此过程向 Web 应用程序添加两个实用工具方法;一个方法生成一个随机 salt 值,另一个方法根据提供的密码和 salt 值创建哈希。
要开发生成哈希和 salt 值的函数,请执行下列步骤:
1.
打开 Logon.aspx.cs 并将下列 using 语句添加到位于文件顶部的现有 using 语句下。
using System.Security.Cryptography;
using System.Web.Security;
2.
将下列静态方法添加到 WebForm1 类中,用于生成随机 salt 值并作为 Base 64 编码字符串返回此值。
private static string CreateSalt(int size)
{
// Generate a cryptographic random number using the cryptographic
// service provider
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
byte[] buff = new byte[size];
rng.GetBytes(buff);
// Return a Base64 string representation of the random number
return Convert.ToBase64String(buff);
}
此过程在 SQL Server 中创建一个新的用户帐户数据库,此数据库包含一个用户表和一个用于查询用户数据库的存储过程。
要创建用户帐户数据库,请执行下列操作:
1.
在 Microsoft SQL Server programs 菜单上,单击 Query Analyzer ,然后连接到本地 SQL Server。
2.
输入下列 SQL 脚本。注意,必须用自己的计算机名称替换此脚本末尾的“LocalMachine”。
USE master
GO
-- create a database for the security information
IF EXISTS (SELECT * FROM master..sysdatabases WHERE name = 'UserAccounts')
DROP DATABASE UserAccounts
GO
CREATE DATABASE UserAccounts
GO
USE UserAccounts
GO
CREATE TABLE [Users] (
[UserName] [varchar] (255) NOT NULL ,
[PasswordHash] [varchar] (40) NOT NULL ,
[salt] [varchar] (10) NOT NULL,
CONSTRAINT [PK_Users] PRIMARY KEY CLUSTERED
(
[UserName]
) ON [PRIMARY]
) ON [PRIMARY]
GO
-- create stored procedure to register user details
CREATE PROCEDURE RegisterUser
@userName varchar(255),
@passwordHash varchar(40),
@salt varchar(10)
AS
INSERT INTO Users VALUES(@userName, @passwordHash, @salt)
GO
-- create stored procedure to retrieve user details
CREATE PROCEDURE LookupUser
@userName varchar(255)
AS
SELECT PasswordHash, salt
FROM Users
WHERE UserName = @userName
GO
-- Add a login for the local ASPNET account
-- In the following statements, replace LocalMachine with your
-- local machine name
exec sp_grantlogin [LocalMachine/ASPNET]
-- Add a database login for the UserAccounts database for the ASPNET account
exec sp_grantdbaccess [LocalMachine/ASPNET]
-- Grant execute permissions to the LookupUser and RegisterUser stored procs
grant execute on LookupUser to [LocalMachine/ASPNET]
grant execute on RegisterUser to [LocalMachine/ASPNET]
3.
运行查询来创建 UserAccounts 数据库。
4.
退出 Query Manager。
如何通过 SQL Server 2000 使用 Forms 身份验证
返回页首
使用 ADO.NET 将帐户详细信息存储在数据库中
此过程修改 Web 应用程序代码,以将提供的用户名、生成的密码哈希和 salt 值存储在数据库中。
要使用 ADO.NET 将帐户详细信息存储在数据库中,请执行下列操作:
•
返回到 Visual Studio .NET 并双击 Web 窗体上的 Register 按钮来创建按钮单击事件处理程序。
private bool VerifyPassword(string suppliedUserName,
string suppliedPassword )
{
bool passwordMatch = false;
// Get the salt and pwd from the database based on the user name.
// See "How To: Use DPAPI (Machine Store) from ASP.NET," "How To: Use DPAPI
// (User Store) from Enterprise Services," and "How To: Create a DPAPI
// Library" for more information about how to use DPAPI to securely store
// connection strings.
SqlConnection conn = new SqlConnection( "Server=(local);" +
"Integrated Security=SSPI;" +
"database=UserAccounts");
SqlCommand cmd = new SqlCommand( "LookupUser", conn );
cmd.CommandType = CommandType.StoredProcedure;
SqlParameter sqlParam = cmd.Parameters.Add("@userName",
SqlDbType.VarChar, 255);
sqlParam.Value = suppliedUserName;
try
{
conn.Open();
SqlDataReader reader = cmd.ExecuteReader();
reader.Read(); // Advance to the one and only row
// Return output parameters from returned data stream
string dbPasswordHash = reader.GetString(0);
string salt = reader.GetString(1);
reader.Close();
// Now take the salt and the password entered by the user
// and concatenate them together.
string passwordAndSalt = String.Concat(suppliedPassword, salt);
// Now hash them
string hashedPasswordAndSalt =
FormsAuthentication.HashPasswordForStoringInConfigFile(
passwordAndSalt, "SHA1");
// Now verify them.
passwordMatch = hashedPasswordAndSalt.Equals(dbPasswordHash);
}
catch (Exception ex)
{
throw new Exception("Execption verifying password. " + ex.Message);
}
finally
{
conn.Close();
}
return passwordMatch;
}
bool passwordVerified = false;
try
{
passwordVerified = VerifyPassword(txtUserName.Text,txtPassword.Text);
}
catch(Exception ex)
{
lblMessage.Text = ex.Message;
return;
}
if (passwordVerified == true )
{
// The user is authenticated
// At this point, an authentication ticket is normally created
// This can subsequently be used to generate a GenericPrincipal
// object for .NET authorization purposes
// For details, see "How To: Use Forms authentication with GenericPrincipal
// objects
lblMessage.Text = "Logon successful: User is authenticated";
}
else
{
lblMessage.Text = "Invalid username or password";
}
3.
在 Build 菜单上,单击 Build Solution 。
4.
在解决方案资源管理器中,右键单击 logon.aspx ,然后单击 View in Browser 。
5.
输入用户名和密码,然后单击 Register 。
6.
使用 SQL Server Enterprise Manager 查看 Users 表的内容。您会看到一个新行,新用户名与生成的密码哈希一起位于这一行中。
7.
返回到 Logon Web 页,重新输入密码,然后单击 Logon 。您会看到“Logon successful:User is authenticated”消息。
8.
现在请输入一个无效的密码(用户名保持不变)。您会看到“Invalid username or password”消息。
9.
关闭 Internet Explorer。
如何通过 SQL Server 2000 使用 Forms 身份验证
返回页首
<script language=javascript> var framesValid = false; if (window.name == "MNPMainFrame") { var menuFrame = parent.frames["MNPMenuFrame"]; if (menuFrame) { framesValid = true; } } if (!framesValid) document.forms["MNPFramesForm"].submit(); else document.write('