从 SqlMembershipProvider 迁移到自定义提供程序
场景如下:
我使用默认的 SqlMembershipProvider 在网站上实现membershp。现在我想迁移到我的自定义会员资格提供商。 (仅供参考,我使用的提供程序是 CodeFirst 会员提供程序。
问题是,提供商使用自定义加密/哈希算法将密码存储在数据库中,我不想为每个用户生成新密码并将新密码邮寄给他们。
如何在我的提供商中实现默认的会员密码哈希/加密。我使用 Reflector/googled 并尝试了以下代码,这似乎是 SqlMembershipProvider 中的默认实现:
internal static string GenerateSalt()
{
byte[] buf = new byte[16];
(new RNGCryptoServiceProvider()).GetBytes(buf);
return Convert.ToBase64String(buf);
}
internal string EncodePassword(string pass, string salt)
{
byte[] bIn = Encoding.Unicode.GetBytes(pass);
byte[] bSalt = Convert.FromBase64String(salt);
byte[] bAll = new byte[bSalt.Length + bIn.Length];
byte[] bRet = null;
Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);
HashAlgorithm s = HashAlgorithm.Create("SHA1");
bRet = s.ComputeHash(bAll);
return Convert.ToBase64String(bRet);
}
并在我的 ValidateUser 方法中使用了它:
string salt = GenerateSalt();
string pass = EncodePassword(enteredPassword, salt);
bool verificationSucceeded = pass == user.Password;
但是从 EncodePassword 返回的通行证是不同的来自默认 SqlMembershipProvider 在切换到自定义成员资格之前已放入数据库的那个。如何像默认 SqlMembershipProvider 一样实现精确的密码验证/生成?
注意:由于我没有在 web.config 中定义任何 machinekey,我确信默认提供程序使用 Hashed 密码格式,而不是 Encrypted或清除。
谢谢。
Here's the scenario:
I have used default SqlMembershipProvider to implement membershp on a website. Now I'd like to migrate to my custom membership provider. (FYI the provide I use is CodeFirst Membership Provider.
The problem is, the provider uses a custom encryption/hash algorithm to store passwords in db and I don't want to generate new passwords for every user and mail them the new password.
How can I implement default membership password hashing/encryption in my provider. I used reflector/googled and tried the following code which seems to be the default implementation in SqlMembershipProvider:
internal static string GenerateSalt()
{
byte[] buf = new byte[16];
(new RNGCryptoServiceProvider()).GetBytes(buf);
return Convert.ToBase64String(buf);
}
internal string EncodePassword(string pass, string salt)
{
byte[] bIn = Encoding.Unicode.GetBytes(pass);
byte[] bSalt = Convert.FromBase64String(salt);
byte[] bAll = new byte[bSalt.Length + bIn.Length];
byte[] bRet = null;
Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);
HashAlgorithm s = HashAlgorithm.Create("SHA1");
bRet = s.ComputeHash(bAll);
return Convert.ToBase64String(bRet);
}
And used it in my ValidateUser method:
string salt = GenerateSalt();
string pass = EncodePassword(enteredPassword, salt);
bool verificationSucceeded = pass == user.Password;
But the pass returned from EncodePassword is different from the one that the default SqlMembershipProvider has put into database before switching to custom membership. How can I implement the exact password validation/generation like Default SqlMembershipProvider?
Note: since I have not defined any machinekey in my web.config, I'm sure the default provider used Hashed Password Format, not Encrypted or Clear.
Thank you.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
找到解决方案:
在
ValidateUser方法中,我们必须从aspnet_Membership表中获取PasswordSalt,而不是生成它!虚拟问题。 :|
Found the solution:
in
ValidateUsermethod, we have to getPasswordSaltfromaspnet_Membershiptable, not generating it!Dummy question. :|