从头开始在ASP.NET中创建安全的用户登录系统
[英]Creating a secure user login system in ASP.NET from scratch
问题描述
I am trying to start up an ASP.NET website with MongoDB. 
我正在尝试使用MongoDB启动ASP.NET网站。 The starting ASP.NET project implements a user authorization schema with a connection string to a sql database. 启动ASP.NET项目使用与sql数据库的连接字符串实现用户授权架构。
I have a website working with Mongo DB to work off of...but that website seems to have implemented the automatically generated user login system, and somehow changed settings so that the user login data is deposited to the Mongo database instead. 我有一个与Mongo DB一起工作的网站,但是...该网站似乎已经实现了自动生成的用户登录系统,并且以某种方式更改了设置,以便将用户登录数据存储到Mongo数据库中。 Rather than trust Microsoft to handle everything, I would like to build a user login system based on my own libraries (with the end goal being to handle as much as possible in F#). 我不想让Microsoft处理所有事情,而是希望基于我自己的库构建用户登录系统(最终目标是在F#中尽可能多地处理)。
I am trying to figure out how the user authorization code puts the user information into the database. 我试图弄清楚用户授权代码如何将用户信息放入数据库中。 It seems to be a black box. 好像是黑匣子。 The code, 编码,
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Register(RegisterViewModel model)
{
if (ModelState.IsValid)
{
var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
var result = await UserManager.CreateAsync(user, model.Password);
more specifically, 进一步来说,
var result = await UserManager.CreateAsync(user,model.Password);
yields a function specified in metadata upon inspection. 检查后会产生元数据中指定的功能。
Am I just supposed to copy the settings from the working website I have until it automagically works, or is there a way to manually reproduce the user login system? 我是否应该只是从拥有的工作网站复制设置,直到其自动运行,或者是否有办法手动重现用户登录系统? Is it impossible to reverse engineer the process from the generated code? 从生成的代码中对流程进行反向工程是不可能的吗? Is there a tutorial or guide to best practices for creating a secure user login system from scratch? 是否有从头开始创建安全用户登录系统的最佳实践的教程或指南?
1 个解决方案
解决方案1
1 2015-08-06 14:37:00
This is one of those things that is usually best left to a tried and proven library. 这是通常最好由久经考验的库完成的事情之一。 However, this could be a fun little project. 但是,这可能是一个有趣的小项目。 The typical high-level description of a secure user login is along the lines of: Generate a random salt, append it to the user's input, run the result of that through a secure hash algorithm (eg SHA-256) and store both the salt and the hashed result. 对安全用户登录的典型高级描述如下:生成随机盐,将其附加到用户输入,通过安全哈希算法(例如SHA-256)运行结果,并存储盐和散列结果。 Checking a login then becomes: Retrieve the salt and the hash from the database, append salt to the user's input, hash that result, compare to the result from the database. 然后检查登录名:从数据库中检索盐和哈希,将盐附加到用户的输入中,对结果进行哈希,然后与数据库的结果进行比较。 However, beware of timing attacks. 但是,请注意定时攻击。 Some comparison algorithms stop running once they encounter a mismatch. 一旦遇到不匹配,一些比较算法就会停止运行。 A "secure" comparer should always take the same amount of time to run, regardless of how close the inputs are. 不管输入有多接近,“安全”比较器都应始终花费相同的时间运行。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.