Home > Ask the Software Quality Experts > Application Security Questions & Answers > Migrating users and passwords to ASP.NET 2.0
Ask The Software Quality Expert: Questions & Answers
EMAIL THIS

Migrating users and passwords to ASP.NET 2.0

Dan Cornell EXPERT RESPONSE FROM: Dan Cornell

Pose a Question
Other Software Quality Categories
Meet all Software Quality Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 08 February 2007
I have been reading about how to share authentication tickets etc but I cannot find anything on what I consider to be a basic question.

We are replacing a 1.1 app with a 2.0 ASP.NET application. The original used forms authentication and the new app is using forms authentication from 2.0. Is there any way we can migrate the users and their passwords across to the new version/tables without having them having to reset all their passwords? Should I make it clear I wish to drop the old application eventually so sharing is not required?

>
EXPERT RESPONSE

That will depend on how you have user information stored in your ASP.NET 1.1 member database. You can programmatically access the membership providers that are used to support the ASP.NET 2.0 membership and authentication controls. Therefore, it should be possible to write a script that would access your ASP.NET 1.1 user data store, retrieve the users and migrate their information to the ASP.NET 2.0 data store using methods such as CreateUser(). You could probably reverse engineer the table structure of the ASP.NET 2.0 membership data store, but you are better off using the provider methods to help ensure that the new ASP.NET 2.0 users are properly set up.

If you have hashed the passwords in the ASP.NET 1.1. user data store such that they are unrecoverable, then you have a more challenging migration situation. In order to move the users into the new ASP.NET 2.0 data store you could assign all users a new password and email them their new login information. This is not a terribly attractive approach because emails are unencrypted and subject to interception and other eavesdropping. Also, given the rise of phishing attacks savvy users are likely to be spooked by these suspicious-looking emails.

If you have stored password recovery questions and answers for your ASP.NET 1.1 users, you could migrate the users as mentioned above, giving them random, unknown passwords. When the user tries to log in to your application again they could present the answer to the password recovery question and re-set their password for use on the new system. This is a somewhat awkward approach that could be improved with the appropriate warnings in the login page to help coach existing users through their first login to the new system.

More information:


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


RELATED CONTENT
Building security into the SDLC (Software development life cycle)
Web application security and the PCI DSS
PCI DSS compliance: Web application firewalls (WAFs)
PCI DSS compliance: The basics
PCI DSS compliance: Code review
PCI DSS compliance: WAF, code review or both?
Application security careers have bright future
Writing software requirements that address security issues
Software Security Engineering: A Guide for Project Managers -- Chapter 3, Requirements Engineering for Secure Software
PCI DSS compliance: Web application firewall or code review?
Application security enters uncharted regions

Application Security
PCI DSS compliance: WAF, code review or both?
Application security careers have bright future
How to prevent anti-DNS pinning attacks
Open source application security testing tools
Java application security features and measures
Web application security testing basics
Password recovery with .NET 2.O using C#
Free load and performance testing tools
The most effective time to do security testing
Finding backdoor threats within applications

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary



Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
Browse our Expert Advice

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2006 - 2008, TechTarget | Read our Privacy Policy
  TechTarget - The IT Media ROI Experts