asp.net-mvc – ASP.NET MVC 3 application, BCrypt.CheckPassword fails
I'm working on implementing security in an ASP.NET MVC 3 application and am using the BCrypt implementation found here to handle password encryption and verification. The user registration screen encrypts the password the user supplies and saves the hashed password to the database. I'm running into a problem verifying the password on the login page, but I can't seem to figure out why.
My registration controller action contains the following:

```csharp
[HttpPost]
[RequireHttps]
public ActionResult Register(Registration registration)
{
    // Validation logic...
    try
    {
        var user = new User
        {
            Username = registration.Username,
            // The posted password is HTML-decoded before it is hashed.
            Password = Password.Hash(HttpUtility.HtmlDecode(registration.Password)),
            EmailAddress = registration.EmailAddress,
            FirstName = registration.FirstName,
            MiddleInitial = registration.MiddleInitial,
            LastName = registration.LastName,
            DateCreated = DateTime.Now,
            DateModified = DateTime.Now,
            LastLogin = DateTime.Now
        };
        var userId = _repository.CreateUser(user);
    }
    catch (Exception ex)
    {
        ModelState.AddModelError("User", "Error creating user, please try again.");
        return View(registration);
    }
    // Do some other stuff...
}
```

This is Password.Hash:

```csharp
public static string Hash(string password)
{
    // A fresh salt with a work factor of 2^12 is generated for every hash.
    return BCrypt.HashPassword(password, BCrypt.GenerateSalt(12));
}
```

And this is how I handle the login:

```csharp
[HttpPost]
[RequireHttps]
public ActionResult Login(Credentials login)
{
    // Validation logic...
    // The username is HTML-decoded; the password is passed as posted.
    var authorized = _repository.CredentialsAreValid(HttpUtility.HtmlDecode(login.username), login.password);
    if (authorized)
    {
        // log the user in...
    }
    else
    {
        ModelState.AddModelError("AuthFail", "Authentication failed, please try again");
        return View(login);
    }
}
```

CredentialsAreValid contains the call to BCrypt.CheckPassword:

```csharp
public bool CredentialsAreValid(string username, string password)
{
    var user = GetUser(username);
    if (user == null)
        return false;
    return Password.Compare(password, user.Password);
}
```

Password.Compare:

```csharp
public static bool Compare(string password, string hash)
{
    return BCrypt.CheckPassword(password, hash);
}
```

And finally, this is what BCrypt.CheckPassword is doing:

```csharp
public static bool CheckPassword(string plaintext, string hashed)
{
    // The stored hash string doubles as the salt argument for the re-hash.
    return StringComparer.Ordinal.Compare(hashed, HashPassword(plaintext, hashed)) == 0;
}
```

So, yeah... I have no idea what's going on, but what I do know is that the `authorized` boolean in my login controller action always comes back false for some reason. I've used this exact same BCrypt class in at least a couple of other projects in the past and never had any problems. Is ASP.NET MVC 3 doing some strange, different encoding of the posted data that I'm missing or need to handle differently? Either that, or is SQL CE 4 doing it (that's the data store I'm currently using)? Everything in my code seems to be in the order I know it should be, but for some reason the password check fails every time. Anyone have any ideas? Thanks.
Update: here are the code comments included in the BCrypt class, along with examples of how it is used and how it works.

```csharp
/// <summary>BCrypt implements OpenBSD-style Blowfish password hashing
/// using the scheme described in "A Future-Adaptable Password Scheme"
/// by Niels Provos and David Mazieres.</summary>
/// <remarks>
/// <para>This password hashing system tries to thwart offline
/// password cracking using a computationally-intensive hashing
/// algorithm, based on Bruce Schneier's Blowfish cipher. The work
/// factor of the algorithm is parameterized, so it can be increased as
/// computers get faster.</para>
/// <para>To hash a password for the first time, call the
/// <c>HashPassword</c> method with a random salt, like this:</para>
/// <code>
/// string hashed = BCrypt.HashPassword(plainPassword, BCrypt.GenerateSalt());
/// </code>
/// <para>To check whether a plaintext password matches one that has
/// been hashed previously, use the <c>CheckPassword</c> method:</para>
/// <code>
/// if (BCrypt.CheckPassword(candidatePassword, storedHash)) {
///     Console.WriteLine("It matches");
/// } else {
///     Console.WriteLine("It does not match");
/// }
/// </code>
/// <para>The <c>GenerateSalt</c> method takes an optional parameter
/// (logRounds) that determines the computational complexity of the
/// hashing:</para>
/// <code>
/// string strongSalt = BCrypt.GenerateSalt(10);
/// string strongerSalt = BCrypt.GenerateSalt(12);
/// </code>
/// <para>
/// The amount of work increases exponentially (2**log_rounds), so
/// each increment is twice as much work. The default log_rounds is
/// 10, and the valid range is 4 to 31.
/// </para>
/// </remarks>
```

Solution
Forgive me if I'm missing something, but looking at your hash and your model, you don't seem to be storing the salt anywhere; instead you use a new salt each time.
So when the password is set you must store both the hash and the salt; when you want to check an entered password, retrieve the salt, compute the hash with it, and then compare it against the stored password.
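The `CheckPassword` shown in the question passes the stored hash string itself as the salt argument, which works because a bcrypt string carries its version, cost and salt in front of the digest. As an added example, not code from the original question, the answer or the BCrypt class, here is a small diagnostic that parses the stored string and reports why a check fails; it assumes a hashing delegate with the signature of the page's `BCrypt.HashPassword(plaintext, salt)`, a hypothetical `BcryptDiagnostics` class name, and .NET Core 2.1 or later for `CryptographicOperations.FixedTimeEquals`.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

// Parsed view of a bcrypt modular-crypt string: "$2a$12$" + 22 salt chars + 31 digest chars.
public sealed class BcryptHashParts
{
    public string Version;   // "2a" in the hashes produced by the class on this page
    public int LogRounds;    // cost; the work factor is 2^LogRounds
    public string Salt;      // 22 chars of bcrypt's own base64 alphabet, stored inside the hash
    public string Digest;    // 31 chars
}

public static class BcryptDiagnostics
{
    // Version, two-digit cost, 22-char salt and 31-char digest, all in bcrypt's ./A-Za-z0-9 alphabet.
    static readonly Regex Shape =
        new Regex(@"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$");

    // Returns null when the stored value is not a complete bcrypt string (60 chars for "$2a$"),
    // for example when a database column that is too short has truncated it.
    public static BcryptHashParts Parse(string stored)
    {
        if (stored == null) return null;
        var m = Shape.Match(stored);
        if (!m.Success) return null;
        return new BcryptHashParts
        {
            Version = m.Groups[1].Value,
            LogRounds = int.Parse(m.Groups[2].Value),
            Salt = m.Groups[3].Value,
            Digest = m.Groups[4].Value
        };
    }

    // Re-hash the candidate with the stored string as the salt argument (the same call the
    // page's CheckPassword makes) and compare in constant time. hashWithSalt is assumed to be
    // the page's BCrypt.HashPassword(plaintext, salt).
    public static bool Verify(string candidate, string stored,
                              Func<string, string, string> hashWithSalt, out string reason)
    {
        var parts = Parse(stored);
        if (parts == null) { reason = "stored value is not a well-formed bcrypt string"; return false; }
        if (parts.LogRounds < 4 || parts.LogRounds > 31) { reason = "cost outside the valid 4..31 range"; return false; }
        var recomputed = hashWithSalt(candidate, stored);
        bool ok = CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(stored), Encoding.ASCII.GetBytes(recomputed));
        reason = ok ? "match" : "candidate does not match; confirm register and login transform the password identically";
        return ok;
    }
}
```

Called as `BcryptDiagnostics.Verify(login.password, user.Password, BCrypt.HashPassword, out reason)` inside `CredentialsAreValid`, the `reason` string distinguishes a malformed or truncated stored hash from a genuine mismatch.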