Security is the most important part of all web application architecture and that’s why nowadays all the customers want high security at the time of user authentication. Audience manager plays a vital role here to maintain the security of the web application. Here I have explained how you can authenticate a user without decrypting their password from AM database.

Before we start writing the code for user authentication let’s discuss the concept of Digest and Salt which helps to encrypt and verify the password using Audience Manager.

Digests: Encrypt passwords using one-way techniques.

In most cases, both MD5 or SHA-1(Used Here as an example) will be preferred choices for password digesting.

As it is one-way techniques, the very next question that arises to our minds usually is: ‘If I cannot decrypt passwords… how will I check if my users entered the right one?‘

Match user input and stored passwords by comparing digests, not unencrypted strings.

Which means that, once our users have entered their passwords at sign in, we will digest their input with the same algorithm we have previously used when storing the password, and then compare both digests. As digest algorithms guarantee that two equal inputs will get equal digests (which is not true in the opposite direction), if digests match then we can consider that the user is valid.

Here the concept of Salt comes into the picture. The salt is a sequence of bytes that is added to the password before being digested. This makes our digests different to what they would be if we encrypt the password alone, and as a result protects us against dictionary attacks. So to achieve that I have created one helper method which helps to digest the end user password–

public static string HashPassword(string valueToEncrypt, string token)
{
     if (string.IsNullOrEmpty(token))
    {
         return System.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile(valueToEncrypt, System.Web.Configuration.FormsAuthPasswordFormat.SHA1.ToString());
    }
    else
   {
         return System.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile(token.ToString() + ":" + valueToEncrypt.Trim(), System.Web.Configuration.FormsAuthPasswordFormat.SHA1.ToString());
   }
}

Now here is the code for User Authentication –

Include below namespace in your project.

• Sdl.AudienceManager.ContentDelivery;
• Sdl.AudienceManager.ContentDelivery.Profile;

First you have to query for the contact using the email id provided by end user.

      Contact contact = Contact.FromEmailQueryString(modelEmailId);

Once you get the Contact details. Then extract the password and salt from that.

string password = contact.ExtendedDetails[“Password”].StringValue;
string salt = contact.ExtendedDetails[“Password_salt”].StringValue;

Now call the helper method mentioned above. This method will digest their input with the same algorithm we have previously used when storing the password.

string hashedPassword = HashPassword(modelPassword,salt);

Now compare both the digest.

if (password == hashedPassword)
{
//TODO: Write the code once the authentication is successful.
}

That’s it! You can find the sample source code here.