Login fails after upgrade to ASP.net 4.0 from 3.5

Question

I cannot log in using any of the membership accounts using .net 4.0 version of the app. It fails like it's the wrong password, and FailedPasswordAttemptCount is incremented in my_aspnet_membership table. (I am using membership with mysql membership provider.)

I can create new users. They appear in the database. But I cannot log in using the new user credentials (yes, IsApproved is 1).

One clue is that the hashed passwords in the database is longer for the users created using the asp.net 4.0 version, e.g 3lwRden4e4Cm+cWVY/spa8oC3XGiKyQ2UWs5fxQ5l7g=, and the old .net 3.5 ones are all like +JQf1EcttK+3fZiFpbBANKVa92c=.

I can still log in when connecting to the same db with the .net 3.5 version, but only to the old accounts, not the new ones created with the .net 4.0 version. The 4.0 version cannot log in to any accounts.

I tried dropping the whole database on my test system, the membership tables are then auto created on first run, but it's still the same, can create users, but can't log in.

Answer 1

See: HERE

The default hashing algorithm has changed for .net 4.0. Default Hashing Algorithm Is Now HMACSHA256. Earlier versions of ASP.NET used the older HMACSHA1 algorithm.

To configure an ASP.NET 4 Web application to use the older HMACSHA1 algorithm, add the following setting to the system.web section of the Web.config file:

<machineKey validation="SHA1"/>

Answer 2

I am having the exact same problem. I have my web application in both 3.5 and 4.0 and only the "old" accounts work on the 3.5 instance.

Here's to hoping someone has an answer!

UPDATE:

I changed the passwordFormat to Clear and I was able to create a new user and log in with the 4.0 application. Looks like something has changed with the way the passwords are hashed.

UPDATE 2:

I was able to make one of the "old" accounts work. With the above change to the passwordFormat, I changed the PasswordFormat column in my_aspnet_membership to 0 and set the password manually in the same table. While this is convoluted and messy, it let the account get it. I'm going to try running password reset and see if that fixes the broken accounts.