生成C#中的独特*和*随机URL [英] Generating a unique *and* random URL in C#
问题描述
我的最终目标是创建一个URL,它是唯一的,不能被猜出/ predicted。此URL的目的是允许用户在像验证他们的电子邮件地址,并复位密码等操作。这些URL会在设定的时间量(当前设置为24小时)内到期。
My ultimate goal is to create a URL that is unique and cannot be guessed/predicted. The purpose of this URL is to allow users to perform operations like verifying their email address and resetting their password. These URLs would expire within a set amount of time (currently set to 24 hours).
我原来使用的Guid
用于此目的,但我现在明白这是介于蛮好的和非常不安全,这取决于专家,你听。所以,我想我应该牛肉了我的code一点点,以防万一。起初,我以为我只是坚持使用的Guid
,但随机字节,而不是 Guid.NewGuid()$生成它C $ C>工厂方法。这里是我想出了方法:
I was originally using a Guid
for this purpose, but I now understand this to be somewhere between "just fine" and "very insecure", depending on which expert you listen to. So, I thought I'd beef up my code a little bit, just in case. At first I thought I'd just stick with using a Guid
, but generate it from random bytes rather than the Guid.NewGuid()
factory method. Here is the method I came up with:
public static Guid GetRandomGuid()
{
var bytes = new byte[16];
var generator = new RNGCryptoServiceProvider();
generator.GetBytes(bytes);
return new Guid(bytes);
}
我不是当您使用到底发生了什么新的GUID(字节)
而不是 Guid.NewGuid()$不太清楚C $ C>,但我认为这一切的方法确实是产生在
的Guid
数据结构的随机字节数组的商店的它。换句话说,它不再保证是唯一的,它只能保证是随机的。
I'm not quite clear on what exactly happens when you use new Guid(bytes)
instead of Guid.NewGuid()
, but I think all this method does is generate a random byte array and store it in a Guid
data structure. In other words, it's no longer guaranteed to be unique, it's only guaranteed to be random.
由于我的网址需要在两个独特的和的随机性,这似乎并不像一个坚实的解决方案。现在我想,我应该立足于双方的唯一ID的组合,我的网址(这可能是一个的Guid
或者,如果有的话,数据库自动递增的ID)从 RNGCryptoServiceProvider
生成的随机序列。
Since my URLs need to be both unique and random, this does not seem like a solid solution. I'm now thinking, I should base my URLs on a combination of both a unique ID (which could be a Guid
or, if available, a database auto-incremented id) and a random sequence generated from RNGCryptoServiceProvider
.
问题
什么是生成验证/密码重置网址,既保证唯一的和极其困难/不可能predict的最佳方式/猜到的?
What's the best way to generate a verification/password-reset URL that is both guaranteed unique and extremely difficult/impossible to predict/guess?
-
我应该简单地通过连接一个唯一的字符串一个随机字符串构造我的网址?
Should I simply construct my URL by concatenating a unique string with a random string?
请问.NET框架有一个内置的方式轻松地生成一个唯一的和的可用于随机的网址(UN predictable)序列?
Does the .NET Framework have a built-in way to easily generate a unique and random (unpredictable) sequence that can be used for URLs?
如果不是,是否有一个很好的解决方案的开源?
If not, is there a good solution available open source?
更新
在任何情况下也有类似的规定,我目前使用下面的方法:
In case anyone has a similar requirement, I'm currently using the following method:
public static string GenerateUniqueRandomToken(int uniqueId)
// generates a unique, random, and alphanumeric token
{
const string availableChars =
"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
using (var generator = new RNGCryptoServiceProvider())
{
var bytes = new byte[16];
generator.GetBytes(bytes);
var chars = bytes
.Select(b => availableChars[b % availableChars.Length]);
var token = new string(chars.ToArray());
return uniqueId + token;
}
}
请,如果你看到任何这方面的问题提出意见。
Please comment if you see any problems with this.
推荐答案
一个GUID是不是意味着是一个安全功能。创建一个GUID 使没有关于它有多安全索赔或/硬是多么容易猜到。 它只是提出要求关于它的独特性。
A Guid is not meant to be a security feature. The standards for creating a Guid make no claims about how secure it is, or how easy/hard it is to guess. It simply makes a claim about it's uniqueness.
如果您尝试使用一个GUID,那么你将不会有一个安全的系统,以确保您的系统。
If you attempt to secure your system by using a Guid then you will not have a secure system.
这篇关于生成C#中的独特*和*随机URL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!