我对我的登录信息进行了加盐和哈希处理 according to this Code Project article
当我这样做时,数据库中的密码和盐字段只是 varchar 列。数据在 SQL Server Management Studio 中显示为问号。
然后一位 friend 来了并将列更改为 nvarchar 数据类型,现在数据似乎是亚洲字母/单词的集合 - 我认为它背后没有任何意义,即使对于阅读任何语言的人也是如此。
问题是现在,即使我创建了一个新用户,每次登录尝试都会失败。
用户添加和登录
public User Login() // returns an instance of its own class
{
// get the salt value for the user
var auser = ie.users.FirstOrDefault(u => String.Compare(u.emailaddress, emailaddress, false) == 0);
if (auser == null)
{
throw new ValidationException("User not found");
}
// hash the login for comparison to stored password hash
HashGenerator h = new HashGenerator(password, auser.usersalt);
string hash = h.GetHash();
var us = ie.users.FirstOrDefault(u => String.Compare(u.emailaddress, emailaddress, false) == 0 && String.Compare(u.password, password, false) == 0);
if (us == null)
{
throw new Exception("Invalid email address and/or password."); // seems here's where it goes wrong
}
User user = new User();
user.userid = us.userid;
user.storeid = us.storeid;
user.role = us.role;
return user; // login succeeded, return the data to the calling method
}
public void Add()
{
user newuser = new user();
newuser.storeid = storeid;
newuser.emailaddress = emailaddress;
// Generate password hash
string usersalt = SaltGenerator.GetSaltString();
HashGenerator hash = new HashGenerator(password, usersalt);
newuser.password = hash.GetHash();
newuser.role = role;
newuser.usersalt = usersalt;
ie.users.Add(newuser);
ie.SaveChanges();
}
哈希和盐生成器
public class HashGenerator
{
public string pass { get; protected set; }
public string salt { get; protected set; }
public HashGenerator(string Password, string Salt)
{
pass = Password;
salt = Salt;
}
public string GetHash()
{
SHA512 sha = new SHA512CryptoServiceProvider();
byte[] data = CryptUtility.GetBytes(String.Format("{0}{1}", pass, salt));
byte[] hash = sha.ComputeHash(data);
return CryptUtility.GetString(hash);
}
}
public static class SaltGenerator
{
private static RNGCryptoServiceProvider provider = null;
private const int saltSize = 128;
static SaltGenerator()
{
provider = new RNGCryptoServiceProvider();
}
public static string GetSaltString()
{
byte[] saltBytes = new byte[saltSize];
provider.GetNonZeroBytes(saltBytes);
return CryptUtility.GetString(saltBytes);
}
}
获取字符串和字节的加密工具
class CryptUtility
{
public static byte[] GetBytes(string Str)
{
byte[] bytes = new byte[Str.Length * sizeof(char)];
System.Buffer.BlockCopy(Str.ToCharArray(), 0, bytes, 0, bytes.Length);
return bytes;
}
public static string GetString(byte[] Bytes)
{
char[] chars = new char[Bytes.Length / sizeof(char)];
System.Buffer.BlockCopy(Bytes, 0, chars, 0, Bytes.Length);
return new string(chars);
}
}
登录曾经有效,此代码从那时起就没有改变......唯一改变的是用户表中的密码和盐列现在是 nvarchar
而不是 varchar
.
也就是说,我想我会使用上面的添加方法创建一个新用户,但使用该用户登录也会失败。
我真的不知道如何解决这个问题。如果我不能访问它进行测试,我就无法继续开发系统的其余部分。
任何帮助将不胜感激!
最佳答案
嗯嗯你不应该使用变量
hash
为了比较?
// hash the login for comparison to stored password hash
HashGenerator h = new HashGenerator(password, auser.usersalt);
string hash = h.GetHash();
var us = ie.users.FirstOrDefault(u => String.Compare(u.emailaddress, emailaddress, false) == 0 && String.Compare(u.password, hash, false) == 0);
关于c# - 密码散列曾经有效,现在我无法进入我的软件,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/23591723/