当前位置: 文江博客话题详情

asp.net“记住我”曲奇饼

发布于 2024-09-12 00:48:33 字数 448 浏览 8 评论 0原文

我已经使用它在我的 asp.net webform 中实现了“记住我”选项,

protected void LBtnSubmit_Click(object sender, EventArgs e)
 {
  if (this.ChkRememberme != null && this.ChkRememberme.Checked == true)
  {
     HttpCookie cookie = new HttpCookie(TxtUserName.Text, TxtPassword.Text);
     cookie.Expires.AddYears(1);
     Response.Cookies.Add(cookie);
  }
}

我这样做的方式正确吗?任何建议..我正在使用 Windows 身份验证,并且我不使用 asp.net 会员资格..

原文

I have implemented remember me option in my asp.net webform by using this,

protected void LBtnSubmit_Click(object sender, EventArgs e)
 {
  if (this.ChkRememberme != null && this.ChkRememberme.Checked == true)
  {
     HttpCookie cookie = new HttpCookie(TxtUserName.Text, TxtPassword.Text);
     cookie.Expires.AddYears(1);
     Response.Cookies.Add(cookie);
  }
}

Am i doing it the right way? Any suggestion.. I am using windows authentication and i am not using asp.net membership..

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

欢你一世 2024-09-19 00:48:33

不要直接将用户名和密码存储在 cookie 中,而是将用户名和密码的哈希值以及盐存储在 cookie 中,然后当您验证 cookie 时,检索给定用户名的密码,使用密码和相同的盐并进行比较。

创建哈希非常简单,只需将密码和盐值一起存储在字符串中,将字符串转换为字节数组,计算字节数组的哈希(使用 MD5 或您喜欢的任何内容)并将生成的哈希转换为字符串(可能通过base64编码)。

这是一些示例代码:

// Create a hash of the given password and salt.
public string CreateHash(string password, string salt)
{
    // Get a byte array containing the combined password + salt.
    string authDetails = password + salt;
    byte[] authBytes = System.Text.Encoding.ASCII.GetBytes(authDetails);

    // Use MD5 to compute the hash of the byte array, and return the hash as
    // a Base64-encoded string.
    var md5 = new System.Security.Cryptography.MD5CryptoServiceProvider();
    byte[] hashedBytes = md5.ComputeHash(authBytes);
    string hash = Convert.ToBase64String(hashedBytes);

    return hash;
}

// Check to see if the given password and salt hash to the same value
// as the given hash.
public bool IsMatchingHash(string password, string salt, string hash)
{
    // Recompute the hash from the given auth details, and compare it to
    // the hash provided by the cookie.
    return CreateHash(password, salt) == hash;
}

// Create an authentication cookie that stores the username and a hash of
// the password and salt.
public HttpCookie CreateAuthCookie(string username, string password, string salt)
{
    // Create the cookie and set its value to the username and a hash of the
    // password and salt. Use a pipe character as a delimiter so we can
    // separate these two elements later.
    HttpCookie cookie = new HttpCookie("YourSiteCookieNameHere");
    cookie.Value = username + "|" + CreateHash(password, salt);
    return cookie;
}

// Determine whether the given authentication cookie is valid by
// extracting the username, retrieving the saved password, recomputing its
// hash, and comparing the hashes to see if they match. If they match,
// then this authentication cookie is valid.
public bool IsValidAuthCookie(HttpCookie cookie, string salt)
{
    // Split the cookie value by the pipe delimiter.
    string[] values = cookie.Value.Split('|');
    if (values.Length != 2) return false;

    // Retrieve the username and hash from the split values.
    string username = values[0];
    string hash = values[1];

    // You'll have to provide your GetPasswordForUser function.
    string password = GetPasswordForUser(username);

    // Check the password and salt against the hash.
    return IsMatchingHash(password, salt, hash);
}

Rather than directly storing the username and password in the cookie, store the username and a hash of the password and a salt in the cookie, then when you authenticate the cookie, retrieve the password for the given username, re-create the hash with the password and the same salt and compare them.

Creating the hash is as simple as storing the password and salt values together in a string, converting the string to a byte array, computing the hash of the byte array (using MD5 or whatever you prefer) and converting the resulting hash to a string (probably via base64 encoding).

Here's some example code:

// Create a hash of the given password and salt.
public string CreateHash(string password, string salt)
{
    // Get a byte array containing the combined password + salt.
    string authDetails = password + salt;
    byte[] authBytes = System.Text.Encoding.ASCII.GetBytes(authDetails);

    // Use MD5 to compute the hash of the byte array, and return the hash as
    // a Base64-encoded string.
    var md5 = new System.Security.Cryptography.MD5CryptoServiceProvider();
    byte[] hashedBytes = md5.ComputeHash(authBytes);
    string hash = Convert.ToBase64String(hashedBytes);

    return hash;
}

// Check to see if the given password and salt hash to the same value
// as the given hash.
public bool IsMatchingHash(string password, string salt, string hash)
{
    // Recompute the hash from the given auth details, and compare it to
    // the hash provided by the cookie.
    return CreateHash(password, salt) == hash;
}

// Create an authentication cookie that stores the username and a hash of
// the password and salt.
public HttpCookie CreateAuthCookie(string username, string password, string salt)
{
    // Create the cookie and set its value to the username and a hash of the
    // password and salt. Use a pipe character as a delimiter so we can
    // separate these two elements later.
    HttpCookie cookie = new HttpCookie("YourSiteCookieNameHere");
    cookie.Value = username + "|" + CreateHash(password, salt);
    return cookie;
}

// Determine whether the given authentication cookie is valid by
// extracting the username, retrieving the saved password, recomputing its
// hash, and comparing the hashes to see if they match. If they match,
// then this authentication cookie is valid.
public bool IsValidAuthCookie(HttpCookie cookie, string salt)
{
    // Split the cookie value by the pipe delimiter.
    string[] values = cookie.Value.Split('|');
    if (values.Length != 2) return false;

    // Retrieve the username and hash from the split values.
    string username = values[0];
    string hash = values[1];

    // You'll have to provide your GetPasswordForUser function.
    string password = GetPasswordForUser(username);

    // Check the password and salt against the hash.
    return IsMatchingHash(password, salt, hash);
}
回复 原文
或十年 2024-09-19 00:48:33

我不会将用户密码存储在 cookie 中...而是将用户 ID 和 IP 地址存储在 cookie 中。

I would not store the users password in a cookie... Rather store the user id and the ip address in the cookie.

回复 原文
只想待在家 2024-09-19 00:48:33

我不会将 ip / 用户 ID 存储在 cookie 中。会话劫持将非常容易,我的意思是我知道我同事的用户名/IP,我可以将该 cookie 添加到我的消息中,然后我可以处理我同事的会话。

I would not store the ip / user id in the cookie. Session highjacking would then be really easy, I mean I know the username / ip of my collegues, I could add that cookie to my message and then I can work on the session of my collegue.

回复 原文
~没有更多了~

关于作者

-小熊_

暂无简介

0 文章
0 评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

離殇

文章 0 评论 0

小姐丶请自重

文章 0 评论 0

Aik

文章 0 评论 0

国产ˉ祖宗

文章 0 评论 0

猥琐帝

文章 0 评论 0

半仙

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文