Mala Implementacion en Forms Authentication

Primero que todo la tabla de usuarios tiene un campo contraseña que es
varchar(40), salt char(10)

El formulario de registrate hace algo como esto

Dim passwordencryptado As String = obj.CreatePasswordhash(contraseña.Text,
salt)

la funcion es

Public Shared Function CreatePasswordhash(ByVal pwd As String, ByVal salt

String) As String

Dim saltandpwd As String = String.Concat(pwd, salt)

Dim hashedpwd As String > FormsAuthentication.HashPasswordForStoringInConfigFile(saltandpwd, "SHA1")

Return hashedpwd

End Function

luego se ingresa el usuario

con esta funcion



Public Function ingresarusuarios(ByVal connstr As String, ByVal login As
String, ByVal nombrereal As String, ByVal contra As String, ByVal email As
String, ByVal ciudad As Int16, ByVal pais As Int16, ByVal sitioweb As
String, ByVal salt As String) As Int32

Dim objcargardatos As Library.datos = New Library.datos

sqlConn.ConnectionString = connstr

sqlConn.Open()

Dim mysqlcommand As SqlCommand = New SqlCommand

mysqlcommand.Connection = sqlConn

mysqlcommand.CommandText = "insertarusuario"

mysqlcommand.CommandType = CommandType.StoredProcedure

mysqlcommand.Parameters.Add("@login", SqlDbType.Char, 10)

mysqlcommand.Parameters("@login").Value = login

mysqlcommand.Parameters.Add("@nombrereal", SqlDbType.Char, 10)

mysqlcommand.Parameters("@nombrereal").Value = nombrereal

mysqlcommand.Parameters.Add("@contraseña", SqlDbType.NVarChar, 40)

mysqlcommand.Parameters("@contraseña").Value = contra

mysqlcommand.Parameters.Add("@email", SqlDbType.Char, 100)

mysqlcommand.Parameters("@email").Value = email

mysqlcommand.Parameters.Add("@ciudad", SqlDbType.Int, 4)

mysqlcommand.Parameters("@ciudad").Value = ciudad

mysqlcommand.Parameters.Add("@pais", SqlDbType.Int, 4)

mysqlcommand.Parameters("@pais").Value = pais

mysqlcommand.Parameters.Add("@sitioweb", SqlDbType.Char, 100)

mysqlcommand.Parameters("@sitioweb").Value = sitioweb

mysqlcommand.Parameters.Add("@salt", SqlDbType.Char, 10)

mysqlcommand.Parameters("@salt").Value = salt

mysqlcommand.Parameters.Add("@numero", SqlDbType.Char, 100)

mysqlcommand.Parameters("@numero").Direction = ParameterDirection.Output

'mysqlcommand.Parameters("@numero").Value = 0

mysqlcommand.ExecuteNonQuery()

Dim generico As Int32 = mysqlcommand.Parameters("@numero").Value

Return generico

End Function





la funcion se llama asi
activationcode = objcargardatos.ingresarusuarios(str, login.Text,
nombrereal.Text, passwordencryptado, email.Text, drciudades.SelectedValue,
drpaises.SelectedValue, sitioweb.Text, salt)



y eso devuelve un codigo de activacion

El codigo de la pagina de login es:



Public Shared Function CreateSalt(ByVal size As Int32) As String

Dim rng As RNGCryptoServiceProvider = New RNGCryptoServiceProvider

Dim buff(size) As Byte

rng.GetBytes(buff)

Return Convert.ToBase64String(buff)

End Function

Public Shared Function CreatePasswordhash(ByVal pwd As String, ByVal salt

String) As String

Dim saltandpwd As String = String.Concat(pwd, salt)

Dim hashedpwd As String > FormsAuthentication.HashPasswordForStoringInConfigFile(saltandpwd, "SHA1")

Return hashedpwd

End Function



Private Sub btnlogin_Click(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles btnlogin.Click

Dim passwordverified As Boolean = False

Try

passwordverified = VerifyPassword(login.Text, pass.Text)

Catch ex As Exception

lblmensaje.Text = ex.Message

End Try

If passwordverified = True Then

lblmensaje.Text = " Login exitoso·"

Else

lblmensaje.Text = "Usuario invalido"

End If





End Sub

Private Function VerifyPassword(ByVal suppliedUsername As String, ByVal
suppliedpassword As String) As Boolean

Dim passwordmatch As Boolean = False

Dim str As String = Application("connstring")

Dim sqlconnection1 As sqlconnection

sqlconnection1.ConnectionString = str

Dim mycmd As SqlCommand = New SqlCommand

mycmd.CommandText = "lookupuser"

mycmd.Connection = sqlconnection1

mycmd.Parameters.Add("@login", SqlDbType.Char, 10)

mycmd.Parameters("@login").Value = suppliedUsername

Try

sqlconnection1.Open()

Dim reader As SqlDataReader = mycmd.ExecuteReader()

reader.Read()

Dim dbPasswordHash As String = reader.GetString(0)

Dim salt As String = reader.GetString(1)

reader.Close()

Dim passwordandsalt As String = String.Concat(suppliedpassword, salt)

Dim hashedPasswordAndSalt As String > FormsAuthentication.HashPasswordForStoringInConfigFile(passwordandsalt,
"SHA1")

passwordmatch = hashedPasswordAndSalt.Equals(dbPasswordHash)

Catch ex As Exception

Throw New Exception("Exception verifying password" + ex.Message)

End Try

Return passwordmatch

End Function

+

este es el SP de lookupuser



ALTER PROCEDURE LookupUser

@login varchar(255)

AS

SELECT contraseña, salt

FROM tblusuarios

WHERE login = @login



Yo segui los pasos de:

pero lo pase a Visual Basic.net



cuando trato de logearme me aparece siempre usuario invalido. asi haya
digitado mal la contraseñla