尽管有 MSDN 解决方法,散列在 .Net 4.0 中不再起作用
我有一个正在生产中的现有应用程序,它使用 SqlMembershipProvider 并具有指定的计算机密钥:
<machineKey validationKey="..." decryptionKey="..."
validation="SHA1" decryption="AES"/>
它当前在 .Net 2.0 AppPool 下运行。
我正在编写一个必须使用现有数据库的新应用程序,我有一个备份。我正在尝试让 SqlMembershipProvider 与它一起工作(它确实如此),但我无法让已知的用户名/密码工作。该帐户在产品中工作,密码哈希和盐在两个数据库(产品和我的)上都是相同的。但是,当 SqlMembershipProvider 将数据库中的密码与输入的哈希密码进行比较时,它们并不相同。
本文建议对 .Net 4.0 中 ASP.Net 中的默认哈希算法进行重大更改: http://www.asp.net/learn/whitepapers/aspnet4/writing-更改
但是我已经按照建议指定了机器密钥。此外,我已经删除了 .Net 4.0 组件并将其降回 3.5(即 CLR 2),并且输入密码的哈希值仍然相同。
此外,我尝试将这个新的临时应用程序重新部署到同一服务器生产中,但它仍然无法登录(尽管我无法验证它是否由于密码哈希不匹配而失败)。
我在这里还能尝试什么?
I have an existing app in production that uses SqlMembershipProvider and has a specified machine key:
<machineKey validationKey="..." decryptionKey="..."
validation="SHA1" decryption="AES"/>
It runs under .Net 2.0 AppPool currently.
I'm writing a new application that has to use the existing database, which I have a backup of. I'm trying to get SqlMembershipProvider working with it (which it does) but I can't get a known username/password working. This account works in prod, and the password hash and salt are the same on both databases (prod and mine). However at the point where the SqlMembershipProvider compares the password from the database with the hashed password entered, they aren't the same.
This article suggests breaking changes with the default hashing algorithm in ASP.Net in .Net 4.0:
http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes
However I am already specifying a machine key as suggested. Further, I've stripped out the .Net 4.0 components and dropped it back to 3.5 (which is CLR 2) and the hash of the entered password is still the same.
Furthermore, I tried redeploying this new temporary app to the same server production is on, and it still fails to login (although I can't verify if it fails due to password hash mismatch).
What else can I try here?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
首先将生产应用程序复制到开发/测试并在那里运行以查看它是否按预期工作。
如果是这样,请继续升级项目以在 .NET 4.0 下运行,但不要修改任何其他代码(即不要尝试使其与 SQLMembershipProvider 一起使用) - 重新测试应用程序
如果有效,您就知道这不是环境问题,也不是 .NET 重大更改问题,这将表明您的代码中的某些内容未按您期望的方式工作。我的猜测是,您在新应用程序中使用的哈希算法与旧应用程序中使用的算法不同。您是否在旧应用程序中对密码进行了加盐处理?您在新应用程序中使用相同的盐吗?
First copy the production app to dev/test and run it there to see if it works as expected.
If it does, proceed to upgrade the project to run under .NET 4.0, but do not modify any other code (ie. don't try to make it work with SQLMembershipProvider) - retest the application
If that works, you know it's not an environment issue, and it's not a .NET breaking change issue, which would point to something in your code not working as you expect it should work. My guess is that the hashing algorithm you're using in the new application is different from the one being used in the old application. Were you salting the password in the old application? Are you using the same salt in the new application?
您需要在 web.config 中指定成员资格提供程序的 hashAlgorithmType,因为默认值已随 .net 4 更改。
您想要的值很可能是 SHA1。
请参阅以下页面了解更多详细信息: http://geekswithblogs.net/DavidHoerster/archive/2010/06/15/asp.net-membership-password-hash----.net-3.5 -to-.net-4.aspx
You need to specify the hashAlgorithmType of the membership provider in the web.config as the default has changed with .net 4.
The value that you want is most likely SHA1.
Please see the following page for more details: http://geekswithblogs.net/DavidHoerster/archive/2010/06/15/asp.net-membership-password-hash----.net-3.5-to-.net-4.aspx