Trying to validate password in log in page

Views: 61

Problem description


Hello everyone,
I am trying to validate the user password against the one stored in the database. The problem is that it goes directly to the login2 page. Please give me detailed steps, and I know that I am learning when responding. Is this a good approach or not? I need some solutions.
This is the code that I have in my aspx page:

<%@ Page Title="" Language="C#" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="Login1.aspx.cs" Inherits="ExpressBookstore.Account.Login1" %>
<asp:Content  ID="BodyContent" ContentPlaceHolderID="MainContent" runat="server" >
    <div id="login1">
    <p>
        <br />
        <asp:Label ID="Label1" runat="server" Text="UserName"></asp:Label>
        <asp:TextBox ID="txtUserName" runat="server" />
         <asp:RequiredFieldValidator runat="server" ControlToValidate="txtUserName" ErrorMessage="*" SetFocusOnError="true" />
    </p>
    <p>
        <asp:Label ID="Label2" runat="server" Text="Password" ></asp:Label>&nbsp;
        <asp:TextBox ID="txtPassword" runat="server" TextMode="Password" ></asp:TextBox>
        <asp:RequiredFieldValidator runat="server" ControlToValidate="txtPassword" ErrorMessage="*" SetFocusOnError="true" />
    </p><asp:Label ID="lblerror" runat="server" />
    <p>
       <asp:CheckBox ID="CheckBox1" runat="server" />Remember me
    </p>
    <!-- OnClientClick expects client-side JavaScript, not the server event handler; the server-side OnClick is enough -->
    <asp:Button ID="btnLogin" runat="server" Text="Login" OnClick="Button1_Click" CausesValidation="true" />
        <br />
        <br />
        <asp:Button ID="btnforget" runat="server" Text="Forget Password" OnClick="btnforget_Click" CausesValidation="false" />
    </div>
</asp:Content>


And this is the code in my .cs page:

private string CreatePasswordHash(string password, string hash,string salt)
{
//MD5, SHA1

return FormsAuthentication.HashPasswordForStoringInConfigFile(password + hash + salt, "SHA1");

}

private string CreateSalt(int size)
{
RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider();
byte[] data = new byte[size];
provider.GetBytes(data);
return Convert.ToBase64String(data);
}

private string CreateHash(int size)
{
RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider();
byte[] hash = new byte[size];
provider.GetBytes(hash);
return Convert.ToBase64String(hash);
}

private string GetHash(string password)
{
RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider();
byte[] hash = new byte[5];
provider.GetBytes(hash);
return Convert.ToBase64String(hash);
}

protected void Button1_Click(object sender, EventArgs e)
{

//Define a Connection string
var connectionString = ConfigurationManager.ConnectionStrings["BookstoreConnectionString"].ToString();

//Open the connection
SqlConnection sqlConnection = new SqlConnection(connectionString);
sqlConnection.Open();

//Define the sqlcommand object and assign the commandType

SqlCommand sqlCommand = new SqlCommand("SELECT HashKey FROM Registration WHERE UserName = @UserName", sqlConnection);
SqlCommand sqlCommand1 = new SqlCommand("SELECT SaltKey FROM Registration WHERE UserName = @UserName", sqlConnection);

// sqlCommand.CommandType = CommandType.StoredProcedure;

sqlCommand.Parameters.AddWithValue("@UserName", txtUserName.Text.Trim());

SqlDataReader reader = sqlCommand.ExecuteReader();
reader.Read();
string dbHashKey = reader.GetString(0);
reader.Close();

sqlCommand1.Parameters.AddWithValue("@UserName", txtUserName.Text.Trim());

SqlDataReader reader1 = sqlCommand1.ExecuteReader();
reader1.Read();
string dbSaltKey = reader1.GetString(0);
reader1.Close();

// hash the password entered with the salt and compare it to the hashkey in the database

// var loginHash = CreateHash(5);

var loginHash = GetHash(txtPassword.Text.Trim());

if (dbHashKey == loginHash)
{
Response.Redirect("MembersOnly.aspx");
}
else
{
//Response.Write(" Please try again ! Invalid UserName or password ");
Response.Redirect("Login2.aspx");
}
}

protected void btnforget_Click(object sender, EventArgs e)
{
Response.Redirect("RetrievePassword.aspx");
}

Thank you

Recommended answer

You should never ever store passwords in a database. This is unsafe and absolutely not needed for authentication. Disagree? Surprised? Then please read my past answers:
i already encrypt my password but when i log in it gives me an error. how can decrypte it,
Decryption of Encrypted Password,
storing password value int sql server with secure way.

With ASP.NET you have everything implemented for you:
Client-side: http://code.google.com/p/crypto-js.
Server-side, .NET: http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha256%28v=vs.110%29.aspx.

But even this is not enough if you are not using HTTPS and transport-level security. The approach based on a cryptographic hash will work perfectly: a malicious researcher can eavesdrop on your communication and still won't be able to figure out your password. But such a person can capture your hash itself and impersonate you without knowing your password. An even more vulnerable moment is the time when you first create a password. Transport-level security will protect you from such attacks.

Please see:
http://en.wikipedia.org/wiki/HTTPS,
http://en.wikipedia.org/wiki/Transport_Layer_Security.

—SA
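The following is an added example, not code from the question or the answer. It shows the verification step the posted Button1_Click is missing: the posted GetHash() fills a buffer from the random number generator, so its output never depends on the password and the comparison with the stored HashKey fails every time, which is why the page always lands on Login2.aspx. It assumes PBKDF2 over SHA-256 via Rfc2898DeriveBytes (.NET Framework 4.7.2+ / .NET Core 2.0+) rather than a bare SHA-256 of the input, and the same HashKey / SaltKey columns as the question.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not the poster's or the answer's code): a salted password verifier
// for the Registration table's HashKey / SaltKey columns. The posted GetHash() fills
// a buffer from the RNG, so it never depends on the password and the comparison in
// Button1_Click always fails. Assumption: PBKDF2 over SHA-256 via Rfc2898DeriveBytes
// (.NET Framework 4.7.2+ / .NET Core 2.0+) in place of a bare SHA-256 of the input.
public static class PasswordVerifier
{
    const int SaltSize = 16, HashSize = 32, Iterations = 100000;

    // Registration: one random salt per user, stored beside the derived hash.
    public static string CreateSalt()
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return Convert.ToBase64String(salt);
    }

    // Deterministic for a given (password, salt), unlike the posted GetHash().
    public static string HashPassword(string password, string saltBase64)
    {
        byte[] salt = Convert.FromBase64String(saltBase64);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return Convert.ToBase64String(kdf.GetBytes(HashSize));
    }

    // Login: recompute with the user's stored salt, compare without early exit so
    // timing does not leak how many leading bytes matched.
    public static bool Verify(string password, string dbSaltKey, string dbHashKey)
    {
        byte[] expected = Convert.FromBase64String(dbHashKey);
        byte[] actual = Convert.FromBase64String(HashPassword(password, dbSaltKey));
        if (expected.Length != actual.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    public static void Main()
    {
        string salt = CreateSalt();                       // done once, at registration
        string stored = HashPassword("correct horse", salt);
        Console.WriteLine(Verify("correct horse", salt, stored));
        Console.WriteLine(Verify("wrong password", salt, stored));
    }
}
```

In Button1_Click this replaces the GetHash call and the string comparison: read both HashKey and SaltKey for the user (one query is enough), check that a row was actually returned before calling GetString, and pass the three values to Verify.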
