
github.com/mono/mono.git - Unnamed repository; edit this file 'description' to name the repository.
authorMarek Habersack <grendel@twistedcode.net>2010-06-19 04:16:59 +0400
committerMarek Habersack <grendel@twistedcode.net>2010-06-19 04:16:59 +0400
commitf2563ca2c7674f2fded8d1f61b3e817e42cc8d00 (patch)
tree811ff05dfa4fe37a93ca952cee7ce8298e80d790 /mcs/class
parentb433a909ab4658cd1c0f5cea95f89094ae26c696 (diff)
Backport of r159166
svn path=/branches/mono-2-6/mcs/; revision=159167
Diffstat (limited to 'mcs/class')
-rw-r--r--mcs/class/System.Web/System.Web.Security/ChangeLog5
-rw-r--r--mcs/class/System.Web/System.Web.Security/FormsAuthentication.cs42
2 files changed, 38 insertions, 9 deletions
diff --git a/mcs/class/System.Web/System.Web.Security/ChangeLog b/mcs/class/System.Web/System.Web.Security/ChangeLog
index 60579ea3dec..2cb7daa8584 100644
--- a/mcs/class/System.Web/System.Web.Security/ChangeLog
+++ b/mcs/class/System.Web/System.Web.Security/ChangeLog
@@ -1,3 +1,8 @@
+2010-06-19 Marek Habersack <mhabersack@novell.com>
+
+ * FormsAuthentication.cs: Authenticate must compare stored and
+ newly hashed passwords case-insensitively. Fixes bug #601727
+
2010-04-29 Marek Habersack <mhabersack@novell.com>
* FormsAuthentication.cs: set authentication/expiry cookie
diff --git a/mcs/class/System.Web/System.Web.Security/FormsAuthentication.cs b/mcs/class/System.Web/System.Web.Security/FormsAuthentication.cs
index b10508c66b7..2ece40789df 100644
--- a/mcs/class/System.Web/System.Web.Security/FormsAuthentication.cs
+++ b/mcs/class/System.Web/System.Web.Security/FormsAuthentication.cs
@@ -220,19 +220,24 @@ namespace System.Web.Security
if (stored == null)
return false;
+ bool caseInsensitive = true;
switch (config.PasswordFormat) {
case FormsAuthPasswordFormat.Clear:
+ caseInsensitive = false;
/* Do nothing */
break;
case FormsAuthPasswordFormat.MD5:
- password = HashPasswordForStoringInConfigFile (password, "MD5");
+ password = HashPasswordForStoringInConfigFile (password, FormsAuthPasswordFormat.MD5);
break;
case FormsAuthPasswordFormat.SHA1:
- password = HashPasswordForStoringInConfigFile (password, "SHA1");
+ password = HashPasswordForStoringInConfigFile (password, FormsAuthPasswordFormat.MD5);
break;
}
-
- return (password == stored);
+#if NET_2_0
+ return String.Compare (password, stored, caseInsensitive ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal) == 0;
+#else
+ return String.Compare (password, stored, caseInsensitive, Helpers.InvariantCulture) == 0;
+#endif
}
#if NET_2_0
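Review bot: The `case FormsAuthPasswordFormat.SHA1:` branch hashes the submitted password with `FormsAuthPasswordFormat.MD5`, so a credential stored in SHA1 format is compared against an MD5 digest and cannot match; the line should read `password = HashPasswordForStoringInConfigFile (password, FormsAuthPasswordFormat.SHA1);`. Separately, the `#else` branch replaces the old ordinal `==` with a culture-sensitive `String.Compare` under `Helpers.InvariantCulture`, which for `Clear` passwords may treat strings that differ only in linguistically ignorable characters as equal. Using `String.CompareOrdinal (password, stored) == 0` when `caseInsensitive` is false would keep the previous strictness. The body of the enclosing method begins outside the hunk, so how `stored` is obtained is not visible here.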
@@ -491,6 +496,28 @@ namespace System.Web.Security
return new string (result);
}
+ static string HashPasswordForStoringInConfigFile (string password, FormsAuthPasswordFormat passwordFormat)
+ {
+ if (password == null)
+ throw new ArgumentNullException ("password");
+
+ byte [] bytes;
+ switch (passwordFormat) {
+ case FormsAuthPasswordFormat.MD5:
+ bytes = MD5.Create ().ComputeHash (Encoding.UTF8.GetBytes (password));
+ break;
+
+ case FormsAuthPasswordFormat.SHA1:
+ bytes = SHA1.Create ().ComputeHash (Encoding.UTF8.GetBytes (password));
+ break;
+
+ default:
+ throw new ArgumentException ("The format must be either MD5 or SHA1", "passwordFormat");
+ }
+
+ return GetHexString (bytes);
+ }
+
public static string HashPasswordForStoringInConfigFile (string password, string passwordFormat)
{
if (password == null)
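Review bot: The new private `HashPasswordForStoringInConfigFile (string, FormsAuthPasswordFormat)` overload has no comment stating that it returns an unsalted, single-pass MD5 or SHA1 hex digest and that `Clear` is rejected by the `default` branch. A comment above it such as `// Unsalted MD5/SHA1 hex digest, kept only for compatibility with credentials stored in the config file; Clear is rejected.` would discourage reuse for new password storage. The `MD5.Create ()` and `SHA1.Create ()` instances are also never cleared or disposed; wrapping each in `using (HashAlgorithm alg = MD5.Create ())` would release them deterministically. The public string overload that follows continues outside the hunk.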
@@ -499,16 +526,13 @@ namespace System.Web.Security
if (passwordFormat == null)
throw new ArgumentNullException ("passwordFormat");
- byte [] bytes;
if (String.Compare (passwordFormat, "MD5", true, Helpers.InvariantCulture) == 0) {
- bytes = MD5.Create ().ComputeHash (Encoding.UTF8.GetBytes (password));
+ return HashPasswordForStoringInConfigFile (password, FormsAuthPasswordFormat.MD5);
} else if (String.Compare (passwordFormat, "SHA1", true, Helpers.InvariantCulture) == 0) {
- bytes = SHA1.Create ().ComputeHash (Encoding.UTF8.GetBytes (password));
+ return HashPasswordForStoringInConfigFile (password, FormsAuthPasswordFormat.SHA1);
} else {
throw new ArgumentException ("The format must be either MD5 or SHA1", "passwordFormat");
}
-
- return GetHexString (bytes);
}
public static void Initialize ()