Why are ASP.Net membership credentials stored in a database not portable between (1) web apps and (2) machines?
Two scenarios --
We backup the production database and restore it to the development server. None of the production login credentials work on the development server, even though the underlying data was restored from production seconds before.
We build a new version of the app ("v2," let's call it), and install it on the production database under a different website (alongside the production app -- "v1"), but talking to the same production database. None of the login credentials work on v2 of the app, even though it's talking to the same database and therefore has the exact same membership data.
There is no machine key in the web.config file. If I leave this out, I assume it bubbles up from the machine.config file, which means it should be the same per machine, which means the two webapps talking to the same database on the same machine (the second scenario above) should share credentials, correct?
We also checked the application names and IDs in the databases, and they are identical between machines.
If you reset the passwords, everything works fine (with new passwords). But that means everyone has to reset their passwords, which isn't ideal.
It seems that somehow, the password salt changes from database server to database server and from web app to web app.
Edit:
Using ASP.Net 4.5 and System.Web.Security.SqlMembershipProvider 4.0.
Another Edit:
I have verified the PasswordFormat is "Hashed." Additionally, I have checked the Password and PasswordSalt fields between the two databases. They are identical.
Solution:
The hashing algorithm in the web.config was set differently between the two apps.
The hashing algorithm was different between the two webapps. One was using the default "SHA1," and the other was explicit set to "HMACSHA512."