好的,我现在已经到了最后。我正在为我的学位学院创建一个项目(网站),并要求对用户进行身份验证。我决定使用ASP.NET的散列功能来提高安全性。我也在用盐。 现在问题是我无法验证密码是否正确,因为HashPassword()方法总是提供不同的哈希,即使我存储的哈希和盐是相同的。
以下是代码:
1)signup.aspx.cs(如果你能在那里找到一些错误)
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.Helpers;
using System.Data.SqlClient;
public partial class signup : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void SignUpButton_Click(object sender, EventArgs e)
{
String username = Request.Form["username"].Trim();
String password = Request.Form["password"].Trim();
String emailaddress = Request.Form["emailaddress"].Trim();
String salt = Crypto.GenerateSalt(128);
String hashedpassword = Crypto.HashPassword(salt + password);
InsertData(username, password, emailaddress, salt, hashedpassword);
}
private void InsertData(string username, string password, string emailaddress, string salt, string hashedpassword)
{
String connectstring = System.Configuration.ConfigurationManager.ConnectionStrings["EpicsoString"].ConnectionString;
result1.InnerText = connectstring;
String enter = "INSERT INTO USERS ( USERNAME, EMAILADDRESS, PASSWORD, SALT ) VALUES ( @UN, @EA, @HP, @S )";
result1.InnerText = "username: " + username + "\nPassword: " + password + "\nEmailAddress: " + emailaddress + "\nSalt: " + salt + "\nhashedPassword: " + hashedpassword;
SqlConnection con = new SqlConnection(connectstring);
SqlCommand cmd = new SqlCommand(enter, con);
cmd.Parameters.Add("@UN", System.Data.SqlDbType.Char, 15).Value = username;
cmd.Parameters.Add("@EA", System.Data.SqlDbType.VarChar, 20).Value = emailaddress;
cmd.Parameters.Add("@HP", System.Data.SqlDbType.NVarChar, 128).Value = hashedpassword;
cmd.Parameters.Add("@S", System.Data.SqlDbType.NVarChar, 128).Value = salt;
con.Open();
cmd.ExecuteNonQuery();
con.Close();
}
}
2)login.aspx.cs这是生成错误的实际登录页面
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.Helpers;
using System.Security.Cryptography;
using System.Data.SqlClient;
public partial class login : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void LoginButton_Click(object sender, EventArgs e)
{
string username = Request.Form["username"];
string password = Request.Form["password"];
VerifyData(username, password);
}
private void VerifyData(string username, string password)
{
String connectstring = System.Configuration.ConfigurationManager.ConnectionStrings["EpicsoString"].ConnectionString;
string query = "SELECT Password, Salt FROM USERS WHERE UserName = @UN";
string dbpassword = "";
string dbsalt = "";
string hash = "";
SqlConnection con = new SqlConnection(connectstring);
SqlCommand cmd = new SqlCommand(query, con);
cmd.Parameters.Add("@UN", System.Data.SqlDbType.Char, 15).Value = username;
try
{
con.Open();
SqlDataReader sdr = cmd.ExecuteReader();
if (sdr.HasRows)
{
if(sdr.Read())
{
dbpassword = sdr["password"].ToString();
dbsalt = sdr["salt"].ToString();
hash = Crypto.HashPassword(dbsalt + password);
result.InnerText = " dbsalt: " + dbsalt + " " + " dbpassword: " + dbpassword + " " + " hash: "+hash;
if (Crypto.VerifyHashedPassword(dbpassword, password))
{
Response.Write("<script type='text/javascript'>alert('Successful.');</script>");//Authentication Successful
}
else
{
Response.Write("<script type='text/javascript'>alert('Not Successful.');</script>");//Authentication Unsuccessful
}
}
}
else
{
}
con.Close();
}
catch (Exception ex)
{
Response.Write("<script type='text/javascript'>alert('Sorry, an error occured for some reason. Please try again');</script>");
}
}
}
甚至VerifyHashedPassword()也没有进行身份验证。 我正在调试哈希变量。 这是我第一次来这里,任何帮助将不胜感激。感谢。