ASP.NET成员ChangePassword控件 - 需要检查以前的密码 [英] ASP.NET Membership ChangePassword control - Need to check for previous password
问题描述
我有一个持有旧密码,我需要检查是否有匹配的新表。
如果有匹配我需要的ChangePassword控逆变为NOT更改密码。我要告诉大家,在使用该密码的用户和PIC一个新的。
我似乎无法能够打断更改密码的控制。
也许我使用了错误的事件。
下面是一段我的代码,或者我多么希望这是可行的。
我感谢你的帮助。
保护无效ChangePassword1_ChangedPassword(对象发件人,EventArgs五)
{
用户的MembershipUser = Membership.GetUser();
串usrName =;
如果(用户!= NULL)
{
串connStr = ConfigurationManager.ConnectionStrings [LocalSqlServer这个]的ConnectionString。
的SqlConnection的MySqlConnection =新的SqlConnection(connStr);
的SqlCommand的MySqlCommand = mySqlConnection.CreateCommand();
mySqlCommand.CommandText =选择从OldPasswords其中UserName ='测试'用户名;
mySqlConnection.Open();
SqlDataReader的了MySqlDataReader = mySqlCommand.ExecuteReader(CommandBehavior.Default);
,而(mySqlDataReader.Read())
{
usrName = MySqlDataReader将[用户名]的ToString()。
如果(usrName == user.ToString())
{
Label1.Text =匹配;
}
,否则
{
Label1.Text =!不匹配;
}
}
您正在覆盖错误的方法,史蒂夫。你想重写撤销 ChangingPassword
试试这个:
保护无效ChangePassword1_ChangingPassword(对象发件人,LoginCancelEventArgs E)
{
//做你的查找在这里,
布尔passwordHasBeenPreviouslyUsed = TRUE;
如果(passwordHasBeenPreviouslyUsed)
{
e.Cancel = TRUE;
//通知错误
的回报;
}
}
和,按以前的Q /一个会议,你永远也不会 EVER 存储用户的密码 1 。转至成员关系表,并得到了盐和使用散列传入的密码比较已存储在您的查找表已经盐哈希值。
好。运气
(1) - 如何站得住脚当CEO发现他的密码已被存储在一个可利用的形式将你的立场是什么?有给黑魔导士是我们的信任水平和信任拿它自己的风险。要知道他们。 ; - )
修改
一个工作示例:
为ChangePassword.aspx
<%@页面语言=C#%> ;
<%@导入命名空间=System.Diagnostics程序%>
<脚本=服务器>
保护无效的Page_Load(对象发件人,EventArgs五)
{
}
保护无效ChangePassword1_ChangingPassword(对象发件人,LoginCancelEventArgs E)
{
//对我的作品!
Debugger.Break();
}
< / SCRIPT>
< DOCTYPE HTML PUBLIC - // W3C // DTD XHTML 1.0过渡// ENhttp://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional! DTD>
< HTML的xmlns =http://www.w3.org/1999/xhtml>
<头=服务器>
<标题>< /标题>
< /头>
<身体GT;
<表ID =form1的=服务器>
< DIV>
< ASP:的ChangePassword ID =ChangePassword1=服务器OnChangingPassword =ChangePassword1_ChangingPassword>
< / ASP:&的ChangePassword GT;
< / DIV>
< /表及GT;
< /身体GT;
< / HTML>
更新:
。您还可能有兴趣在简单地定义在较高的范围处理程序,将观看所有密码活动:
考虑这个
创建用户时,公共无效SetupPasswordActionHook()
{
//发生时,密码被更改或密码重置。
Membership.ValidatingPassword + = Membership_ValidatingPassword;
}
无效Membership_ValidatingPassword(对象发件人,ValidatePasswordEventArgs E)
{
//获取一个值,该值指示是否System.Web.Security。 MembershipProvider.ValidatingPassword事件期间
被提出//调用到System.Web.Security.MembershipProvider.CreateUser()方法。
//真要是到
// System.Web.Security.MembershipProvider.CreateUser()方法的调用过程中被提出的System.Web.Security.MembershipProvider.ValidatingPassword事件;否则为false。
布尔isNewUser = e.IsNewUser;
//当前创建用户获取密码,更改密码或重置密码操作。
//将当前创建用户的密码,更改密码或重置密码操作。
字符串密码= e.Password;
//获取会员资格的用户的名称为当前创建用户,改变密码,或重置口令的动作。
//将当前创建用户的会员用户名,更改密码或重置密码操作。
串的用户名= e.UserName;
//获取或设置一个值,该值指示当前创建用户是否更改密码或重置密码操作将被取消。
//如果当前创建用户,更改密码或重置密码操作将被取消;否则为false。默认为false。
e.Cancel = TRUE;
//获取或设置一个描述密码验证失败原因的异常。
//描述的密码验证失败原因的System.Exception的。
e.FailureInformation =新的异常(这就是为什么我没有你的密码);
}
I have a new table that hold old passwords, I need to check if there is a match.
If there is a match I need the ChangePassword contol to NOT change the password. I need to tell the user that this password was used and pic a new one.
I can't seem to be able to interrupt the control from changing the password. Maybe I am using the wrong event.
Here is a piece of my code, or how I wish it would work. I appreciate all your help.
protected void ChangePassword1_ChangedPassword(object sender, EventArgs e)
{
MembershipUser user = Membership.GetUser();
string usrName = "";
if (user != null)
{
string connStr = ConfigurationManager.ConnectionStrings["LocalSqlServer"].ConnectionString;
SqlConnection mySqlConnection = new SqlConnection(connStr);
SqlCommand mySqlCommand = mySqlConnection.CreateCommand();
mySqlCommand.CommandText = "Select UserName from OldPasswords where UserName = 'test'";
mySqlConnection.Open();
SqlDataReader mySqlDataReader = mySqlCommand.ExecuteReader(CommandBehavior.Default);
while (mySqlDataReader.Read())
{
usrName = mySqlDataReader["UserName"].ToString();
if (usrName == user.ToString())
{
Label1.Text = "Match";
}
else
{
Label1.Text = "NO Match!";
}
}
You are overriding the wrong method, Steve. You want to override the cancellable ChangingPassword.
Try this:
protected void ChangePassword1_ChangingPassword(object sender, LoginCancelEventArgs e)
{
// do your lookup here,
bool passwordHasBeenPreviouslyUsed = true;
if (passwordHasBeenPreviouslyUsed)
{
e.Cancel = true;
// notify of error
return;
}
}
And, as per previous Q/A sessions, You should NEVER EVER EVER store a user's password1. Go to the membership table and get the salt and use that to hash the incoming password to compare to the already salt-hashed values you have stored in your lookup table.
Good luck.
(1) - how tenable would your position be when the CEO finds out that his password has been stored in an exploitable format? There is a level of trust given to the black mages that are us and that trust carries it's own risks. Be aware of them. ;-)
EDIT:
A working example:
ChangePassword.aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics"%>
<script runat="server">
protected void Page_Load(object sender, EventArgs e)
{
}
protected void ChangePassword1_ChangingPassword(object sender, LoginCancelEventArgs e)
{
// works for me!
Debugger.Break();
}
</script>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:ChangePassword ID="ChangePassword1" runat="server" OnChangingPassword="ChangePassword1_ChangingPassword">
</asp:ChangePassword>
</div>
</form>
</body>
</html>
Update: You may also be interested in simply defining a handler in a higher scope that will watch all password activity:
consider this
public void SetupPasswordActionHook()
{
//Occurs when a user is created, a password is changed, or a password is reset.
Membership.ValidatingPassword += Membership_ValidatingPassword;
}
void Membership_ValidatingPassword(object sender, ValidatePasswordEventArgs e)
{
// Gets a value that indicates whether the System.Web.Security.MembershipProvider.ValidatingPassword event is being raised during a
// call to the System.Web.Security.MembershipProvider.CreateUser() method.
// true if the System.Web.Security.MembershipProvider.ValidatingPassword event is being raised during a call to the
// System.Web.Security.MembershipProvider.CreateUser() method; otherwise, false.
bool isNewUser = e.IsNewUser;
// Gets the password for the current create-user, change-password, or reset-password action.
// The password for the current create-user, change-password, or reset-password action.
string password = e.Password;
// Gets the name of the membership user for the current create-user, change-password, or reset-password action.
// The name of the membership user for the current create-user, change-password, or reset-password action.
string username = e.UserName;
// Gets or sets a value that indicates whether the current create-user, change-password, or reset-password action will be canceled.
// true if the current create-user, change-password, or reset-password action will be canceled; otherwise, false. The default is false.
e.Cancel = true;
// Gets or sets an exception that describes the reason for the password-validation failure.
// An System.Exception that describes the reason for the password-validation failure.
e.FailureInformation = new Exception("This is why I failed your password");
}
这篇关于ASP.NET成员ChangePassword控件 - 需要检查以前的密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
