ASP.NET 会员资格
我想在以下(低安全性)场景中使用 ASP.NET 会员资格提供程序...
我的公司将代表我们的客户创建和管理用户帐户。这些帐户可能会在客户公司的多个人员之间共享(这是一个问题吗?)。
将有 2 种类型的用户(2 个角色):客户端和管理员。管理员是我公司内拥有创建客户用户帐户等特殊权限的人员。
客户无法能够自行注册。他们也无法选择自己的密码,也不应该更改自己的密码,因为这只会在几个人共享同一帐户的情况下造成混乱。
我的内部用户(管理员)将为每个客户设置密码。这是我正在努力解决的问题:如果客户打电话并要求提醒他们的密码,我的管理员用户如何才能找到密码是什么? 我可以将提供程序配置为以明文(或其他可恢复形式)存储密码吗?如果可以,我可以通过 .NET API 获取密码吗?
正如我一开始所说的,这是一个低安全性的应用程序,因此我计划只是在(内部)网页中显示密码,其中我有所有用户的列表。
I'd like to use the ASP.NET membership provider in the following (low-security) scenario...
My company will create and administer user accounts on behalf of our clients. These accounts will likely be shared amongst several people in the client company (is that a problem?).
There will be 2 types of users (2 roles): client and administrator. Administrators are the people within my company that will have special privileges to create client user accounts, etc.
Clients will not be able to self-register. They also won't get to choose their own password, and they should not be able to change their password either, since that will just create confusion where several people are sharing the same account.
My internal users (admins) will set the password for each client. Here's the bit I'm struggling with: if a client phones up and asks to be reminded of their password, how can my admin users find out what the password is? Can I configure the provider to store the password in clear text (or other recoverable form), and if so can I get at the password through the .NET API?
As I said at the outset, this is a low-security application, and so I plan simply to show the password in the (internal) web page where I have a list of all users.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
以下是如何执行此操作的示例:
passwordFormat
指定密码格式。 SQL Server 成员身份提供程序支持明文、加密和散列密码格式。明文密码以纯文本形式存储,这可以提高密码存储和检索的性能,但安全性较低,因为如果您的 SQL Server 数据库受到威胁,密码很容易被读取。加密密码在存储时会被加密,并且可以解密以进行密码比较或密码检索。这需要对密码存储和检索进行额外的处理,但更安全,因为如果 SQL Server 数据库遭到破坏,密码就不容易被破译。哈希密码在存储在数据库中时使用单向哈希算法和随机生成的盐值进行哈希处理。验证密码时,会使用数据库中的盐值对其进行哈希处理以进行验证。无法检索哈希密码。
Here is an example of how to do this:
passwordFormat
Specifies the password format. The SQL Server membership provider supports Clear, Encrypted, and Hashed password formats. Clear passwords are stored in plain text, which improves the performance of password storage and retrieval, but is less secure because passwords are easily read if your SQL Server database is compromised. Encrypted passwords are encrypted when stored and can be decrypted for password comparison or password retrieval. This requires additional processing for password storage and retrieval, but is more secure because passwords are not easily deciphered if the SQL Server database is compromised. Hashed passwords are hashed using a one-way hash algorithm and a randomly generated salt value when stored in the database. When a password is validated, it is hashed with the salt value in the database for verification. Hashed passwords cannot be retrieved.
尽管安全性较低,但最好不要以明文形式存储密码。由于您希望它可恢复,因此您应该查看加密密码。通过加密,可以使用正确的密钥将其恢复为原始形式。请查看此处的“成员身份”部分
Even though it's low security, it's best not to store the password in plain-text. Since you want it to be recoverable, you should look at Encrypting the passwords. By encrypting, it can be reversed back to it's original form with the correct key. Have a look at the Membership section here