How do I programmatically verify hashed ASP.NET Membership passwords?

Time: 2009-10-14 04:50:44

Tags: encryption asp.net-membership

I have a site where I'm migrating membership from the ASP.NET service to a custom provider. I want to migrate the existing users without making them change their passwords.

The users' passwords are currently stored with one-way encryption. The only option I see is to use the same salt and password as the ASP service and validate them with my custom provider.

Here is the configuration the ASP.NET service currently uses to hash passwords.

<membership defaultProvider="AspNetSqlMembershipProvider" userIsOnlineTimeWindow="15" hashAlgorithmType="">
        <providers>
            <clear/>
            <add connectionStringName="dashCommerce" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="dashCommerce" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" passwordStrengthRegularExpression="" minRequiredPasswordLength="4" minRequiredNonalphanumericCharacters="0" name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
        </providers>
</membership>

I've been struggling to write the code needed to validate passwords against the hashes this configuration generates.

Here's what I have so far. Any help would be appreciated.

using System.Web.Security;

// Questioner's attempt: HashPasswordForStoringInConfigFile returns the
// uppercase hex SHA1 of the UTF-8 bytes of the string password+salt.
private static string CreatePasswordHash(string Password, string Salt)
{
    return FormsAuthentication.HashPasswordForStoringInConfigFile(Password + Salt, "SHA1");
}

2 answers:

Answer 0 (score: 2)

I dug through Reflector and found the code used to compute the hash.

using System;
using System.Security.Cryptography;
using System.Text;

// SettingManager is the poster's own settings helper (not part of ASP.NET);
// it supplies the algorithm name, falling back to SHA1 as the config above implies.
private static string CreatePasswordHash(string Password, string Salt)
{
    string passwordFormat = SettingManager.GetSettingValue("Security.PasswordFormat");
    if (String.IsNullOrEmpty(passwordFormat))
        passwordFormat = "SHA1";
    // Password bytes are UTF-16LE (Encoding.Unicode), the salt is base64 in the database
    byte[] bytes = Encoding.Unicode.GetBytes(Password);
    byte[] src = Convert.FromBase64String(Salt);
    byte[] dst = new byte[src.Length + bytes.Length];
    byte[] inArray = null;
    // Hash input is raw salt bytes followed by the UTF-16LE password bytes
    Buffer.BlockCopy(src, 0, dst, 0, src.Length);
    Buffer.BlockCopy(bytes, 0, dst, src.Length, bytes.Length);

    HashAlgorithm algorithm = HashAlgorithm.Create(passwordFormat);
    inArray = algorithm.ComputeHash(dst);

    // The stored Password column holds the base64 of the digest
    return Convert.ToBase64String(inArray);
}

This works.

Answer 1 (score: 2)

using System;
using System.Data.SqlClient;
using System.Web.Security;

// Fragment of a change-password handler as posted; the method name and signature
// are assumed here so the snippet compiles. txtpassword / txtnewpassword are page
// controls and Connect.Connection() is the poster's own connection-string helper.
protected void ChangePassword_Click(object sender, EventArgs e)
{
    //string hashOldPassword = utl.generateHash(txtpassword.Text);
    // Hex SHA1 of the typed password (the PasswordSalt column is not used here)
    string hashOldPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(txtpassword.Text, "SHA1");

    //string hashOldPassword = Membership.Provider.GetPassword(Page.User.Identity.Name.ToString(), string.Empty);
    MembershipUser user = Membership.GetUser();
    //string hashOldPassword = user.GetHashCode(

    if (txtnewpassword.Text.Length < 7)
    {
        // new-password length check left empty in the original
    }
    var userId = user.ProviderUserKey;
    var user1 = Membership.GetUser();

    MembershipPasswordFormat passwordFormat;
    string passwordSalt;
    string password;
    SqlConnection sqlconn = new SqlConnection(Connect.Connection());
    //var cstring = ConnectionStrings[Connect.Connection()];
    using (var conn = new SqlConnection(sqlconn.ConnectionString))
    {
        using (var cmd = conn.CreateCommand())
        {
            // Read the stored format, salt and hash straight from the membership table
            cmd.CommandText = "select PasswordFormat,PasswordSalt,Password from aspnet_Membership where UserId=@UserId";
            cmd.Parameters.AddWithValue("@UserId", userId);
            conn.Open();

            using (var rdr = cmd.ExecuteReader())
            {
                if (rdr != null && rdr.Read())
                {
                    passwordFormat = (MembershipPasswordFormat)rdr.GetInt32(0);
                    // passwordFormat = rdr.GetString(0);
                    passwordSalt = rdr.GetString(1);
                    password = rdr.GetString(2);

                    if (hashOldPassword == password)
                    {
                        user.ChangePassword(txtpassword.Text, txtnewpassword.Text);
                    }
                    else
                    {
                    }
                    //if(password.ToString()!=txtpassword)
                }
                else
                {
                    throw new Exception("An unhandled exception of type 'DoesntWorkException' has occurred");
                }
            }
        }
    }
}
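Both answers come down to the same operation: take the PasswordFormat, PasswordSalt and Password columns that answer 1 reads from aspnet_Membership, rebuild the digest the way answer 0 shows (raw base64-decoded salt bytes followed by the UTF-16LE password bytes, then base64 the result), and compare. The following is an added example, not code from the question or from either answer, written in Python because a provider that migrates away from ASP.NET Membership typically has to reproduce this check outside .NET. Function names (`hash_password`, `verify_membership_row`), the sample row and the fixed salt are all constructed here for illustration. It also handles the keyed case (HMACSHA256, the .NET 4 default when hashAlgorithmType resolves to a KeyedHashAlgorithm), where the provider uses the salt bytes as the HMAC key instead of prepending them; the question's .NET 2.0 config with an empty hashAlgorithmType resolves to plain SHA1.

```python
import base64
import hashlib
import hmac
import os

# MembershipPasswordFormat enum values as stored in aspnet_Membership.PasswordFormat
CLEAR, HASHED, ENCRYPTED = 0, 1, 2


def generate_salt() -> str:
    """16 random bytes, base64-encoded: the shape the provider stores in PasswordSalt."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def hash_password(password: str, salt_b64: str, algorithm: str = "SHA1") -> str:
    """Reproduce SqlMembershipProvider.EncodePassword for passwordFormat="Hashed".

    Unkeyed algorithms (SHA1, what the question's config resolves to):
        digest(base64decode(salt) || UTF-16LE(password))
    Keyed algorithms (HMACSHA256 etc., the .NET 4 default):
        HMAC keyed with the raw salt bytes over UTF-16LE(password)
    Either way the stored Password column holds the base64 of the digest.
    """
    salt = base64.b64decode(salt_b64)
    pwd = password.encode("utf-16-le")  # Encoding.Unicode.GetBytes: UTF-16LE, no BOM
    name = algorithm.upper()
    if name.startswith("HMAC"):
        digest = hmac.new(salt, pwd, name[4:].lower()).digest()
    else:
        digest = hashlib.new(name.lower(), salt + pwd).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_password(password: str, salt_b64: str, stored_b64: str,
                    algorithm: str = "SHA1") -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    candidate = hash_password(password, salt_b64, algorithm)
    return hmac.compare_digest(candidate.encode("ascii"), stored_b64.encode("ascii"))


def verify_membership_row(row: dict, password: str, algorithm: str = "SHA1") -> bool:
    """Check a password against one aspnet_Membership row (the three columns
    answer 1 selects). Hypothetical helper; the row is a plain dict here."""
    fmt = row["PasswordFormat"]
    if fmt == HASHED:
        return verify_password(password, row["PasswordSalt"], row["Password"], algorithm)
    if fmt == CLEAR:
        return hmac.compare_digest(row["Password"].encode("utf-8"), password.encode("utf-8"))
    # Encrypted passwords need the site's machineKey decryptionKey; out of scope here
    raise ValueError("PasswordFormat=Encrypted is not handled by this example")


# Constructed sample row: a fixed salt keeps the run deterministic, and the Password
# value is produced by hash_password itself rather than copied from a real database.
SAMPLE_SALT = base64.b64encode(bytes(range(16))).decode("ascii")
SAMPLE_ROW = {
    "PasswordFormat": HASHED,
    "PasswordSalt": SAMPLE_SALT,
    "Password": hash_password("P@ssw0rd", SAMPLE_SALT),
}


if __name__ == "__main__":
    print("stored hash:     ", SAMPLE_ROW["Password"])
    print("correct password:", verify_membership_row(SAMPLE_ROW, "P@ssw0rd"))
    print("wrong password:  ", verify_membership_row(SAMPLE_ROW, "p@ssw0rd"))
```

Two details matter when porting this: the password must be encoded as UTF-16LE (Encoding.Unicode), not UTF-8, and the salt must be base64-decoded to bytes before it is prepended, not concatenated as text the way the question's first attempt does. Once a user has been verified against the old hash, the custom provider can rehash with a slower password hash (bcrypt, PBKDF2, Argon2) and retire the SHA1 value, since a single unkeyed SHA1 over a 16-byte salt offers no work-factor protection against offline guessing.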