Entity Framework - User identity as entity

  • Question

  • Hi

    I am designing the user as an entity, but I realized there might be some security concerns.

    The entity class is as follows:


    	using System.ComponentModel.DataAnnotations.Schema; // NotMapped (EF 4.1-4.3 define it in System.ComponentModel.DataAnnotations instead)
    	using System.Diagnostics;

    	public class UserIdentity
    	{
    		public string Name { get; set; }
    		public string Username { get; set; }

    		// TODO: security alert - user's password/hash would exist in memory snapshot for extended amount of time
    		// The plaintext sits in this property until PasswordHash is first read, i.e. as long as the entity lives.
    		[NotMapped]
    		public string Password { get; set; }

    		string m_pwhash;
    		public string PasswordHash
    		{
    			get
    			{
    				// Exactly one of plaintext or hash is expected to be present at any time.
    				Debug.Assert(Password == null ^ m_pwhash == null);

    				if (m_pwhash == null)
    				{
    					// Algorithms.Hash is the poster's own helper (not shown): hash lazily, then drop the plaintext.
    					m_pwhash = Algorithms.Hash(Password);
    					Password = null;
    				}

    				return m_pwhash;
    			}
    			set
    			{
    				// A hash loaded from the database must not coexist with a pending plaintext.
    				Debug.Assert(Password == null);
    				m_pwhash = value;
    			}
    		}
    	}



    If I recall correctly, this is dangerous because the user's password or hash can exist in a memory dump. I thought it might be safer if the password hash field could be persisted as the password field is being set, letting the password go out of scope right away. The same with retrieving the hash field. I want to have a "GetPasswordHash()" method that explicitly queries the database and forgets about it right away. (Ideally the caller would not hang on to this variable long enough for this operation to be dangerous.)

    So, is there a way for me to do what I want to achieve here? (P.S. I looked into the Membership framework; it has its own problem. It is a static class and it requires its own connection string, which makes it virtually impossible for me to pool connections even if I write my own MembershipProvider over EF. I prefer to implement as much of my solution in EF as possible.)


    • Edited by Xusword Wednesday, December 21, 2011 8:10 PM
    Wednesday, December 21, 2011 8:09 PM

Answers

  • Hi Xusword,

    I'm not very sure about your question. There is no need to store or retrieve the user's password. When a user logs in, we just need to check whether the name and password match and remember the UserId, which we often store in Session.

    // Looks the user up by name and stored password column; true when a matching row exists.
    bool login = db.Users.FirstOrDefault(u => u.Name == loginname && u.Password == loginpassword) != null;

    BTW, storing the hash value for the password is a good way.

    Have a nice day.


    Alan Chen[MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    • Marked as answer by Xusword Thursday, December 29, 2011 6:08 PM
    Monday, December 26, 2011 1:29 PM
    Moderator

All replies

  • Hi Xusword,

    Welcome to MSDN Forum.

    I'm doing research on the issue. It may need some time; I'll come back as soon as possible.

    Best Regards



    Allen Li [MSFT]
    MSDN Community Support | Feedback to us
    Sunday, December 25, 2011 12:39 PM
    Moderator
  • Yes, I am aware that the password should not be saved in the object.

    However, what I am trying to achieve is that when the user is created, we can do something like the following:

    UserIdentity newUser = new UserIdentity()
    {
        Name = "Homer Simpson",
        Username = "hsimpson",
        Password = "iamsosmart"
    };

    // Assumes a DbContext with a DbSet<UserIdentity> named Users (EF 4.1+ DbContext API).
    context.Users.Add(newUser);
    context.SaveChanges();

    I was confused before, but now I realize I should not have the password property on this object at all. There should be a PasswordHash property and a SetPassword() method instead.

    Thanks for both your replies.

    Thursday, December 29, 2011 6:20 PM
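The design the thread ends on, a UserIdentity with no Password property, a persisted PasswordHash plus SetPassword() and VerifyPassword() methods, and the login check from the accepted answer done against that hash, as an added example that is not code from either poster or from Entity Framework itself. It assumes the EF Code First DbContext API (EntityFramework package) with a hypothetical IdentityContext exposing a Users DbSet and a connection string configured elsewhere, and it uses PBKDF2 via Rfc2898DeriveBytes (SHA-1 based on .NET Framework) with a random per-user salt in place of the poster's unspecified Algorithms.Hash; the iteration count is illustrative.

```csharp
using System;
using System.Data.Entity;              // DbContext / DbSet from the EntityFramework package (assumed)
using System.Linq;
using System.Security.Cryptography;

public class UserIdentity
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Username { get; set; }

    // Only the derived key and the parameters needed to re-derive it are mapped.
    // There is deliberately no Password property, so no plaintext lives on the entity.
    public byte[] PasswordSalt { get; set; }
    public byte[] PasswordHash { get; set; }
    public int PasswordIterations { get; set; }

    const int SaltSize = 16;
    const int HashSize = 32;
    const int DefaultIterations = 100000;   // illustrative; tune to your hardware

    // Derives a fresh salted PBKDF2 hash from the plaintext and keeps nothing else.
    public void SetPassword(string password)
    {
        if (string.IsNullOrEmpty(password))
            throw new ArgumentException("password must not be empty", "password");

        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);

        PasswordSalt = salt;
        PasswordIterations = DefaultIterations;
        PasswordHash = Derive(password, salt, DefaultIterations);
    }

    // Re-derives with the stored salt and iteration count and compares in fixed time.
    public bool VerifyPassword(string password)
    {
        if (password == null || PasswordHash == null || PasswordSalt == null)
            return false;

        var candidate = Derive(password, PasswordSalt, PasswordIterations);
        return FixedTimeEquals(candidate, PasswordHash);
    }

    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(HashSize);
    }

    // Avoids the early-exit comparison of SequenceEqual, which leaks how many leading bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Hypothetical context; EF Code First maps byte[] properties to varbinary columns.
public class IdentityContext : DbContext
{
    public DbSet<UserIdentity> Users { get; set; }
}

public static class Accounts
{
    // Creation path from the follow-up post: the plaintext is hashed before the entity is tracked.
    public static UserIdentity Create(IdentityContext db, string name, string username, string password)
    {
        var user = new UserIdentity { Name = name, Username = username };
        user.SetPassword(password);
        db.Users.Add(user);
        db.SaveChanges();
        return user;
    }

    // Login path from the accepted answer, rewritten for hashed storage: the query selects by
    // username only, so the password never travels to the database; verification happens in memory.
    public static UserIdentity Authenticate(IdentityContext db, string username, string password)
    {
        var user = db.Users.FirstOrDefault(u => u.Username == username);
        if (user == null) return null;
        return user.VerifyPassword(password) ? user : null;
    }
}
```

A managed string cannot be zeroed, so the most this design can promise is that the plaintext is never stored in a field: SetPassword derives the hash immediately and the caller's local goes out of scope. Two caveats for production use: Authenticate returns faster for an unknown username than for a wrong password (run a dummy Derive on the miss if username enumeration matters), and when the iteration count is raised later, VerifyPassword still honours the stored per-row count, so existing hashes can be upgraded on the next successful login.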