ASP.NET Membership - Retrieving Password and PasswordSalt from the Membership table - hashing the UserID

Posted 2024-08-31 00:35:36

I am so close to getting this project done. I need to retrieve the password and passwordSalt from my Membership table to compare it to my 'OldPasswords' table.

The problem is the Membership provider does not let me use the GetPassword method because the password is hashed.

And I cannot retrieve it in a normal sqlConnection because the UserID is hashed also.

Does anyone know how to hash the UserID so I can put it in my where clause?

Or maybe there is a different way to get to that data?

Any help is appreciated.

Thank you,

Steve

Comments (2)

卷耳 2024-09-07 00:35:36

Steve, the UserId is not hashed. You may be confusing UserName with UserId (ProviderUserKey) which is a Guid.

In the context of your other questions: You should reference this code in both the code that you use to create a new user in order to log the initial password hash, salt and format AND in the OnPasswordChanging so that you can check/reject/insert.

This will get the relevant information for the currently logged in user:

using System;
using System.Data.SqlClient;
using System.Web.Configuration;
using System.Web.Security;

// Assumes a configured membership provider and a "localSqlServer"
// connection string that points at the aspnet_* tables.
var user = Membership.GetUser();
if (user == null)
{
    throw new InvalidOperationException("No user is currently logged in");
}
var userId = user.ProviderUserKey;   // a Guid (uniqueidentifier), not a hash

MembershipPasswordFormat passwordFormat;
string passwordSalt;
string password;

var cstring = WebConfigurationManager.ConnectionStrings["localSqlServer"];
using (var conn = new SqlConnection(cstring.ConnectionString))
{
    using (var cmd = conn.CreateCommand())
    {
        // Parameterised query: the Guid is bound, never concatenated into the SQL text.
        cmd.CommandText = "select PasswordFormat,PasswordSalt,Password from aspnet_Membership where UserId=@UserId";
        cmd.Parameters.AddWithValue("@UserId", userId);
        conn.Open();
        using (var rdr = cmd.ExecuteReader())
        {
            if (rdr != null && rdr.Read())
            {
                // PasswordFormat: 0 = Clear, 1 = Hashed (default), 2 = Encrypted
                passwordFormat = (MembershipPasswordFormat) rdr.GetInt32(0);
                passwordSalt = rdr.GetString(1);   // base64 salt
                password = rdr.GetString(2);       // base64 hash (for Hashed rows)
            }
            else
            {
                throw new Exception("An unhandled exception of type 'DoesntWorkException' has occurred");
            }
        }
    }
}

//do something interesting here with passwordFormat, passwordSalt, password

不打扰别人 2024-09-07 00:35:36

There seem to be a couple of different things going on here...

  • You cannot recover a hashed password. Period. The purpose of hashing is to prevent exactly this kind of recovery.

  • You can hash the User ID for a lookup if the User ID value is already hashed in the database for some reason (although, that is a little strange, there is no good reason to hash a User ID). But you need to know how it was hashed. If it's MD5 or SHA1, the quickest way is to use FormsAuthentication.HashPasswordForStoringInConfigFile (but use it on the user name instead of the password).

  • The salt should definitely not be hashed, otherwise it's unusable. Salts are appended to the clear-text password before hashing, so whatever value you see in the salt column is the salt.
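
Added example, not part of either answer: once the row from the first answer is in hand, this recomputes the provider's stored value from a candidate password the way SqlMembershipProvider.EncodePassword does for Hashed rows (salt bytes followed by the UTF-16LE password bytes, run through the configured hashAlgorithmType, SHA1 by default, then Base64-encoded), so an OldPasswords entry can be checked without ever recovering the clear text. The class and method names are my own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;

// Added example, not from the answer above: re-creates SqlMembershipProvider.EncodePassword for
// Hashed rows so a candidate password can be checked against a row copied from aspnet_Membership.
public static class PasswordHistoryCheck
{
    // hashAlgorithmName must match the <membership> hashAlgorithmType setting (SHA1 is the default).
    public static string EncodeLikeProvider(string clearText, string base64Salt,
                                            MembershipPasswordFormat format, string hashAlgorithmName)
    {
        switch (format)
        {
            case MembershipPasswordFormat.Clear:
                return clearText;
            case MembershipPasswordFormat.Hashed:
            {
                byte[] salt = Convert.FromBase64String(base64Salt);
                byte[] pwd = Encoding.Unicode.GetBytes(clearText);       // UTF-16LE, as the provider does
                byte[] all = new byte[salt.Length + pwd.Length];
                Buffer.BlockCopy(salt, 0, all, 0, salt.Length);          // salt bytes first...
                Buffer.BlockCopy(pwd, 0, all, salt.Length, pwd.Length);  // ...then the password bytes
                using (HashAlgorithm h = HashAlgorithm.Create(hashAlgorithmName))
                    return Convert.ToBase64String(h.ComputeHash(all));
            }
            default:
                // Format 2 (Encrypted) needs the provider's protected, machineKey-based DecryptPassword.
                throw new NotSupportedException("Encrypted rows cannot be re-encoded outside the provider");
        }
    }

    // True when candidate produces the same stored value as the history row. Constant-time
    // compare so the check does not leak how much of the hash matched.
    public static bool MatchesRow(string candidate, string storedPassword, string storedSalt,
                                  MembershipPasswordFormat format, string hashAlgorithmName)
    {
        byte[] x = Encoding.UTF8.GetBytes(EncodeLikeProvider(candidate, storedSalt, format, hashAlgorithmName));
        byte[] y = Encoding.UTF8.GetBytes(storedPassword);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
```

Call MatchesRow for each OldPasswords row from inside the provider's ValidatingPassword handler (the password-change hook the first answer refers to) and set e.Cancel when any row matches, so the reused password is rejected before it is stored.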
