通过认证的web.config在ASP.net 3.5未认证 [英] Authentication through web.config not authenticating in ASP.net 3.5

问题描述

这是这个东西，应该是非常简单，我只是不明白为什么它不工作之一。

This is one of this things that should be extremely simple and I just can't work out why it's not working.

我想建立一个ASP.net 3.5应用中的一些非常快的认证，但存储在web.config文件中的用户名和密码（我知道这是不是很安全，但它是一个内部应用程序，我一直在问添加和删​​除登录的，所以这是做）的最快方式。

I'm trying to set up some very quick authentication for an ASP.net 3.5 app but storing the usernames and passwords in the web.config file (I know it's not very secure but it's an internal app that I keep getting asked to add and remove logins for so this is the quickest way to do it).

那么，相关的配置部分看起来是这样的：

So, the relevant config section looks like this:

<authentication mode="Forms">
   <forms loginUrl="~/login.aspx">
    <credentials>
     <user name="user" password="password" />
     <user name="user2" password="password2" />
    </credentials>
   </forms>
  </authentication>

  <authorization>
    <deny users="?"/>
  </authorization>

和，在登录页面中，code是这样的：

And, in the login page, the code look like this:

string username = tbUsername.Text;
string password = tbPassword.Text;

if (FormsAuthentication.Authenticate(username, password))
    FormsAuthentication.RedirectFromLoginPage(username, false);

不过，FormsAuthentication.Authenticate（用户名，密码）始终返回false。我想不通为什么。

But, FormsAuthentication.Authenticate(username, password) always returns false. And I can't figure out why.

我甚至使用Membership.ValidateUser尝试，但只是在本地数据库到App_Data文件夹补充说。

I even tried using Membership.ValidateUser but that just adds in a local database to the App_Data folder.

有什么真正的基本我忘了这里还是这难道不是在.NET 3.5在所有的工作？

Is there something really basic I'm forgetting here or does this not work at all in .net 3.5?

推荐答案

我不知道，如果这已经改变了.NET 3.5，但＆LT;凭证＆GT; 元素定义在的web.config 密码的格式属性了passwordFormat 。从 MSDN文档.NET 3.5 ，默认格式是SHA1

I'm not sure if this has changed in .NET 3.5, but the <credentials> element has an attribute passwordFormat that defines the format for passwords in the web.config. From the MSDN documentation for .NET 3.5, the default format is SHA1.

如果您正在使用明文用户名和密码在你的的web.config ，你应该使用：

If you're using cleartext usernames and passwords in your web.config, you should use:

...
<credentials passwordFormat="Clear">
...

事件，虽然这是一个内部应用程序我还是建议至少散列密码，而不是把它留在明文的。

Event though this is an internal application I'd still recommend at least hashing the password instead of leaving it in clear text.

这篇关于通过认证的web.config在ASP.net 3.5未认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！