使用PHP在ASP.NET成员资格认证用户 [英] Using PHP to authenticate users in an ASP.NET membership

问题描述

我想验证使用PHP用户对现有的ASP.NET成员资格数据库时遇到一些问题。我在网上搜索，而且我发现似乎并不为我工作已有答案。即：

 公共静态函数哈希（$密码，$盐）
{
  $日codedSalt = base64_de code（$盐）;
  $ UTF = mb_convert_encoding（$的密码，UTF-16LE，UTF-8）;
  返回base64_en code（SHA1（$日codedSalt $ UTF，真）。）;
}
 

我认为这个问题的一部分是，密码哈希值实际上并没有被计算与SHA-1，因为在数据库中的值是44个字符长，基数64 EN codeD字符串（也就是输入是大概256位）。我试着使用SHA-256代替SHA-1，但无济于事。我无法找到这将是进一步腌制的哈希值在web.config一机键，ASP.NET站点生成相同的哈希值，当我在本地运行，或在生产服务器上，所以我不知道为什么他们AREN T匹配。

Web.config中成员提供：

 ＆LT;新增的connectionStringName =MySqlMembershipConnectionenablePasswordRetrieval =假enablePasswordReset设置=真正的requiresQuestionAndAnswer =假requiresUniqueEmail =真了passwordFormat =散列maxInvalidPasswordAttempts =5 minRequiredPasswordLength =6minRequiredNonalphanumericCharacters =0passwordAttemptWindow =10的applicationName =/autogenerateschema =真名称=MySqlMembershipProvider类型=MySql.Web.Security.MySQLMembershipProvider，mysql.web/＆GT;
 

例密码的应该的工作：

  $盐='Mu1tp8XzfKl8dSTVAZm44A =='; //直接从数据库
$密码='测试';
$ expectedHash ='TQN7m8OWIyBOKVwzegWSUBVq7o7 + KWFBc46J + B77mLw ='//直接从数据库

//当使用SHA-256，而不是SHA-1以上的Hash函数
$ generatedHash ='rpmTmtBfWoJz71ooQGQUIIyQJKd99qhYxMUI1yda0qE ='
 

思考？任何想法，为什么我的哈希值不匹配，什么是存储在数据库中（以及为什么/如何通过ASP.NET网站登录时工作）？我试着换出散列函数，扭转了密码/盐串联，并大声喊叫，而打我的电脑，这些都不似乎帮助。

解决方案

我看了看在验证问题页面，你链接到与一个特定的答案引起了我的注意：的http://stackoverflow.com/a/4227642/633098 。

由于您说，不再使用的算法SHA-1，但更可能是SHA256我开始与HMAC哈希，SHA256 instad试验。它没有在第一次工作，但后来我试图用两个串联的字符串组成的密码，并结合盐与盐（=键）本身，和它的工作。

下面是简单的功能，我做了：

 函数_hash（$密码，$盐）{
    返回base64_en code（hash_hmac（SHA256，base64_de code（$盐）。的iconv（UTF-8，UTF-16LE，$密码），base64_de code（$盐） ， 真正））;
}

$盐='Mu1tp8XzfKl8dSTVAZm44A =='; //直接从数据库
$密码='测试';

后续代码var_dump（_hash（$密码，$盐））;
 

  

结果散列： TQN7m8OWIyBOKVwzegWSUBVq7o7 + KWFBc46J + B77mLw =

I'm having some issues when trying to authenticate users against an existing ASP.NET membership database using PHP. I've searched the web and the existing answers that I've found don't seem to be working for me. Namely:

public static function Hash($password, $salt)
{
  $decodedSalt = base64_decode($salt);
  $utf = mb_convert_encoding($password, 'UTF-16LE', 'UTF-8');
  return base64_encode(sha1($decodedSalt.$utf, true));
}

I think that part of the issue is that the password hashes aren't actually being computed with SHA-1, since the values in the database are 44 character long, base64 encoded strings (which means the inputs are probably 256 bits long). I've tried to use SHA-256 in place of SHA-1, but to no avail. I can't find a machine key in the web.config that would be salting the hashes even further, and the ASP.NET site generates the same hashes when I run locally or on the production server, so I have no idea why they aren't matching.

Web.config membership provider:

<add connectionStringName="MySqlMembershipConnection" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" autogenerateschema="true" name="MySqlMembershipProvider" type="MySql.Web.Security.MySQLMembershipProvider, mysql.web" />

Example password that should work:

$salt = 'Mu1tp8XzfKl8dSTVAZm44A=='; // Straight from the DB
$password = 'testing';
$expectedHash = 'TQN7m8OWIyBOKVwzegWSUBVq7o7+KWFBc46J+B77mLw=' // Straight from the DB

// When using the above Hash function with SHA-256 instead of SHA-1
$generatedHash = 'rpmTmtBfWoJz71ooQGQUIIyQJKd99qhYxMUI1yda0qE='

Thoughts? Any idea why my hash doesn't match what's stored in the DB (and why/how it works when logging in through the ASP.NET site)? I've tried swapping out hash functions, reversing the password/salt concatenation, and yelling loudly while hitting my computer and none of those seemed to help.

解决方案

I took a look at the authentication question page that you linked to and one particular answer captured my attention: http://stackoverflow.com/a/4227642/633098.

Because you said that the algorithm used no longer was SHA1 but more probably SHA256 I started experimenting with HMAC hash, SHA256 instad. It didn't work at first but then I tried using both the concatenated string consisting of the password and the salt in conjunction with the salt (= key) itself, and it worked.

Here's the simple function I made:

function _hash($password, $salt) {
    return base64_encode(hash_hmac('sha256', base64_decode($salt) . iconv('UTF-8', 'UTF-16LE', $password), base64_decode($salt), true));
}

$salt = 'Mu1tp8XzfKl8dSTVAZm44A=='; // Straight from the DB
$password = 'testing';

var_dump(_hash($password, $salt));

Resulting hash: TQN7m8OWIyBOKVwzegWSUBVq7o7+KWFBc46J+B77mLw=

这篇关于使用PHP在ASP.NET成员资格认证用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！