U4-6566 - Membership provider `useLegacyEncoding` should default to `false`

Created by Sebastiaan Janssen 29 Apr 2015, 10:02:28 Updated by Stephan 15 Mar 2017, 11:37:17

Tags: Unscheduled

Currently we ship with useLegacyEncoding="true" for backwards compatibility reasons (make it easier for people to upgrade and merge their config files without having to remember not to touch this setting for an existing site).

1 Attachments

Comments

Shannon Deminick 26 Aug 2015, 10:07:51

We should also update the installer to generate a machine key that is stored in the web.config before the user is created. We could also perhaps have an 'advanced' option during the user creation to turn off machine key generation. Of course if there's already a machine key in there, it wouldn't do anything.


Shannon Deminick 31 Aug 2015, 12:19:49

Have created a PR for this in case people want to review:

https://github.com/umbraco/Umbraco-CMS/pull/783


Shannon Deminick 07 Sep 2015, 18:13:51

Postponing this until 7.4 because:

  • Until we have proper OAuth working for securing REST calls between instances for Courier, this can cause issues if not handled correctly
  • It's too late for 7.3 to include a larger change like this


Shannon Deminick 14 Mar 2017, 06:13:34

@sebastiaan are you still looking into this or do you want me to update it (i.e. pull it in and remove that machine key install step) ?


Sebastiaan Janssen 14 Mar 2017, 06:57:11

On it today! :)


Sebastiaan Janssen 14 Mar 2017, 16:10:33

PR: https://github.com/umbraco/Umbraco-CMS/pull/1796

I've also added allowManuallyChangingPassword="false" so that it's harder for an XSS attack to reset people's passwords (we still have the "reset password" checkbox on members and users to still give people the ability to change anybody's password (tested, works great, generates random password, beautiful, see screenshot)).

Other than that I've read this with great interest: https://blog.codinghorror.com/password-rules-are-bullshit/ It seems reasonable to set the minimum password length to 10 characters, especially for those people who will be able to log into the backoffice. Any objections to making the default 10 chars?

Note that this only applies to brand new installs, upgrades do not (and can't) force these new settings.
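
For readers who want to see the settings discussed in this thread side by side, the fragment below is an added illustration, not code from the issue or from the Umbraco repository. It shows a web.config membership provider entry for the backoffice users provider with the legacy defaults (useLegacyEncoding="true", 4 character minimum, manual password changes allowed) next to the hardened defaults proposed here (useLegacyEncoding="false", minRequiredPasswordLength="10", allowManuallyChangingPassword="false"). The provider type strings, the surrounding attribute list and the machineKey element are written from memory of a 7.x web.config and should be checked against your own install; the machineKey values are placeholders, not real keys, and the machineKey element itself reflects the earlier comment's proposal rather than anything confirmed to have shipped.

```xml
<!-- Added example: legacy vs hardened membership provider settings (assumed 7.x layout). -->
<system.web>

  <!-- Placeholder key material only. Generate your own and keep it out of source control.
       A fixed machineKey keeps hashes and forms-auth tickets stable across instances; see the
       earlier comment in this issue for the install-time generation that was proposed. -->
  <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS"
              decryptionKey="REPLACE_WITH_64_HEX_CHARS"
              validation="HMACSHA256"
              decryption="AES" />

  <membership defaultProvider="UmbracoMembershipProvider" userIsOnlineTimeWindow="15">
    <providers>
      <clear />

      <!-- BEFORE (legacy defaults, as shipped for backwards compatibility):
           useLegacyEncoding="true" keeps the old password format so existing hashes still verify,
           a 4 character minimum, and manual (plain-text) password changes allowed. -->
      <add name="UsersMembershipProvider"
           type="Umbraco.Web.Security.Providers.UsersMembershipProvider, Umbraco"
           minRequiredNonalphanumericCharacters="0"
           minRequiredPasswordLength="4"
           useLegacyEncoding="true"
           enablePasswordRetrieval="false"
           enablePasswordReset="false"
           requiresQuestionAndAnswer="false"
           passwordFormat="Hashed"
           allowManuallyChangingPassword="true" />

      <!-- AFTER (hardened defaults for brand new installs only):
           useLegacyEncoding="false" selects the current hashing scheme, the minimum length is
           raised to 10, and allowManuallyChangingPassword="false" forces the "reset password"
           flow (random generated password) instead of accepting an attacker-supplied value. -->
      <!--
      <add name="UsersMembershipProvider"
           type="Umbraco.Web.Security.Providers.UsersMembershipProvider, Umbraco"
           minRequiredNonalphanumericCharacters="0"
           minRequiredPasswordLength="10"
           useLegacyEncoding="false"
           enablePasswordRetrieval="false"
           enablePasswordReset="false"
           requiresQuestionAndAnswer="false"
           passwordFormat="Hashed"
           allowManuallyChangingPassword="false" />
      -->
    </providers>
  </membership>
</system.web>
```

Only one of the two `add` entries may be active at a time, which is why the hardened one is commented out. The caveat from the description and the comment above applies: do not flip useLegacyEncoding on an existing site, because stored hashes were written with the legacy scheme and will stop verifying; the new defaults are for fresh installs, and upgrades merge their existing config unchanged.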


Stephan 15 Mar 2017, 11:36:55

happy with this, merging


Priority: Normal

Type: Bug

State: Fixed

Assignee:

Difficulty: Easy

Category:

Backwards Compatible: False

Fix Submitted:

Affected versions:

Due in version: 7.6.0

Sprint: Sprint 54

Story Points:

Cycle: