我正在尝试为开发网站上的登录实现一些基本安全性。我正在使用https://crackstation.net/hashing-security.htm
中的代码(C#)由于某些原因它只是不起作用,生成的密码哈希完全按照生成的方式存储在我的数据库中,当我尝试使用ValidatePassword验证密码时,它似乎不起作用(字符串密码, string correctHash)
ValidatePassword应该生成相同的哈希,但它不会。
有没有人有使用此代码的经验,或者有任何实际可行的代码?我现在尝试了几个,包括MSDN上的那个,似乎没有一个符合要求。建议我不要尝试编写自己的代码来实现这一点。
这是调用方法的代码,我在调试期间验证输入是否正确。
我已将链接网站的代码复制到静态助手类中,该类由我的服务方法调用。
public ResultModel Register(string emailAddress, string password, string givenName, string familyName)
{
var _db = new EntityConnection();
if (_db.Users.Any(x => x.isDeleted == false && x.EmailAddress == emailAddress))
return new ResultModel() { success = false, message = "Email Address already registered, please attempt to Login" };
password = HashHelper.CreateHash(password);
var user = new User()
{
EmailAddress = emailAddress,
Password = password,
GivenName = givenName,
FamilyName = familyName,
DateAdded = DateTime.Now,
isDeleted = false,
isApproved = false
};
_db.Users.Add(user);
_db.SaveChanges();
var activationToken = new Token()
{
TokenType = "Account Activation",
User = user,
UserID = user.UserID,
DateAdded = DateTime.Now,
TokenCode = Guid.NewGuid().ToString()
};
_db.Tokens.Add(activationToken);
_db.SaveChanges();
return new ResultModel() { success = true, entity = user };
}
public ResultModel Login(string emailAddress, string password)
{
var _db = new EntityConnection();
var user = _db.Users.Where(x => x.isDeleted == false && x.EmailAddress == emailAddress);
if (!user.Any() || user.Count() > 1)
return new ResultModel() { success = false, message = "Credentials supplied do not match an Account, please try again." };
var existingHash = user.First().Password;
var result = HashHelper.ValidatePassword(password, existingHash);
if (result)
return new ResultModel() { success = true, entity = user.First() };
else
return new ResultModel() { success = false, message = "Credentials supplied do not match an Account, please try again." };
}