I’m in the process of evaluating how my team will upgrade our product from .NET 3.5 SP1 to .NET 4. I expected the upgrade to be pretty smooth with very few, if any, upgrade issues. To my delight, the upgrade wizard said that everything upgraded without a problem. I thought I was home free, until I decided to build and run the application. A big problem was staring me in the face — I couldn’t log on.
Our product is using a custom ASP.NET Membership Provider, but essentially it’s a modified SqlMembershipProvider with some additional properties. And my login was failing during the OnAuthenticate event handler of my ASP.NET Login control, right where it was calling my provider’s ValidateUser method.
After a little digging, it turns out that the password hash that the membership provider was using to compare against the stored password hash in the membership database tables was different. I compared the password hash from the .NET 4 code line, and it was a different generated hash than my .NET 3.5 code line. (Tip — when upgrading, always keep a valid debug copy of your app handy in case you have to step through a lot of code.)
So it was a strange situation, but at least I knew what the problem was. Now the question was, “Why was it happening?”
Turns out that a breaking change in .NET 4 is that the default hash algorithm changed to SHA256. Hey, that’s great — stronger hashing algorithm. But what do I do with all the hashed passwords in my database that were created using SHA1?
Well, you can make two quick changes to your app’s web.config and everything will be OK. Basically, you need to override the default HashAlgorithmType property of your membership provider. Here are the two places to do that:
1. At the beginning of your <system.web>element, add the following <machinekey>element:
<system.web>
<machineKey validation="SHA1" />
...
</system.web>
2. On your <membership> element under <system.web>, add the following hashAlgorithmType attribute
<system.web>
<membership defaultProvider="myMembership" hashAlgorithmType="SHA1">
...
</system.web>
After that, you should be good to go! Hope this helps.