[英]WebMatrix WebSecurity PasswordSalt
I am using WebMatrix and have built a website based on the "StarterSite". 我正在使用WebMatrix,并建立了一个基于“StarterSite”的网站。 In this starter site you get a nice basic layout - including registration, login, forgot password pages etc... 在这个初学者网站,你会得到一个很好的基本布局 - 包括注册,登录,忘记密码页等...
I've noticed that in the database that the "webpages_Membership" table has a column named "PasswordSalt". 我注意到在数据库中“webpages_Membership”表有一个名为“PasswordSalt”的列。 After creating a few new user accounts, this column always remains blank. 创建一些新用户帐户后,此列始终为空。 So I'm assuming that no password salt (not even a default one) is in use. 所以我假设没有使用密码盐(甚至不是默认密码)。
Obviously this is not the best practice, however I cannot seem to find any documentation that tells me how to set or manage the password salt. 显然这不是最佳实践,但我似乎无法找到任何文档告诉我如何设置或管理密码盐。
How can I set the password salt with the WebSecurity Helper? 如何使用WebSecurity Helper设置密码salt?
The above answer gives the impression that there is no salting applied when using WebSecurity
SimpleMembershipProvider
. 上面的答案给人的印象是,使用WebSecurity
SimpleMembershipProvider
时没有应用WebSecurity
。
That is not true. 事实并非如此。 Indeed the database salt field is not used, however this does not indicate that there is no salt generated when hashing the password. 实际上,未使用数据库salt字段,但这并不表示在对密码进行散列时不会生成salt 。
In WebSecurity
s SimpleMembershipProvider
the PBKDF2 algo is used, the random salt is generated by the StaticRandomNumberGenerator
and stored in the password field with the hash: 在WebSecurity
的SimpleMembershipProvider
了PBKDF2算法,随机盐由StaticRandomNumberGenerator
生成并存储在带有哈希的密码字段中:
byte[] outputBytes = new byte[1 + SALT_SIZE + PBKDF2_SUBKEY_LENGTH];
Buffer.BlockCopy(salt, 0, outputBytes, 1, SALT_SIZE);
Buffer.BlockCopy(subkey, 0, outputBytes, 1 + SALT_SIZE, PBKDF2_SUBKEY_LENGTH);
return Convert.ToBase64String(outputBytes);
As of the RTM release of WebMatrix/ASP.NET Web Pages, the salt feature/column is unused. 从WebMatrix / ASP.NET网页的RTM版本开始,salt功能/列未使用。
If you open up the Web Pages source, you'll see the db classes littered with references like 如果打开Web页面源代码,您将看到db类中包含类似的引用
INSERT INTO [" + MembershipTableName + "] (UserId, [Password], PasswordSalt
... ...
VALUES (uid, hashedPassword,String.Empty /* salt column is unused */
shortened for emphasis 缩短了重点
There are definately ways to override and implement this behavior, first being: 有绝对的方法来覆盖和实现这种行为,首先是:
or 要么
not going to go into detail there though unless you request, as your usage of WebMatrix and a template suggests you probably don't wanna mess with rewriting a ton of your own C#/ASP code for this project. 除非你提出要求,否则不打算详细说明,因为你使用WebMatrix和模板表明你可能不想为这个项目重写你自己的C#/ ASP代码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.