
Creating a secure user login system in ASP.NET from scratch

I am trying to start up an ASP.NET website with MongoDB. The starting ASP.NET project implements a user authorization schema with a connection string to a SQL database.

I have a website working with MongoDB to work off of, but that website seems to have implemented the automatically generated user login system and somehow changed settings so that the user login data is deposited in the Mongo database instead. Rather than trust Microsoft to handle everything, I would like to build a user login system based on my own libraries (with the end goal being to handle as much as possible in F#).

I am trying to figure out how the user authorization code puts the user information into the database. It seems to be a black box. The code,

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Register(RegisterViewModel model)
{
    if (ModelState.IsValid)
    {
        var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
        var result = await UserManager.CreateAsync(user, model.Password);
        // ... (the rest of the generated action was not included in the post)
    }
}

more specifically,

var result = await UserManager.CreateAsync(user,model.Password);

yields a function specified in metadata upon inspection.

Am I just supposed to copy the settings from the working website I have until it automagically works, or is there a way to manually reproduce the user login system? Is it impossible to reverse engineer the process from the generated code? Is there a tutorial or guide to best practices for creating a secure user login system from scratch?

This is one of those things that is usually best left to a tried and proven library. However, this could be a fun little project.

The typical high-level description of a secure user login is along the lines of: generate a random salt, append it to the user's input, run the result of that through a secure hash algorithm (e.g. SHA-256) and store both the salt and the hashed result.

Checking a login then becomes: retrieve the salt and the hash from the database, append the salt to the user's input, hash that result, and compare to the result from the database.

However, beware of timing attacks. Some comparison algorithms stop running once they encounter a mismatch. A "secure" comparer should always take the same amount of time to run, regardless of how close the inputs are.
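The scheme the answer describes, written out as an added example that is not part of the original post or of ASP.NET Identity: a fresh random salt per user, the password stretched with PBKDF2-HMAC-SHA256 (an iterated, salted construction with a tunable work factor, which is what a practitioner would use for password storage rather than a single SHA-256 pass), the salt, iteration count and hash stored together, and verification done with a constant-time comparison. It also runs the same verification against a dummy record for unknown usernames, so a failed login takes the same time whether or not the account exists. The function names, the parameter values and the in-memory store are this example's assumptions; `naive_equal_steps` only counts how many bytes an early-exit comparison inspects, to show the leak the answer warns about.

```python
import hashlib
import hmac
import secrets

# Parameters chosen for this example (assumptions, not values from the post).
ALGORITHM = "sha256"
SALT_BYTES = 16
ITERATIONS = 200_000   # work factor; raise it as hardware gets faster
KEY_BYTES = 32


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch password + salt with PBKDF2-HMAC-SHA256 (slow, salted, iterated)."""
    return hashlib.pbkdf2_hmac(
        ALGORITHM, password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )


def hash_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Generate a fresh random salt and return everything a verifier needs later.

    The parameters are stored next to the hash so they can be raised for new
    users (or re-hashed on next login) without breaking existing records.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    return {
        "algorithm": f"pbkdf2_{ALGORITHM}",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": derive(password, salt, iterations).hex(),
    }


def verify_password(record: dict, password: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    candidate = derive(password, salt, record["iterations"])
    # hmac.compare_digest does not exit early on the first differing byte.
    return hmac.compare_digest(candidate, expected)


# Dummy record verified for unknown usernames, so an attacker cannot tell
# "no such user" from "wrong password" by timing the response.
_DUMMY = hash_password(secrets.token_hex(16))


def register(store: dict, username: str, password: str) -> None:
    """Create a user record in the (hypothetical) in-memory store."""
    if username in store:
        raise ValueError("username already taken")
    store[username] = hash_password(password)


def login(store: dict, username: str, password: str) -> bool:
    """Return True only if the user exists and the password matches."""
    record = store.get(username)
    if record is None:
        verify_password(_DUMMY, password)  # burn the same time, then fail
        return False
    return verify_password(record, password)


def naive_equal_steps(a: bytes, b: bytes) -> int:
    """Bytes inspected by an early-exit comparison: its runtime leaks the
    position of the first mismatch, which is the timing attack the answer
    warns about."""
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            break
    return steps


if __name__ == "__main__":
    users = {}
    register(users, "alice", "correct horse battery staple")
    print(login(users, "alice", "correct horse battery staple"))  # True
    print(login(users, "alice", "wrong password"))                 # False
    print(login(users, "nobody", "anything"))                      # False
    print(naive_equal_steps(b"abcd", b"abce"), naive_equal_steps(b"abcd", b"zbcd"))
```

The record keeps the algorithm name and iteration count beside the salt and hash on purpose: when you later raise the work factor, old records still verify, and you can transparently re-hash a user's password on their next successful login.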
