存储窗体身份验证cookie密码 - ASP.NET和WCF电话 [英] Storing password in forms authentication cookie - ASP.NET and WCF calls
问题描述
对于我的web应用程序的安全性我使用FormsAuthentication /的MembershipProvider与非持续性的cookie。
For my web app security I'm using FormsAuthentication / MembershipProvider with a non persistant cookie.
我的应用程序的一些Web服务交互,这些还可以使用会员提供商。
My application interacts with some web services, these also use the Membership providers.
用户密码散列在数据库中。
User passwords are hashed in the database.
问题是登录到应用程序的人员Web服务需要使用自己的用户名和密码,每次页面加载时间Web服务进行身份验证。但因为它是散列一旦用户已经登录在其密码不retreivable
The problem is the person logged into application the web service needs to authenticate with the web service using his username and password every time a page is loaded. BUT once the user has logged in his password is not retreivable as it is hashed.
我在想,如果密码可以被存储在securley身份验证Cookie,以便用户可以与Web服务的身份验证。
或者一个更好的主意!
编辑
我喜欢JOHNS IDEA以下,但有4个评论的力学,我希望解决才去这条路线...
EDIT I LIKE JOHNS IDEA BELOW BUT HAVE 4 COMMENTS ON THE MECHANICS THAT I WANT TO RESOLVE BEFORE GOING DOWN THAT ROUTE...
推荐答案
我同意@约翰的回答,使用一次性令牌是不是存储凭据更好。
I agree with @John's answer that using throwaway token is better than storing the credentials.
有关令牌你可能会产生一些随机的GUID,并将其存储在数据库中。
For the token you could generate some random GUIDs and store it in the database.
由于不需要你的ASP.NET应用程序和WCF服务之间的协调替代方案,您可以发送签名的文档令牌。
As an alternative that does not require coordination between your ASP.NET application and the WCF service, you could send a signed document as token.
- 创建一个XML或JSON文件已签署的时间,用户名和签名者的名字(ASP.NET应用程序)。
- 生成上述文件的哈希值。
- 登入使用非对称加密(使用私钥)的哈希值。
所有WCF所要做的就是验证哈希和签名。因此,这不涉及击中相同的数据库。使用签名的时间,可以在固定时间到期令牌。
All WCF has to do is validate the hash and the signature. So this does not involve hitting the same database. Using the signed time, you can expire the token in fixed time.
修改:这个想法是基于公钥加密(也被称为非对称密钥算法,公共/私人密钥)。如果您加密与私钥东西,你可以回去只能使用对应的公钥进行解密;如果你使用公钥加密的东西,你可以将其解密只能使用相应的私钥。请参见实现RSA在C#中为code会是什么样子在C#。这是为什么有用吗?因为我们可以用它来实现数字签名。数字签名是一种方式来证明我只有我写的东西,并没有其他人。
Edit: The idea is based on public-key cryptography (also known as asymmetric key algorithm, public/private key). If you encrypt something with a private key you can decrypt it back only using the corresponding public key; and if you encrypt something with a public key you can decrypt it only using the corresponding private key. See Implementing RSA in C# for how code would look like in C#. Why is this useful? Because we can use this to implement digital signatures. A digital signature is a way to prove that I and only I wrote something, and no one else.
继上述步骤产生一个签名。首先,您需要定义的规范形式,让这家伙的文件。通常一个非对称密钥算法不能处理的过大投入,所以你生成一个散列出来,并且使用ASP.NET应用程序的私有密钥加密哈希值。将得到的签名只能使用你的应用程序的公共密钥进行解密。最后,你可以打包所有三个组成部分(原件,哈希和签名)到像XML或JSON格式的一些并把它作为记号。
Following the above mentioned step generates a signature. You first need to define a canonical form of "let this guy in" document. Usually an asymmetric key algorithm can't handle too big input, so you generate a hash out of it, and you encrypt the hash using your ASP.NET application's private key. The resulting signature can only be decrypted using you application's public key. Finally you can package all three components (original document, hash, and signature) into some format like XML or JSON and send it as token.
作为一个例子,假设你使用JSON格式的一切。首先,原来的让这个家伙在文件
As an example, let's say you use JSON format for everything. First, the original "let this guy in document":
{"UserName":"Foo","SignedTime":"2009-07-09T00:00:00","Signer":"ASP.NET APP1"}
接下来,生成上面的字符串,这是一个SHA-1散列字节[] 和连接$ C $用的modified Base64编码或东西,这看起来是这样的:
Next, you generate a SHA-1 hash of the above string, which is byte[] and encode it with modified Base64 encoding or something, which would look something like:
b2YgYW55IGNhcm5hbCBwbGVhc3VyZS4
以上是假的字符串,实际的东西可能看起来更长。然后你把哈希字节[] 和使用RSA,生成加密它的另一个字节[] 这样的连接code太改良Base64的:
The above is bogus string, the actual stuff may look longer. You then take the hash byte[] and encrypt it using RSA, which generates another byte[] so encode that too with modified Base64:
mxlIGdlbmVyYXRpb24gb2Yga25vd2xfo34
最后,你再拍JSON文件来存储所有以上。
Finally, you make another JSON document to store all the above.
{"UserName":"Foo","SignedTime":"2009-07-09T00:00:00","Signer":"ASP.NET APP1","Hash":"b2YgYW55IGNhcm5hbCBwbGVhc3VyZS4","Signature":"mxlIGdlbmVyYXRpb24gb2Yga25vd2xfo34"}
最后JSON文件成为你的密码的令牌。它传递给WCF服务。
WCF服务取令牌,通过消除散列和签名构造原始文档:
The final JSON document becomes your passwordless token. Pass it to WCF service. The WCF service takes the token, construct the original document by removing the hash and signature:
{"UserName":"Foo","SignedTime":"2009-07-09T00:00:00","Signer":"ASP.NET APP1"}
按照相同的算法来生成散列并验证它是相同的。使用ASP.NET应用程序的公钥对签名进行解密,看看它是否成为哈希值。此时,该文件被验证为由签名者签名。检查当前时间和签名的时间,看看令牌仍然有效。所有你需要的是分配之间的两个code碱基公共密钥的一种方式,它可以从XML加载。
Follow the same algorithm to generate the hash and verify it's the same. Decrypt the Signature using the public key of the ASP.NET app and see if it becomes the hash. At this point, the document is verified to be signed by the signer. Check the current time and the signed time and see if the token is still valid. All you need is a way to distribute public keys between two code base, which could be loaded from XML.
这篇关于存储窗体身份验证cookie密码 - ASP.NET和WCF电话的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
