[英]ASP.net authentication
我是CS专业,我刚刚完成了ASP.net网站的设计,对于网站我需要一个登录认证系统......我不想使用SQLMembershipProvider,因为我真的想学习如何自己创建一个......无论如何,这就是我想出来的,我想知道是否有人可以给我一些反馈,提示或建议。
提前致谢
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Security.Cryptography;
/// <summary>
/// Summary description for PwEncrypt
/// </summary>
public class PwEncrypt
{
public const int DefaultSaltSize = 5;
private static string CreateSalt()
{
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
byte[] buffer = new byte[DefaultSaltSize];
rng.GetBytes(buffer);
return Convert.ToBase64String(buffer);
}
public static string CreateHash(string password, out string salt)
{
salt = CreateSalt();
string saltAndPassword = String.Concat(password, salt);
string hashedPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPassword, "SHA1");
hashedPassword = string.Concat(hashedPassword, salt);
return hashedPassword;
}
public static string CreateHashAndGetSalt(string password, string salt)
{
string saltAndPassword = String.Concat(password, salt);
string hashedPassword = FormsAuthentication.HashPasswordForStoringInConfigFile(saltAndPassword, "SHA1");
hashedPassword = string.Concat(hashedPassword, salt);
return hashedPassword;
}
public static bool comparePassword(string insertedPassword, string incUserName, out string newEncryptedPassword, out string originalPassword)
{
databaseInteraction DBI = new databaseInteraction();
string actualPassword ="";
string salt = "";
DBI.getSaltandPassword(incUserName, out salt, out actualPassword);
string hashedIncPassword = PwEncrypt.CreateHashAndGetSalt(insertedPassword, salt);
// hashedIncPassword = string.Concat(hashedIncPassword, salt);
newEncryptedPassword = hashedIncPassword;
originalPassword = actualPassword;
if (newEncryptedPassword == originalPassword)
{
return true;
}
else { return false; }
}
假设我们有一个这样的帐户表
然后,您可以创建一个返回帐户对象的帮助程序类
private static Account GetByName(string accountName, bool activatedOnly = false)
{
using (var context = new DBEntities())
{
return context.Accounts.FirstOrDefault(s =>
s.AccountName == accountName &&
s.IsApproved == activatedOnly);
}
}
public static Account Get(string accountName, string password)
{
var account = GetByName(accountName, true);
if (account != null)
if (!Cryptographer.IsValidPassword(password,
account.PasswordSalt,
account.PasswordKey))
return null;
return account;
}
我正在使用EntityFramework
但这并不重要。 主要思想是表明您不需要获取整个帐户列表(特别是如果您有大量用户)。
我的Cryptographer
课看起来像
public class Cryptographer
{
private const int keyByteLength = 20;
public static void Encrypt(string password,
out byte[] salt,
out byte[] key)
{
using (var deriveBytes = new Rfc2898DeriveBytes(password,
keyByteLength))
{
salt = deriveBytes.Salt;
key = deriveBytes.GetBytes(keyByteLength);
}
}
public static bool IsValidPassword(string password,
byte[] salt,
byte[] key)
{
using (var deriveBytes = new Rfc2898DeriveBytes(password, salt))
{
byte[] newKey = deriveBytes.GetBytes(keyByteLength);
return newKey.SequenceEqual(key);
}
}
}
对于cource,您可以实现自己的算法。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.