如何根据 ASP.NET 成员资格数据库手动验证用户?
我想知道如何根据现有的 asp.net 会员数据库验证用户的凭据。简而言之,我们希望提供单点登录访问。
所以我所做的就是直接连接到会员数据库并尝试对 aspnet_Membership 表运行 sql 查询:
private bool CanLogin(string userName, string password)
{
// Check DB to see if the credential is correct
try
{
string passwordHash = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");
string sql = string.Format("select 1 from aspnet_Users a inner join aspnet_Membership b on a.UserId = b.UserId and a.applicationid = b.applicationid where a.username = '{0}' and b.password='{1}'", userName.ToLowerInvariant(), passwordHash);
using (SqlConnection sqlConn = new SqlConnection(ConfigurationManager.ConnectionStrings["LocalSqlServer"].ConnectionString))
using (SqlCommand sqlCmd = new SqlCommand(sql, sqlConn))
{
sqlConn.Open();
int count = sqlCmd.ExecuteNonQuery();
return count == 1;
}
}
catch (Exception ex)
{
return false;
}
}
问题是密码值,有谁知道密码是如何散列的吗?
I would like to know how I can verify a user's credential against an existing asp.net membership database. The short story is that we want provide single sign on access.
So what I've done is to connect directly to the membership database and tried to run a sql query against the aspnet_Membership table:
private bool CanLogin(string userName, string password)
{
// Check DB to see if the credential is correct
try
{
string passwordHash = FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");
string sql = string.Format("select 1 from aspnet_Users a inner join aspnet_Membership b on a.UserId = b.UserId and a.applicationid = b.applicationid where a.username = '{0}' and b.password='{1}'", userName.ToLowerInvariant(), passwordHash);
using (SqlConnection sqlConn = new SqlConnection(ConfigurationManager.ConnectionStrings["LocalSqlServer"].ConnectionString))
using (SqlCommand sqlCmd = new SqlCommand(sql, sqlConn))
{
sqlConn.Open();
int count = sqlCmd.ExecuteNonQuery();
return count == 1;
}
}
catch (Exception ex)
{
return false;
}
}
The problem is the password value, does anyone know how the password it is hashed?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
如果您在同一 IIS 服务器上有两个 ASP.NET 应用程序,则可以像这样进行 SSO。我问了这个问题并自己回答了。
此处
两个应用程序都指向您的 asp_membership 后通过将以下内容放置在 Web 配置的 system.web 部分中,
确保两者具有相同的 applicationname 属性集。
我使用的是 IIS 6,因此我将其配置为自动为这两个应用程序生成计算机密钥。由于这两个应用程序都位于同一台计算机上,因此密钥是相同的,这是使 SSO 正常工作的关键部分。设置 IIS 后,以下内容被添加到我的 web.config 中,
这就是全部内容。完成后,我可以登录 app1,然后浏览到 app2 并保留我的安全凭证。
if you have two asp.net apps on the same IIS server, you can do SSO like this. I asked this question and answered it myself.
here
Once you have both apps pointing at your asp_membership database by placing the following in the system.web section of your web config
make sure both have the same applicationname property set.
I was using IIS 6 so I configured it to autogenerate a machine key for both applications. Because both of these applications live on the same machine the key would be identical, this is the critical part to making the SSO work. After setting up IIS the following was added to my web.config
That was all there was to it. Once that was done I could log into app1 and then browse to app2 and keep my security credentials.
是的 - 你知道!检查您的 web.config 文件是否有类似以下内容:
PasswordFormat就是您要查找的内容。它可以具有以下三个值:ClearEncryptedHashed并且,Microsoft 将默认值设置为
Hashed<代码>密码格式。Yes - you do! Check your web.config file for something like this:
The
PasswordFormatis what you are looking for. It can have the following three values:ClearEncryptedHashedAnd, Microsoft sets the default value to
HashedforPasswordFormat.为什么不通过
System.Web.Security.Membership.ValidateUser()?Why don't check it automatically via
System.Web.Security.Membership.ValidateUser()?