Import user accounts to nopCommerce DB from a different site? How?

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
8 years ago
I have a site using ASP.NET membership database tables. I want to import user accounts to nopCommerce. How do I do it?

If nopCommerce is using its own hash algorithm / encryption private key, which is not the same as the one for the ASP.NET membership tables, then how do I transfer user accounts without compromising the passwords?
8 years ago
Bump?
8 years ago
I guess it depends on how your passwords are currently stored and whether you have any way of getting them back to their plain text equivalents. Are they encrypted or hashed? I think you've got 3 basic options:

1. If you can get the passwords back to their plain text equivalents then you can hash them as part of import back to the database (I can post SQL code I've used to do it in the past).

2. If they're hashed and you can't get them back to plain text then you'd have to look at modifying the nop code to use the same hashing algorithm that you're using with your current membership provider. Then you could just import the password salts and hashes directly into the nop Customer table and they should work.

3. Just import your membership data into the nop Customer table with NULL salts and passwords. All your customers will have to go through the password reset procedure to set a new password on their account.
8 years ago
Thank you for the answer. In my case the passwords are hashed.

On my current website, from which I want to take all the user accounts, the hashAlgorithmType is set to SHA1. It is using the default ASP.NET membership, and the membership provider uses Unicode encoding. The salt is base64 encoded.

  <membership defaultProvider="AspNetSqlMembershipProvider" hashAlgorithmType="SHA1">
    <providers>
      <add connectionStringName="" enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" passwordFormat="Hashed" name="AspNetSqlMembershipProvider" />
    </providers>
  </membership>



Can you please post the SQL script anyway and point me to where the hashing algorithm is in nop and how to change it?

Any help will be appreciated.
8 years ago
pepper wrote:
Can you please post the SQL script anyway and point me to where the hashing algorithm is in nop and how to change it?

Sure. This is the SQL code that generates a pseudo-random 4-digit salt and uses it to hash a plain text password, then inserts a customer in the nop Customer table if there isn't already one using that email address. This assumes you've got a table called MyOldCustomersTable that contains both the email and plain text password, but it would need adapting to wherever the data was actually coming from:

  WITH 
  BinarySaltyUsers AS (
    SELECT NewId() AS CustomerGuid
        ,MyOldCustomersTable.Email
        ,CAST(RTRIM(MyOldCustomersTable.[Password]) AS varchar(201)) AS [Password]
        ,CONVERT(varbinary(max), CAST((ABS(CHECKSUM(NewId())) % 90000)+ 9999 AS varchar(100))) AS Salt
      FROM MyOldCustomersTable
        ),
  Base64SaltyUsers AS (
  SELECT CustomerGuid
      ,Email
      ,[Password]
      ,cast('' as xml).value('xs:base64Binary(sql:column("Salt"))', 'varchar(max)') AS PasswordSalt
    FROM BinarySaltyUsers
     ),
  PasswordUsers AS (
  SELECT CustomerGuid
      ,Email
      ,PasswordSalt
      ,[Password]
      ,UPPER(master.dbo.fn_varbintohexsubstring(0, HashBytes('SHA1', [Password]+PasswordSalt),1,0)) AS HashedPassword
    FROM Base64SaltyUsers
     )

  MERGE AshNop.dbo.Customer AS mTarget
  USING (
     SELECT CustomerGuid
       ,Email
       ,PasswordSalt
       ,[Password]
       ,HashedPassword
     FROM PasswordUsers) AS mSource
  ON (mSource.Email = mTarget.Email
    )
  WHEN NOT MATCHED BY TARGET
    THEN INSERT
         (CustomerGuid
         ,Username
         ,Email
         ,[Password]
         ,PasswordFormatId
         ,PasswordSalt
         --,AdminComment (commented out so the column list matches the VALUES list below)
         ,IsTaxExempt
         ,AffiliateId
         ,VendorId
         ,HasShoppingCartItems
         ,Active
         ,Deleted
         ,IsSystemAccount
         --,SystemName
         --,LastIpAddress
         ,CreatedOnUtc
         --,LastLoginDateUtc
         ,LastActivityDateUtc
         --,BillingAddress_Id
         --,ShippingAddress_Id
         )
    VALUES (CustomerGuid
         ,Email --Username
         ,Email
         ,HashedPassword
         ,1 --PasswordFormatId
         ,PasswordSalt --PasswordSalt
         --,AdminComment
         ,0 --<IsTaxExempt, bit,>
         ,0 --<AffiliateId, int,>
         ,0 --<VendorId, int,>
         ,0 --<HasShoppingCartItems, bit,>
         ,1 --Active
         ,0 --<Deleted, bit,>
         ,0 --<IsSystemAccount, bit,>
         --,<SystemName, nvarchar(max),>
         --,<LastIpAddress, nvarchar(max),>
         ,GETUTCDATE() --<CreatedOnUtc, datetime,>
         --,<LastLoginDateUtc, datetime,>
         ,GETUTCDATE() --<LastActivityDateUtc, datetime,>
         --,<BillingAddress_Id, int,>
         --,<ShippingAddress_Id, int,>
        )
  OUTPUT $action, inserted.*;


The nop password hashing is implemented in the CreatePasswordHash method of the EncryptionService.cs class: \src\Libraries\Nop.Services\Security\EncryptionService.cs

It looks like it concatenates the password and salt and uses SHA1 so probably not a million miles from what you've already got. Maybe you'll even get lucky and just be able to import your hashed passwords and salts straight into the Customer table.

Edit: This is all based on v3.6 so it's possible things could be slightly different on other versions, I haven't checked.
8 years ago
Thanks so much.

On my website the default ASP.NET membership is used, so this is the algorithm:

http://stackoverflow.com/questions/1137368/what-is-default-hash-algorithm-that-asp-net-membership-uses

How do I update the algorithm in NC according to this?
8 years ago
pepper wrote:
How do I update the algorithm in NC according to this?

I guess you just replace the current CreatePasswordHash with that implementation:

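        // Needs: using System; using System.Security.Cryptography; using System.Text;
        // pass = plain text password, salt = base64 salt from the membership table
        byte[] bytes = Encoding.Unicode.GetBytes(pass);            // UTF-16LE password bytes
        byte[] src = Convert.FromBase64String(salt);               // raw salt bytes
        byte[] dst = new byte[src.Length + bytes.Length];
        Buffer.BlockCopy(src, 0, dst, 0, src.Length);              // salt goes first
        Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length); // then the password
        HashAlgorithm algorithm = HashAlgorithm.Create("SHA1");
        byte[] inArray = algorithm.ComputeHash(dst);
        return Convert.ToBase64String(inArray);                    // hash is stored as base64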

Import your current emails, salts and password hashes into the Customer table and see if it lets you login. You'll need to know the password of at least one of the imported customers to test it.
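Added example, not part of the original posts and not nopCommerce code: a Python check that computes the two stored formats discussed in this thread side by side and verifies a known test password against an exported row before import. The function names and the test account are constructed for illustration; the nop format is taken from the import SQL posted above (v3.6 per the poster) and the ASP.NET format from the C# snippet above.

```python
import base64
import hashlib
import hmac

def aspnet_hash(password, salt_b64):
    # ASP.NET membership (SHA1, Hashed), per the C# snippet in the thread:
    # base64(SHA1(raw salt bytes || UTF-16LE password bytes)).
    salt = base64.b64decode(salt_b64)
    digest = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    return base64.b64encode(digest).decode("ascii")

def nop_sql_hash(password, salt):
    # Format produced by the import SQL in the thread:
    # UPPER(hex(SHA1(password + salt))) over the concatenated string.
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest().upper()

def scheme_of(stored):
    # A SHA-1 digest is 20 bytes: 40 hex characters or 28 base64 characters.
    if len(stored) == 40 and all(c in "0123456789ABCDEFabcdef" for c in stored):
        return "nop-hex"
    if len(stored) == 28:
        try:
            if len(base64.b64decode(stored, validate=True)) == 20:
                return "aspnet-base64"
        except ValueError:
            pass
    return "unknown"

def verify(password, salt, stored):
    # Recompute with the scheme the stored value's shape indicates,
    # then compare in constant time.
    scheme = scheme_of(stored)
    if scheme == "nop-hex":
        return hmac.compare_digest(nop_sql_hash(password, salt), stored.upper())
    if scheme == "aspnet-base64":
        return hmac.compare_digest(aspnet_hash(password, salt), stored)
    return False

# Constructed test account (not real data): 16-byte salt, base64 encoded.
SALT = base64.b64encode(bytes(range(16))).decode("ascii")
PASSWORD = "Test-Passw0rd!"
LEGACY_ROW = aspnet_hash(PASSWORD, SALT)  # what the old membership table stores
NOP_ROW = nop_sql_hash(PASSWORD, SALT)    # what the import SQL would store

if __name__ == "__main__":
    print(scheme_of(LEGACY_ROW), LEGACY_ROW)
    print(scheme_of(NOP_ROW), NOP_ROW)
    # Re-encoding the legacy digest as hex does not help: the hashed bytes differ.
    print("hex of legacy == nop:", base64.b64decode(LEGACY_ROW).hex().upper() == NOP_ROW)
```

The two values differ in both encoding and hashed input, so legacy rows only validate if the login code recomputes them with the membership scheme.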
8 years ago
Thanks so much, will try.
6 years ago
@petemitch

Do you happen to have the above Insert statement for 3.8?