Problem solve Get help with specific problems with your technologies, process and projects.

Migrating users and passwords to ASP.NET 2.0

Password migration to ASP.NET 2.0 can be a difficult undertaking. Expert Dan Cornell explains how to manage user migration from ASP.NET 1.1 to 2.0.

I have been reading about how to share authentication tickets etc but I cannot find anything on what I consider to be a basic question.

We are replacing a 1.1 app with a 2.0 ASP.NET application. The original used forms authentication and the new app is using forms authentication from 2.0. Is there any way we can migrate the users and their passwords across to the new version/tables without having them having to reset all their passwords? Should I make it clear I wish to drop the old application eventually so sharing is not required?

That will depend on how you have user information stored in your ASP.NET 1.1 member database. You can programmatically access the membership providers that are used to support the ASP.NET 2.0 membership and authentication controls. Therefore, it should be possible to write a script that would access your ASP.NET 1.1 user data store, retrieve the users and migrate their information to the ASP.NET 2.0 data store using methods such as CreateUser(). You could probably reverse engineer the table structure of the ASP.NET 2.0 membership data store, but you are better off using the provider methods to help ensure that the new ASP.NET 2.0 users are properly set up.

If you have hashed the passwords in the ASP.NET 1.1. user data store such that they are unrecoverable, then you have a more challenging migration situation. In order to move the users into the new ASP.NET 2.0 data store you could assign all users a new password and email them their new login information. This is not a terribly attractive approach because emails are unencrypted and subject to interception and other eavesdropping. Also, given the rise of phishing attacks savvy users are likely to be spooked by these suspicious-looking emails.

If you have stored password recovery questions and answers for your ASP.NET 1.1 users, you could migrate the users as mentioned above, giving them random, unknown passwords. When the user tries to log in to your application again they could present the answer to the password recovery question and re-set their password for use on the new system. This is a somewhat awkward approach that could be improved with the appropriate warnings in the login page to help coach existing users through their first login to the new system.

More information:

Dig Deeper on Topics Archive

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.