ASP.NET:跨应用程序的表单身份验证:匹配密码加密设置
我有两个网站,它们都在各自单独的 ASP.NET 身份验证数据库中创建用户。下面是两者的 Web.configs。我还在两个解决方案上使 aspnet_Applications
数据库记录相同。当我创建用户时,加密的密码不相同,密码盐也不相同。
当两个系统具有相同的用户名和密码时,知道如何使两个网站创建相同的密码哈希吗?
<configuration>
<system.web>
<authentication mode="Forms" >
<!-- The name, protection, path, validationKey, validation, decryptionKey,
and decryption attributes must be identical across all applications.
-->
<forms loginUrl="~/Account/Login"
name=".ASPXAUTH"
protection="All"
path="/"
domain="contoso.com"
timeout="2880"
requireSSL="false"
cookieless="UseCookies"
enableCrossAppRedirects="true" />
</authentication>
<!-- Validation and decryption keys must exactly match and cannot
be set to "AutoGenerate". The validation and decryption
algorithms must also be the same. -->
<!-- The validationKey is not wrapped in the solution -->
<!-- These keys are examples -->
<machineKey
validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D940
1E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51
F17C529AD3CABE"
decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
validation="SHA1"
decryption="Auto" />
</system.web>
</configuration>
I have two websites that both create users in their own separate ASP.NET authentication databases. Below is the Web.configs for both. I also made the aspnet_Applications
database records identical on both solutions. When I create a user, the encrypted passwords are not identical, nor are the password salts.
Any idea how to make two websites create the same password hashes when both systems have the same user name and password?
<configuration>
<system.web>
<authentication mode="Forms" >
<!-- The name, protection, path, validationKey, validation, decryptionKey,
and decryption attributes must be identical across all applications.
-->
<forms loginUrl="~/Account/Login"
name=".ASPXAUTH"
protection="All"
path="/"
domain="contoso.com"
timeout="2880"
requireSSL="false"
cookieless="UseCookies"
enableCrossAppRedirects="true" />
</authentication>
<!-- Validation and decryption keys must exactly match and cannot
be set to "AutoGenerate". The validation and decryption
algorithms must also be the same. -->
<!-- The validationKey is not wrapped in the solution -->
<!-- These keys are examples -->
<machineKey
validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D940
1E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51
F17C529AD3CABE"
decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
validation="SHA1"
decryption="Auto" />
</system.web>
</configuration>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
听起来您正在使用的 SqlMembershipProvider 会生成一个随机的 128 位值作为盐。即,当它对用户密码进行哈希处理时,它会包含此值作为安全措施。为了确保两个独立的系统产生相同的哈希值,您需要确保同一用户的 PasswordSalt 列值相同。 MembershipUser 上没有用于设置 PasswordSalt 的属性。这意味着您必须直接转到数据库来设置它,使用此属性构建自定义 MembershipUser 并能够保存它,或者构建提供此功能的自定义类或方法。
The SqlMembershipProvider, which it sounds like you are using, generates a random 128-bit value as the salt. I.e., it includes this value when it hashes the user's password as a security measure. In order to ensure two independent systems produce the same hash, you would need to ensure that the PasswordSalt column value is the same for the same user. There is no property on the MembershipUser for setting the PasswordSalt. That means you either have to go directly to the db to set it, build a custom MembershipUser with this property and the ability to save it or build a custom class or method that provides this ability.