So, I'm building a site that needs to access a database which was created originally for asp.net. I want to use the same username and password as the asp.net site used, which is already in the database. The developer mentioned that the default authentication was used in asp.net.

Example Password from the database: sYWPXNvJlVNs8EVZvIQOSaWfQ4I=

Example PasswordSalt from the database: ruNTdhelY57ghQsTFz/TIg==

Here is what I have tried:

<cfquery name="auth" datasource="ct">
SELECT userid, Password, PasswordSalt from dbo.aspnet_Membership
WHERE userid = '#auth1.userid#'
</cfquery>

<cfset cfHash = toBase64(hash(auth.PasswordSalt & cookie.password, "SHA1"))>

<cfif cfHash eq auth.Password> ...then authenticate etc.

I've tried a few iterations of this, but no go, the resulting cfHash ends up too long, like this:

OUJBOUJENjI0MzEzNjM3M0EwQjk3Nzc3ODIzNUVGMkJCODczOEI0Qg==

Any ideas?

  • Something like this came up about 3 months ago tagged coldfusion. Check the ASP security settings to see which scheme was used. There's an encryption and a hashing implementation I think. Commented Nov 9, 2012 at 17:41
  • I lied, it wasn't tagged coldfusion at all, but it was in my activity feed: stackoverflow.com/questions/2547397/… Commented Nov 9, 2012 at 17:43
  • Yeah, I've seen that code, and was trying to replicate in coldfusion, to no avail... Commented Nov 9, 2012 at 17:56
  • ASP is using the hash method, instead of encryption... Commented Nov 9, 2012 at 17:57
  • This thread might be what you are after. Commented Nov 9, 2012 at 18:00

1 Answer

(Edit: Original answer did not work in all cases. Substantially revised ...)

This thread might be what you are after. In summary, the two key differences are:


<cfscript>
    thePassword = "password12345";
    base64Salt = "l+g9MUcs+cLExeDTNy8M+A==";
    // extract bytes of the salt and password
    saltBytes = binaryDecode(base64Salt, "base64");
    passBytes = charsetDecode(thePassword, "UTF-16LE" );

    // next combine the bytes. note, the returned arrays are immutable, 
    // so we cannot use the standard CF tricks to merge them    
    ArrayUtils = createObject("java", "org.apache.commons.lang.ArrayUtils");
    dataBytes = ArrayUtils.addAll( saltBytes, passBytes );

    // hash binary using java
    MessageDigest = createObject("java", "java.security.MessageDigest").getInstance("SHA-1");
    MessageDigest.update(dataBytes);    
    theBase64Hash = binaryEncode(MessageDigest.digest(), "base64");

    WriteOutput("theBase64Hash= "& theBase64Hash &"<br/>");
</cfscript>
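
A cross-check of the scheme in the answer above, added here as an example in Python (not code from the original answer or from ASP.NET): it recomputes Base64(SHA-1(salt bytes + UTF-16LE password bytes)), verifies in constant time, and shows why the question's attempt produced a 56-character value. The function names are hypothetical, and the string encoding used in `naive_hex_then_base64` (UTF-8) is an assumption about the ColdFusion default.

```python
import base64
import hashlib
import hmac


def aspnet_membership_hash(password: str, base64_salt: str) -> str:
    """Base64( SHA-1( salt_bytes || UTF-16LE(password) ) ), as in the answer's CFML."""
    salt = base64.b64decode(base64_salt, validate=True)
    digest = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_password(password: str, base64_salt: str, stored_hash: str) -> bool:
    """Compare raw digests in constant time; reject malformed stored values."""
    try:
        expected = base64.b64decode(stored_hash, validate=True)
        candidate = base64.b64decode(aspnet_membership_hash(password, base64_salt))
    except (ValueError, TypeError):
        return False
    return len(expected) == 20 and hmac.compare_digest(candidate, expected)


def naive_hex_then_base64(password: str, base64_salt: str) -> str:
    """The question's attempt: hash the two *strings*, then Base64 the hex text."""
    # Assumption: the concatenated string is hashed as UTF-8 text.
    hex_text = hashlib.sha1((base64_salt + password).encode("utf-8")).hexdigest().upper()
    return base64.b64encode(hex_text.encode("ascii")).decode("ascii")


def describe_stored_value(value: str) -> str:
    """Classify a Base64 value: raw SHA-1 digest, Base64 of hex text, or other."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) == 20:
        return "raw-sha1"
    if len(raw) == 40 and all(c in b"0123456789ABCDEFabcdef" for c in raw):
        return "base64-of-hex"
    return "other"


if __name__ == "__main__":
    salt = "l+g9MUcs+cLExeDTNy8M+A=="  # salt from the answer's CFML
    h = aspnet_membership_hash("password12345", salt)
    print(h, verify_password("password12345", salt, h))
    print(describe_stored_value("sYWPXNvJlVNs8EVZvIQOSaWfQ4I="))  # from the question
    print(describe_stored_value(
        "OUJBOUJENjI0MzEzNjM3M0EwQjk3Nzc3ODIzNUVGMkJCODczOEI0Qg=="))  # question's cfHash
```

The stored `Password` from the question classifies as a raw 20-byte digest, while the question's `cfHash` decodes to 40 hex characters, which is why it came out twice as long.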