ASP.NET: Forms authentication across applications: matching password encryption settings

Posted 2024-11-05 10:17:57 · Word count 1539 · Views 3 · Comments 0

I have two websites that both create users in their own separate ASP.NET authentication databases. Below are the Web.configs for both. I also made the aspnet_Applications database records identical on both solutions. When I create a user, the encrypted passwords are not identical, nor are the password salts.

Any idea how to make two websites create the same password hashes when both systems have the same user name and password?

<configuration>
  <system.web>
    <authentication mode="Forms" >
      <!-- The name, protection, path, validationKey, validation, decryptionKey,
           and decryption attributes must be identical across all applications. 
      -->
      <forms loginUrl="~/Account/Login"
             name=".ASPXAUTH" 
             protection="All"  
             path="/" 
             domain="contoso.com" 
             timeout="2880"
             requireSSL="false" 
             cookieless="UseCookies" 
             enableCrossAppRedirects="true" />
    </authentication>
    <!-- Validation and decryption keys must exactly match and cannot
         be set to "AutoGenerate". The validation and decryption
         algorithms must also be the same. -->
    <!-- The validationKey is not wrapped in the solution -->
    <!-- These keys are examples -->
    <machineKey
         validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D940
                        1E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51
                        F17C529AD3CABE" 
         decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" 
         validation="SHA1"
         decryption="Auto" />
  </system.web>
</configuration>

Comments (1)

花想c 2024-11-12 10:17:57

The SqlMembershipProvider, which it sounds like you are using, generates a random 128-bit value as the salt. I.e., it includes this value when it hashes the user's password as a security measure. In order to ensure two independent systems produce the same hash, you would need to ensure that the PasswordSalt column value is the same for the same user. There is no property on the MembershipUser for setting the PasswordSalt. That means you either have to go directly to the db to set it, build a custom MembershipUser with this property and the ability to save it or build a custom class or method that provides this ability.
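
Why identical machineKey settings still give different PasswordSalt and Password values, as an added example that is not from the original post or from ASP.NET's own source. It assumes passwordFormat="Hashed" with SHA1, computed as Base64(SHA1(salt bytes + UTF-16LE password bytes)); the class name, method names and sample password are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class MembershipHashDemo // hypothetical name, not a framework type
{
    // Assumed scheme: Base64( SHA1( saltBytes || UTF-16LE(password) ) ).
    static string EncodePassword(string password, string saltBase64)
    {
        byte[] salt = Convert.FromBase64String(saltBase64);
        byte[] pwd = Encoding.Unicode.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (SHA1 sha1 = SHA1.Create())
            return Convert.ToBase64String(sha1.ComputeHash(input));
    }

    // Random 128-bit salt per user, as the answer describes.
    static string GenerateSalt()
    {
        byte[] salt = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return Convert.ToBase64String(salt);
    }

    // Login check: recompute with the stored salt, compare without early exit.
    static bool Verify(string password, string storedSalt, string storedHash)
    {
        byte[] a = Convert.FromBase64String(EncodePassword(password, storedSalt));
        byte[] b = Convert.FromBase64String(storedHash);
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        const string password = "Constructed-Pass1!"; // constructed sample value
        string saltA = GenerateSalt(), hashA = EncodePassword(password, saltA);
        string saltB = GenerateSalt(), hashB = EncodePassword(password, saltB);
        // Same password, independently created users: the stored hashes differ.
        Console.WriteLine("hashes equal across sites: {0}", hashA == hashB);
        // Site B can only validate site A's hash if it also holds site A's salt.
        Console.WriteLine("A's hash with A's salt: {0}", Verify(password, saltA, hashA));
        Console.WriteLine("A's hash with B's salt: {0}", Verify(password, saltB, hashA));
    }
}
```

Under this assumption the stored hash depends only on the password and the per-user salt, so both the PasswordSalt and Password columns have to be carried over together for a user to validate on the second site.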
