|
Group: Forum Members
Last Active: Wed 22 Jul 2020
Posts: 153,
Visits: 874
|
I'd like to write a routine to import massively customers (from csv file or from an SQL table, previously extracted from an ERP) in [tblKartrisUsers] table.
Giving a look to the table I found that the minimal info I should supply to an insert command are:
[U_EmailAddress],[U_Password],[U_AccountHolderName],[U_LanguageID],[U_SaltValue]
having that the rest of fields in SQL database have a default value or are not needed to let then the user access the site.
The problem are [U_Password] and [U_SaltValue] values: I don't understand how they work because it seems to me that every record in [tblKartrisUsers] table has its [U_SaltValue] as if every password has its personal decrypting key (randomly generated?).
Furthermore, even [U_SaltValue] seems encrypted itself... maybe using Hash Salt String defined in install process and stored in web.config.file?
May you summarize to me how it works the relationship between [U_Password] and [U_SaltValue] (and eventually web.config's Hash Salt String)?
And then may you suggest to me a modus operandi to reach my goal?
Thank you a lot
|
|
Group: Administrators
Last Active: Tue 10 Sep 2024
Posts: 807,
Visits: 2,748
|
Suggest as a starting point you look at the UsersBLL.vb, and in particular the _Add function
Public Shared Function _Add(ByVal U_AccountHolderName As String, ByVal U_EmailAddress As String, ByVal U_Password As String, ByVal U_LanguageID As Integer, _
ByVal U_CustomerGroupID As Integer, ByVal U_CustomerDiscount As Double, ByVal blnUserApproved As Boolean, _
ByVal blnUserAffiliate As Boolean, ByVal U_AffiliateCommission As Double, ByVal U_SupportEndDate As Date, ByVal U_Notes As String) As Integer
Try
Dim dtNull As Nullable(Of DateTime) = Nothing
Dim strRandomSalt As String = Membership.GeneratePassword(20, 0)
Return CustomerDetailsAdptr._Add(U_AccountHolderName, U_EmailAddress, EncryptSHA256Managed(U_Password, strRandomSalt), U_LanguageID, U_CustomerGroupID, U_CustomerDiscount, blnUserApproved, _
blnUserAffiliate, U_AffiliateCommission, IIf(U_SupportEndDate = Nothing Or U_SupportEndDate = "#12:00:00 AM#", dtNull, U_SupportEndDate), U_Notes, strRandomSalt)
Catch ex As Exception
ReportHandledError(ex, Reflection.MethodBase.GetCurrentMethod())
Return Nothing
End Try
End Function
This references the EncryptSHA256Managed function, from which you can see how the password in Kartris is hashed:
ConfigurationManager.AppSettings("hashsalt") & ClearString & SaltString
ConfigurationManager.AppSettings("hashsalt") is a value created when you install Kartris, and is written into an appsetting near the top of your web.config file. The SaltString is a random code up to 20 chars long created for each record. The ClearString is the cleartext password.
So if a user chooses 'mypassword123' as their password, then to get the hashed value you see in the users table we do
[hashsalt-from-user-record] & "mypassword123" & [hash-from-web-config]
Then we sha-256 this, and base64 encode the result.
For the purposes of your script to import usernames, you could use the same hashsalt for each user, but it's not a good idea, it's best to generate a random one for each user. Then you need the hashsalt value from your web.config file too, a sha-256 function and base64 function.
btw, the reason we have a global hashsalt as well as one in web.config is for additional security - the db alone doesn't contain all the information you'd need to hash a password guess, so it increases the number of attempts you'd need to make to get a hit massively. It also means if you take a Kartris db from one site and put it on another one, the password logins won't work unless you make sure the web.config hashsalt value matches.
--
If my post solves your issue, can you 'Mark as Answer' so it's easier for other users to find in future.
If you would like to be informed of new features, new releases, developments and occasional special bonuses, please sign up to our mailing list: http://bit.ly/19sKMZb
|
|
Group: Administrators
Last Active: Wed 18 Nov 2020
Posts: 148,
Visits: 3,450
|
Also, adding a hash salt for each separate password record makes brute force attacks more difficult... if we didn't do that an attacker could attack all the passwords at once. If you have thousands of user accounts his chances of breaking a few are very high, but with a separate salt per password, it means he realistically can only attack one at a time, making a brute force attack much more difficult.
|
|
Group: Forum Members
Last Active: Wed 22 Jul 2020
Posts: 153,
Visits: 874
|
Thank you a lot
I'll keep updated you on my progress!
|
|
Group: Forum Members
Last Active: Wed 22 Jul 2020
Posts: 153,
Visits: 874
|
Ok let's say I inserted a record in [tblKartrisUsers] table and now my user could already enter the site logging in.
Now I have to insert his address, etcetera in [tblKartrisAddresses] table.
In KartrisClassess.vb there's an interesting [AddUpdate] function... I think I should use this one, can you please confirm and explain me values I can assign to ADR_Type?
If I understand correctly, after insertion this function returns ADR_ID, is it right?
Thu 30 Jul 2015 by
Supermac
|
|
Group: Forum Members
Last Active: Wed 22 Jul 2020
Posts: 153,
Visits: 874
|
I could use a thing like this?
Dim idcliente = userBLL._Add(U_AccountHolderName, U_EmailAddress, U_Password, U_LanguageID, U_CustomerGroupID, U_CustomerDiscount, blnUserApproved, blnUserAffiliate, U_AffiliateCommission, U_SupportEndDate, U_Notes)
'userBLL._Add may return nothing if something goes wrong
if not isnothing(idcliente) then
'create address object with data from file
Dim addr = New KartrisClasses.Address(<name of customer>, <company>, <address>, <city>, <P.O.code>, <destination.D_ID of customer's country>, <phone>
'insert new address
Dim addrID = KartrisClasses.Address.AddUpdate(addr, idcliente, True)
end if
???
|
|
Group: Forum Members
Last Active: Wed 22 Jul 2020
Posts: 153,
Visits: 874
|
YEAH IT WORKS! :-)
Added a page to backend that loads csv file and do all job using K's classes/methods...
Now I've only to save passwords in a file (I create them randomly as clear strings and save them in a temporary table with relative customer name) and prompt it to the user, otherwise nobody will know how to access website :-)
Fri 31 Jul 2015 by
Supermac
|