Why doesn't ValidateUser return more information?

Posted 2024-07-13 10:15:04, 701 characters, 12 views, 0 comments


I'm using the standard .NET membership provider, and thought I'd see if someone could shine a light on it.

Calling ValidateUser returns either true or false. Now, since the method accepts a username and password, one would reason that the return result would reflect an invalid username or password. Yet if we delve into it further, we find it is also checking IsLockedOut and IsApproved.

public override bool ValidateUser (string username, string password)
{
    MembershipUser user = GetUser (username, false);
    /* note: GetUser returns null for an unknown username; the fragment as posted does not guard against that */
    /* if the user is locked out, return false immediately */
    if (user.IsLockedOut)
        return false;
    /* if the user is not yet approved, return false */
    if (!user.IsApproved)
        return false;
    /* ... the rest of the method (the password check) is elided in the original post */
}

In my application, I would like to make use of IsApproved for my own means. Simply rolling my own provider won't work because I'm still constrained to a bool result. Creating a user gives us all the information we need, so why not ValidateUser? Am I missing something?


Comments (1)

电影里的梦 2024-07-20 10:15:04


I expect that what you're seeing is a security decision - by restricting the information returned, they're not providing information to malicious parties.

Imagine that you're Cyril Cracker, trying to break into a website.

Scenario #1:
You try entering username "Admin" with password "Password" and the system tells you no-go. The only information you have is that Admin/Password isn't a valid combination.

Scenario #2:
You try entering username "Admin" with password "Password" and the system tells you that no user by that name is known. You can keep trying different usernames until you find one that is known.

Scenario #3: You try entering username "Admin" with password "Password" and the system tells you that the password is invalid. Suddenly, you know that "Admin" is a valid user. You've learnt something useful, and all you need to keep guessing is the password.

Scenario #4: You try entering username "Admin" with password "Password" and the system tells you that the account is blocked. Now, you know a valid username and password, and that the account is blocked. You can come back later and try again.

Systems that spill the beans on what's valid, and what's not, are known as chatty systems, and they're considered insecure for good reason, as they're easier to crack.

Hope this is helpful.
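The answer's point, and the asker's wish to use IsApproved, fit together once the detailed reason is kept server-side: this added example (not code from the original post or from the .NET membership provider) classifies a login attempt in the same order as the provider fragment in the question, writes the full outcome to an audit log where the application can act on IsApproved, and gives the caller only a bool and one fixed message. It assumes .NET 5 or later, a constructed in-memory user store in place of the membership database, and a hypothetical UniformLogin.ValidateUser wrapper.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Detailed outcome: kept for the server-side audit log, never sent to the caller.
enum LoginOutcome { Success, UnknownUser, LockedOut, NotApproved, BadPassword }
sealed record DemoUser(byte[] PasswordHash, bool IsApproved, bool IsLockedOut = false);

static class UniformLogin
{
    // Unsalted SHA-256 keeps the demo short; a real provider stores salted, slow hashes.
    static byte[] Hash(string s) => SHA256.HashData(Encoding.UTF8.GetBytes(s));
    static readonly byte[] DummyHash = Hash("placeholder");
    // Constructed in-memory store standing in for the membership database.
    static readonly Dictionary<string, DemoUser> Users = new(StringComparer.OrdinalIgnoreCase)
    {
        ["alice"] = new DemoUser(Hash("correct horse"), IsApproved: true),
        ["bob"]   = new DemoUser(Hash("hunter2"), IsApproved: false),
        ["carol"] = new DemoUser(Hash("s3cret"), IsApproved: true, IsLockedOut: true),
    };
    // Same check order as the provider fragment in the question: lockout, approval, then password.
    static LoginOutcome Classify(string username, string password)
    {
        if (!Users.TryGetValue(username, out var user))
        {
            // Do one comparison anyway so the unknown-user path takes about as long as the others.
            CryptographicOperations.FixedTimeEquals(Hash(password), DummyHash);
            return LoginOutcome.UnknownUser;
        }
        if (user.IsLockedOut) return LoginOutcome.LockedOut;
        if (!user.IsApproved) return LoginOutcome.NotApproved;
        bool ok = CryptographicOperations.FixedTimeEquals(Hash(password), user.PasswordHash);
        return ok ? LoginOutcome.Success : LoginOutcome.BadPassword;
    }
    // What the caller sees: a bool and one fixed message for every failure, like ValidateUser.
    public static bool ValidateUser(string username, string password, out string message)
    {
        LoginOutcome outcome = Classify(username, password);
        Console.Error.WriteLine($"audit: user={username} outcome={outcome}"); // server log only
        message = outcome == LoginOutcome.Success ? "Signed in." : "Invalid username or password.";
        return outcome == LoginOutcome.Success;
    }
    static void Main()
    {
        foreach (var (u, p) in new[] { ("alice", "correct horse"), ("alice", "wrong"), ("nobody", "x"), ("bob", "hunter2"), ("carol", "s3cret") })
        {
            bool ok = ValidateUser(u, p, out string msg);
            Console.WriteLine($"{u}: {ok} -> {msg}");
        }
    }
}
```

Only alice with the right password gets True; the unknown user, the wrong password, the unapproved account and the locked account all produce the same False and the same message, while stderr records which of the four it was.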
