ASP.NET成员资格
[英]ASP.NET Membership
问题描述
I'd like to use the ASP.NET membership provider in the following (low-security) scenario... 
我想在以下(低安全性)方案中使用ASP.NET成员资格提供程序...
My company will create and administer user accounts on behalf of our clients. 我公司将代表客户创建和管理用户帐户。 These accounts will likely be shared amongst several people in the client company ( is that a problem? ). 这些帐户可能会在客户公司的几个人之间共享(这是一个问题吗? )。
There will be 2 types of users (2 roles): client and administrator. 用户将有2种类型(2个角色):客户端和管理员。 Administrators are the people within my company that will have special privileges to create client user accounts, etc. 管理员是我公司中具有创建客户用户帐户等特权的人员。
Clients will not be able to self-register. 客户将无法自行注册。 They also won't get to choose their own password, and they should not be able to change their password either, since that will just create confusion where several people are sharing the same account. 他们也将无法选择自己的密码,并且他们也将无法更改密码,因为这只会在几个人共享同一帐户的情况下造成混乱。
My internal users (admins) will set the password for each client. 我的内部用户(管理员)将为每个客户端设置密码。 Here's the bit I'm struggling with: if a client phones up and asks to be reminded of their password, how can my admin users find out what the password is? 这是我苦苦挣扎的事情:如果客户打电话给我并要求提醒他们密码,我的管理员用户如何才能知道密码是什么? Can I configure the provider to store the password in clear text (or other recoverable form), and if so can I get at the password through the .NET API? 是否可以将提供程序配置为以明文形式(或其他可恢复形式)存储密码,如果可以,则可以通过.NET API获取密码吗?
As I said at the outset, this is a low-security application, and so I plan simply to show the password in the (internal) web page where I have a list of all users. 正如我在一开始所说的那样,这是一个低安全性的应用程序,因此我计划仅在(内部)网页上显示密码,该网页中我列出了所有用户。
2 个解决方案
解决方案1
2 已采纳 2010-03-25 23:43:31
Here is an example of how to do this: 这是如何执行此操作的示例:
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add
name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="MySqlConnection"
applicationName="MyApplication"
enablePasswordRetrieval="false"
enablePasswordReset="true"
requiresQuestionAndAnswer="true"
requiresUniqueEmail="true"
passwordFormat="Clear" />
</providers>
</membership>
passwordFormat passwordFormat
Specifies the password format. 指定密码格式。 The SQL Server membership provider supports Clear, Encrypted, and Hashed password formats. SQL Server成员资格提供程序支持清除,加密和哈希密码格式。 Clear passwords are stored in plain text, which improves the performance of password storage and retrieval, but is less secure because passwords are easily read if your SQL Server database is compromised. 清除密码以纯文本格式存储,这可以提高密码存储和检索的性能,但是安全性较低,因为如果SQL Server数据库受到破坏,密码很容易读取。 Encrypted passwords are encrypted when stored and can be decrypted for password comparison or password retrieval. 加密的密码在存储时已加密,可以解密以进行密码比较或密码检索。 This requires additional processing for password storage and retrieval, but is more secure because passwords are not easily deciphered if the SQL Server database is compromised. 这需要对密码的存储和检索进行额外的处理,但是它更加安全,因为如果SQL Server数据库遭到破坏,密码不容易被解密。 Hashed passwords are hashed using a one-way hash algorithm and a randomly generated salt value when stored in the database. 当哈希密码存储在数据库中时,将使用单向哈希算法和随机生成的盐值对哈希密码进行哈希处理。 When a password is validated, it is hashed with the salt value in the database for verification. 密码通过验证后,会与数据库中的salt值一起进行哈希处理以进行验证。 Hashed passwords cannot be retrieved. 无法检索散列的密码。
解决方案2
1 2010-03-25 23:41:10
Even though it's low security, it's best not to store the password in plain-text. 即使安全性较低,也最好不要以纯文本形式存储密码。 Since you want it to be recoverable, you should look at Encrypting the passwords. 由于您希望它可以恢复,因此您应该查看“加密密码”。 By encrypting, it can be reversed back to it's original form with the correct key. 通过加密,可以使用正确的密钥将其恢复为原始形式。 Have a look at the Membership section here 在这里查看会员部分
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.