asp.net“记住我”的cookie

发布时间：2020-12-16 00:08:36 所属栏目：asp.Net 来源：网络整理

导读：我使用这个在asp.net webform中实现了记住我的选项, protected void LBtnSubmit_Click(object sender,EventArgs e) { if (this.ChkRememberme != null this.ChkRememberme.Checked == true) { HttpCookie cookie = new HttpCookie(TxtUserName.Text,TxtPassw

我使用这个在asp.net webform中实现了记住我的选项,

protected void LBtnSubmit_Click(object sender,EventArgs e)
 {
  if (this.ChkRememberme != null && this.ChkRememberme.Checked == true)
  {
     HttpCookie cookie = new HttpCookie(TxtUserName.Text,TxtPassword.Text);
     cookie.Expires.AddYears(1);
     Response.Cookies.Add(cookie);
  }
}

我是以正确的方式做到的吗？任何建议..我正在使用Windows身份验证,我不使用asp.net会员资格..

解决方法

不是直接在cookie中存储用户名和密码,而是在cookie中存储用户名和密码的哈希值以及盐,然后在验证cookie时,检索给定用户名的密码,重新创建哈希值.密码和相同的盐并比较它们.

创建哈希就像将密码和salt值一起存储在字符串中一样简单,将字符串转换为字节数组,计算字节数组的哈希值(使用MD5或您喜欢的任何内容)并将生成的哈希值转换为字符串(可能通过base64编码).

这是一些示例代码：

// Create a hash of the given password and salt.
public string CreateHash(string password,string salt)
{
    // Get a byte array containing the combined password + salt.
    string authDetails = password + salt;
    byte[] authBytes = System.Text.Encoding.ASCII.GetBytes(authDetails);

    // Use MD5 to compute the hash of the byte array,and return the hash as
    // a Base64-encoded string.
    var md5 = new System.Security.Cryptography.MD5CryptoServiceProvider();
    byte[] hashedBytes = md5.ComputeHash(authBytes);
    string hash = Convert.ToBase64String(hashedBytes);

    return hash;
}

// Check to see if the given password and salt hash to the same value
// as the given hash.
public bool IsMatchingHash(string password,string salt,string hash)
{
    // Recompute the hash from the given auth details,and compare it to
    // the hash provided by the cookie.
    return CreateHash(password,salt) == hash;
}

// Create an authentication cookie that stores the username and a hash of
// the password and salt.
public HttpCookie CreateAuthCookie(string username,string password,string salt)
{
    // Create the cookie and set its value to the username and a hash of the
    // password and salt. Use a pipe character as a delimiter so we can
    // separate these two elements later.
    HttpCookie cookie = new HttpCookie("YourSiteCookieNameHere");
    cookie.Value = username + "|" + CreateHash(password,salt);
    return cookie;
}

// Determine whether the given authentication cookie is valid by
// extracting the username,retrieving the saved password,recomputing its
// hash,and comparing the hashes to see if they match. If they match,// then this authentication cookie is valid.
public bool IsValidAuthCookie(HttpCookie cookie,string salt)
{
    // Split the cookie value by the pipe delimiter.
    string[] values = cookie.Value.Split('|');
    if (values.Length != 2) return false;

    // Retrieve the username and hash from the split values.
    string username = values[0];
    string hash = values[1];

    // You'll have to provide your GetPasswordForUser function.
    string password = GetPasswordForUser(username);

    // Check the password and salt against the hash.
    return IsMatchingHash(password,salt,hash);
}

（编辑：李大同）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!