I stored salt and hash values of password during user registration... But during their login i then salt and hash the password given by the user, what happens is a new salt and a new hash is generated....
string password = collection["Password"];
reg.PasswordSalt = CreateSalt(6);
reg.PasswordHash = CreatePasswordHash(password, reg.PasswordSalt);
These statements are in both registration and login....
salt and hash during registration was eVSJE84W
and 18DE22FED8C378DB7716B0E4B6C0BA54167315A2
During login it was 4YDIeARH
and 12E3C1F4F4CFE04EA973D7C65A09A78E2D80AAC7
..... Any suggestion....
public static string CreateSalt(int size)
{
//Generate a cryptographic random number.
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
byte[] buff = new byte[size];
rng.GetBytes(buff);
// Return a Base64 string representation of the random number.
return Convert.ToBase64String(buff);
}
public static string CreatePasswordHash(string pwd, string salt)
{
string saltAndPwd = String.Concat(pwd, salt);
string hashedPwd =
FormsAuthentication.HashPasswordForStoringInConfigFile(
saltAndPwd, "sha1");
return hashedPwd;
}
Right now you are generating a different salt upon registration and login. You need to use the same salt for hashing or you will get different hashes. That is to say you need store the salt into the database along with the password and reuse it to hash when the user tries to login later.
Steps: