我根据此Code Project文章对登录信息进行了加盐处理和哈希处理
当我这样做时,数据库中的密码字段和盐字段只是varchar列。数据在SQL Server Management Studio中显示为问号。
然后,一个朋友来了,将列更改为nvarchar数据类型,现在数据似乎是亚洲字母/单词的集合-我认为即使对于阅读任何语言的人来说,它背后也没有任何意义。
现在的问题是,即使我创建了一个新用户,每次登录尝试也会失败。
用户添加和登录
public User Login() // returns an instance of its own class { // get the salt value for the user var auser = ie.users.FirstOrDefault(u => String.Compare(u.emailaddress, emailaddress, false) == 0); if (auser == null) { throw new ValidationException("User not found"); } // hash the login for comparison to stored password hash HashGenerator h = new HashGenerator(password, auser.usersalt); string hash = h.GetHash(); var us = ie.users.FirstOrDefault(u => String.Compare(u.emailaddress, emailaddress, false) == 0 && String.Compare(u.password, password, false) == 0); if (us == null) { throw new Exception("Invalid email address and/or password."); // seems here's where it goes wrong } User user = new User(); user.userid = us.userid; user.storeid = us.storeid; user.role = us.role; return user; // login succeeded, return the data to the calling method } public void Add() { user newuser = new user(); newuser.storeid = storeid; newuser.emailaddress = emailaddress; // Generate password hash string usersalt = SaltGenerator.GetSaltString(); HashGenerator hash = new HashGenerator(password, usersalt); newuser.password = hash.GetHash(); newuser.role = role; newuser.usersalt = usersalt; ie.users.Add(newuser); ie.SaveChanges(); }
哈希和盐生成器
public class HashGenerator { public string pass { get; protected set; } public string salt { get; protected set; } public HashGenerator(string Password, string Salt) { pass = Password; salt = Salt; } public string GetHash() { SHA512 sha = new SHA512CryptoServiceProvider(); byte[] data = CryptUtility.GetBytes(String.Format("{0}{1}", pass, salt)); byte[] hash = sha.ComputeHash(data); return CryptUtility.GetString(hash); } } public static class SaltGenerator { private static RNGCryptoServiceProvider provider = null; private const int saltSize = 128; static SaltGenerator() { provider = new RNGCryptoServiceProvider(); } public static string GetSaltString() { byte[] saltBytes = new byte[saltSize]; provider.GetNonZeroBytes(saltBytes); return CryptUtility.GetString(saltBytes); } }
加密实用程序,用于获取字符串和字节
class CryptUtility { public static byte[] GetBytes(string Str) { byte[] bytes = new byte[Str.Length * sizeof(char)]; System.Buffer.BlockCopy(Str.ToCharArray(), 0, bytes, 0, bytes.Length); return bytes; } public static string GetString(byte[] Bytes) { char[] chars = new char[Bytes.Length / sizeof(char)]; System.Buffer.BlockCopy(Bytes, 0, chars, 0, Bytes.Length); return new string(chars); } }
从那时起,登录名一直有效,此代码从那时起就没有更改过……唯一更改的是,users表中的password和salt列现在nvarchar改为了varchar。
nvarchar
varchar
就是说,我想可以使用上述的add方法创建一个新用户,但是用该用户登录也同样失败。
我真的对如何解决这个问题感到茫然。如果无法访问该系统以进行测试,则无法继续开发该系统的其余部分。
任何帮助将不胜感激!
嗯,你不应该使用变量
为了比较?
// hash the login for comparison to stored password hash HashGenerator h = new HashGenerator(password, auser.usersalt); string hash = h.GetHash(); var us = ie.users.FirstOrDefault(u => String.Compare(u.emailaddress, emailaddress, false) == 0 && String.Compare(u.password, hash, false) == 0);
