When specifying passwordFormat for credentials in web.config, how do you handle decryption?

If I setup my app to use forms authentication, and I specify the credentials in web.config like this:

<authentication mode="Forms">
  <forms loginUrl="~/LogOn" name=".ASPXAUTH" path="/" defaultUrl="~/AuthArea" timeout="2880">
    <credentials passwordFormat="MD5">
      <user name="user" password="user123" />
    </credentials>
  </forms>
</authentication>

How do I then, in my LogOn Action validate the credentials?

if (FormsAuthentication.Authenticate(mo开发者_开发技巧del.UserName, model.Password)) {

Won't I need to encrypt the user entered password using MD5? And if so, how do you do that?

Thanks.

You do not need to encrypt the password when you are using FormsAuthentication.Authenticate. Your password in the web.config will need to be encrypted in MD5 though. here is the code I use:

public static string EncryptToMD5(this string helper)
        {
            MD5 md5 = new MD5CryptoServiceProvider();
            return BitConverter.ToString(md5.ComputeHash(Encoding.Default.GetBytes(helper)));
        }

You would have to write (or modify) the Security Provider to encrypt the password and compare it against the credentials that are stored. My biggest advice to you is start from an existing security provider like the SqlServerRoleProvider (which is wired up in all the new MVC / Web Forms projects as the default provider).

Details can be found here: http://msdn.microsoft.com/en-us/library/ff649314.aspx

FYI: The security providers that M$ provides handles encryption BY DEFAULT. This means you don't have to custom write it :-) I'd say start with a SQL Server Membership Provider example and database tables and branch out from there.