0

I am trying to start up an ASP.NET website with MongoDB. The starting ASP.NET project implements a user authorization schema with a connection string to a sql database.

I have a website working with Mongo DB to work off of...but that website seems to have implemented the automatically generated user login system, and somehow changed settings so that the user login data is deposited to the Mongo database instead. Rather than trust Microsoft to handle everything, I would like to build a user login system based on my own libraries (with the end goal being to handle as much as possible in F#).

I am trying to figure out how the user authorization code puts the user information into the database. It seems to be a black box. The code, 

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Register(RegisterViewModel model)
{
    if (ModelState.IsValid)
    {
        var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
        var result = await UserManager.CreateAsync(user, model.Password);

more specifically, 

var result = await UserManager.CreateAsync(user,model.Password);

yields a function specified in metadata upon inspection.

Am I just supposed to copy the settings from the working website I have until it automagically works, or is there a way to manually reproduce the user login system? Is it impossible to reverse engineer the process from the generated code? Is there a tutorial or guide to best practices for creating a secure user login system from scratch?

Improve this question

1 Answer 1

Reset to default
1

This is one of those things that is usually best left to a tried and proven library. However, this could be a fun little project. The typical high-level description of a secure user login is along the lines of: Generate a random salt, append it to the user's input, run the result of that through a secure hash algorithm (e.g. SHA-256) and store both the salt and the hashed result. Checking a login then becomes: Retrieve the salt and the hash from the database, append salt to the user's input, hash that result, compare to the result from the database. However, beware of timing attacks. Some comparison algorithms stop running once they encounter a mismatch. A "secure" comparer should always take the same amount of time to run, regardless of how close the inputs are.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.