MonoX support board


the default Admin user can be locked out (Mono Support)

Viewed 19725 time(s), 5 post(s)

geobirbilis
7/25/2012 6:03:10 PM
I tried to log in at a MonoX installation as admin and I entered wrong pwd several times and now it tells me the account is locked!

1) I'd expect the admin account to not be lockable like that (this can be exploited)
2) How can I edit the db or visit some MonoX installation webpage accessible only from the console (locally) to unlock the admin? Or is there another, easier way?
3) If the password is totally forgotten, is there a way to make the pwd blank (or change it) from the db?
denis

7/26/2012 10:31:39 AM
Hi George,
Our usual strategy is to change the name of the admin account, which makes it more difficult to exploit this feature. You can reset the locking status by switching the value of the IsLockedOut field in the aspnet_Membership table for that particular user. There are several properties in the membership provider that control this behavior, and you can change them in the web.config file; the most important one would be "maxInvalidPasswordAttempts".
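The reset that denis describes, worked through as an added T-SQL example (this is not code from the thread or from MonoX). It assumes SQL Server 2008 or later, the standard ASP.NET membership schema (dbo.aspnet_Membership, dbo.aspnet_Users, dbo.aspnet_Applications) and the application name "MonoX" from the web.config fragment posted later in the thread; the user name "admin" is a placeholder for whatever the (ideally renamed) administrator account is called.

```sql
-- Added example, not part of the MonoX thread or product.
-- Assumptions: SQL Server 2008+, default dbo.aspnet_* membership tables,
-- application name "MonoX" (from the web.config posted below).

DECLARE @ApplicationName nvarchar(256) = N'MonoX';
DECLARE @UserName        nvarchar(256) = N'admin';   -- placeholder: the admin account's actual name

-- 1. Look before changing anything: who is locked out, since when, and how many
--    failed attempts got them there. Also a useful periodic check for guessing activity.
SELECT u.UserName,
       m.IsLockedOut,
       m.LastLockoutDate,
       m.FailedPasswordAttemptCount,
       m.FailedPasswordAttemptWindowStart,
       m.LastLoginDate
FROM   dbo.aspnet_Membership   AS m
JOIN   dbo.aspnet_Users        AS u ON u.UserId        = m.UserId
JOIN   dbo.aspnet_Applications AS a ON a.ApplicationId = m.ApplicationId
WHERE  a.LoweredApplicationName = LOWER(@ApplicationName)
  AND  m.IsLockedOut = 1;

-- 2. Unlock one account. Flipping IsLockedOut alone (as the answer above says) works,
--    but zeroing the failed-attempt counters as well avoids an immediate re-lock on the
--    next wrong password; this mirrors what the provider's own UnlockUser() does.
--    1754-01-01 is the "unset" window-start value the ASP.NET stored procedures use.
BEGIN TRANSACTION;

UPDATE m
SET    m.IsLockedOut                            = 0,
       m.FailedPasswordAttemptCount             = 0,
       m.FailedPasswordAttemptWindowStart       = CONVERT(datetime, '17540101', 112),
       m.FailedPasswordAnswerAttemptCount       = 0,
       m.FailedPasswordAnswerAttemptWindowStart = CONVERT(datetime, '17540101', 112)
FROM   dbo.aspnet_Membership   AS m
JOIN   dbo.aspnet_Users        AS u ON u.UserId        = m.UserId
JOIN   dbo.aspnet_Applications AS a ON a.ApplicationId = m.ApplicationId
WHERE  a.LoweredApplicationName = LOWER(@ApplicationName)
  AND  u.LoweredUserName        = LOWER(@UserName);

-- Exactly one row should be touched; anything else means the names are wrong.
IF @@ROWCOUNT = 1
    COMMIT TRANSACTION;
ELSE
    ROLLBACK TRANSACTION;
```

The same effect is available through the provider's own stored procedure, `EXEC dbo.aspnet_Membership_UnlockUser @ApplicationName = N'MonoX', @UserName = N'admin';`, which is preferable where it exists because it stays in step with the provider's expectations. The lockout itself is the provider's brake on password guessing, so the better response to the thread's concern is the one denis gives (a non-default administrator name) plus keeping an eye on FailedPasswordAttemptCount and LastLockoutDate, rather than raising maxInvalidPasswordAttempts for the admin account.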
geobirbilis

7/27/2012 10:01:53 AM
Suppose the admin password for the portal has been forgotten, how can it be reset from the DB or other tool?
geobirbilis

7/27/2012 10:12:27 AM
btw, how come the user password is unhashed (plain text) in the dbo.aspnet_Membership table? (the respective username is in dbo.aspnet_Users)
Is it some ASP.net setting?
khorvat

7/27/2012 1:27:06 PM
Hi,

You should use the password recovery screen (available e.g. here). Yes, passwords are unhashed by default, and you can change that setting in web.config by changing passwordFormat in the Membership and Role provider settings.

e.g.

<membership defaultProvider="AspNetSqlMembershipProvider" hashAlgorithmType="SHA1">
  <providers>
    <remove name="AspNetSqlMembershipProvider" />
    <add connectionStringName="LocalSqlServer"
         enablePasswordRetrieval="true"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="false"
         applicationName="MonoX"
         requiresUniqueEmail="false"
         passwordFormat="Clear"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="7"
         minRequiredNonalphanumericCharacters="0"
         passwordAttemptWindow="10"
         passwordStrengthRegularExpression=""
         name="AspNetSqlMembershipProvider"
         type="MonoSoftware.MonoX.MonoXMembershipProvider, MonoX" />
    <!-- <add name="ActiveDirectoryMembershipProvider"
              type="MonoSoftware.MonoX.ActiveDirectoryMembershipProvider"
              connectionStringName="ADConnectionString"
              attributeMapUsername="sAMAccountName"
              applicationName="MonoX"
              connectionUsername="username@yourdomain"
              connectionPassword="pwd" /> -->
  </providers>
</membership>

Regards
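Two caveats go with the passwordFormat change khorvat describes, and an added T-SQL audit (not code from the thread or from MonoX) makes the second one visible. First, the stock SqlMembershipProvider refuses to initialize with passwordFormat="Hashed" while enablePasswordRetrieval="true", so that attribute has to become "false" at the same time. Second, the provider records each account's storage format in the row itself (the PasswordFormat column of aspnet_Membership), and web.config only governs passwords written from then on: accounts created while the format was "Clear" stay in clear text until their password is reset or changed. The query below assumes SQL Server, the default dbo.aspnet_* schema and the application name "MonoX" from the posted config.

```sql
-- Added example, not part of the MonoX thread or product.
-- Assumptions: SQL Server, default dbo.aspnet_* membership tables, application name "MonoX".

DECLARE @ApplicationName nvarchar(256) = N'MonoX';

-- 1. How are passwords actually stored, per account? PasswordFormat mirrors
--    System.Web.Security.MembershipPasswordFormat: 0 = Clear, 1 = Hashed, 2 = Encrypted.
--    After switching web.config to Hashed, the Clear bucket should shrink to zero over time.
SELECT CASE m.PasswordFormat
            WHEN 0 THEN 'Clear'
            WHEN 1 THEN 'Hashed'
            WHEN 2 THEN 'Encrypted'
            ELSE 'Unknown'
       END                                                  AS StorageFormat,
       COUNT(*)                                             AS Accounts,
       SUM(CASE WHEN m.IsLockedOut = 1 THEN 1 ELSE 0 END)   AS LockedOut
FROM   dbo.aspnet_Membership   AS m
JOIN   dbo.aspnet_Applications AS a ON a.ApplicationId = m.ApplicationId
WHERE  a.LoweredApplicationName = LOWER(@ApplicationName)
GROUP  BY m.PasswordFormat
ORDER  BY m.PasswordFormat;

-- 2. The accounts still held in clear text, i.e. the ones whose password must be reset
--    or changed before the migration to hashed storage is complete. Most recently active first,
--    since those are the ones worth prompting.
SELECT u.UserName,
       m.Email,
       m.LastPasswordChangedDate,
       m.LastLoginDate
FROM   dbo.aspnet_Membership   AS m
JOIN   dbo.aspnet_Users        AS u ON u.UserId        = m.UserId
JOIN   dbo.aspnet_Applications AS a ON a.ApplicationId = m.ApplicationId
WHERE  a.LoweredApplicationName = LOWER(@ApplicationName)
  AND  m.PasswordFormat = 0
ORDER  BY m.LastLoginDate DESC;
```

Run the first query before and after the config change: the "before" count tells you how many users need a forced reset, and a non-empty Clear bucket weeks later means the migration stalled rather than that the setting failed to apply. The hashAlgorithmType="SHA1" in the posted fragment is the legacy provider default; keeping it is better than clear text, but it is the weakest of the options the provider accepts.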