data store you could assign all users a new password and email them their new login information. This is not a terribly attractive approach because emails are unencrypted and subject to interception and other eavesdropping. Also, given the rise of phishing attacks savvy users are likely to be spooked by these suspicious-looking emails.

If you have stored password recovery questions and answers for your ASP.NET 1.1 users, you could migrate the users as mentioned above, giving them random, unknown passwords. When the user tries to log in to your application again they could present the answer to the password recovery question and re-set their password for use on the new system. This is a somewhat awkward approach that could be improved with the appropriate warnings in the login page to help coach existing users through their first login to the new system.

More information:
This was last published in February 2007

Dig Deeper on Building security into the SDLC (Software development life cycle)

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

-ADS BY GOOGLE

SearchMicroservices

TheServerSide.com

SearchCloudApplications

SearchAWS

SearchBusinessAnalytics

SearchFinancialApplications

SearchHealthIT

DevOpsAgenda

Close