1. 首頁
  2. 問答
  3. 驗證輸入的用戶密碼匹配從登錄頁面的數據庫散列密碼c#asp.net

驗證輸入的用戶密碼匹配從登錄頁面的數據庫散列密碼c#asp.net

2015-11-20 87 views
0

我有一個登錄頁面,用戶被指示輸入他們的用戶名和密碼,它們都存儲在數據庫中。用戶名以純文本格式存儲,但密碼存儲爲MySQL數據庫中含鹽的哈希密碼。我使用了Chris Duran的crackstation websiteyoutube video的C#代碼示例。我成功地能夠註冊用戶並獲得他們的密碼被散列並存儲在MySQL數據庫中。驗證輸入的用戶密碼匹配從登錄頁面的數據庫散列密碼c#asp.net

我有一個簡單的登錄頁面,其中包含電子郵件地址的文本框以及用戶必須輸入的密碼的文本框。我的登錄按鈕有一個點擊事件。我爲我的登錄頁面的代碼後面的代碼如下:

protected void btnlogin_Click(object sender, System.EventArgs e) 
{ 
    char activation; 

    if(Request.QueryString["tokenNum"] != null) 
    { 
     using (OdbcConnection dbConnection = new OdbcConnection(srlsConnStr)) 
     { 
      dbConnection.Open(); 
      { 

       OdbcCommand dbCommand = new OdbcCommand(); 
       dbCommand.Connection = dbConnection; 
       dbCommand.CommandText = @"SELECT tokenNum FROM srlsLogin WHERE user_email_pk = ? and user_password = ?;"; 

       dbCommand.Parameters.AddWithValue("@user_email_pk", txtUsername.Text); 
       dbCommand.Parameters.AddWithValue("@user_password", txtPassword.Text); 
       dbCommand.ExecuteNonQuery(); 

       OdbcDataReader dataReader = dbCommand.ExecuteReader(); 
       while (dataReader.Read()) 
       { 
        if (token == dataReader["tokenNum"].ToString()) 
        { 
         updateActivationStatus(txtUsername.Text); 
         userRedirect(txtUsername.Text, txtPassword.Text); 
        } 
        else 
        { 
         test.Text = "You are not authorized to login! Please activate your account following the activation link sent to your email " + txtUsername.Text + " !"; 
        } 
       } 
       dataReader.Close(); 
      } 
       dbConnection.Close(); 
     } 
    } 
} 

protected void updateActivationStatus(string email) 
{ 
    using (OdbcConnection dbConnection = new OdbcConnection(srlsConnStr)) 
    { 
     dbConnection.Open(); 
     { 
      OdbcCommand dbCommand = new OdbcCommand(); 
      dbCommand.Connection = dbConnection; 
      dbCommand.CommandText = @"UPDATE srlsLogin set activation_status = 'Y' WHERE user_email_pk = ?;"; 

      dbCommand.Parameters.AddWithValue("@user_email_pk", txtUsername.Text); 
      dbCommand.ExecuteNonQuery(); 
     } 
     dbConnection.Close(); 
    } 
} 

//Redirecting the user to correct page 
protected void userRedirect(string username, string passcode) 
{ 
    Session["username"] = txtUsername.Text; 
    Session["password"] = txtPassword.Text; 
    //Session["password"] = PasswordHash.ValidatePassword(txtPassword.Text, "@slowhashsalt"); 

    using (OdbcConnection dbConnection = new OdbcConnection(srlsConnStr)) 
    { 
     dbConnection.Open(); 
     { 
      OdbcCommand dbCommand1 = new OdbcCommand(); 
      dbCommand1.Connection = dbConnection; 
      dbCommand1.CommandText = @"SELECT user_status FROM srlsLogin WHERE user_email_pk = ? and user_password = ?;"; 

      dbCommand1.Parameters.AddWithValue("@user_email_pk", txtUsername.Text); 
      dbCommand1.Parameters.AddWithValue("@user_password", txtPassword.Text); 
      dbCommand1.ExecuteNonQuery(); 

      OdbcDataReader dataReader1 = dbCommand1.ExecuteReader(); 
      while (dataReader1.Read()) 
      { 
       user_status = dataReader1["user_status"].ToString(); 
       Session["userType"] = user_status;       
      } 

      if (user_status == "Participant") 
      { 
       Response.Redirect("/srls/StudentUser"); 
      } 
      else if (user_status == "Coordinator") 
      { 
       Response.Redirect("/srls/CoordinatorUser"); 

      }      
      dataReader1.Close(); 
     } 
     dbConnection.Close();    
    }   
} 

private void LoginWithPasswordHashFunction() 
{ 
    List<string> salthashList = null; 
    List<string> usernameList = null; 

    try 
    { 
     using (OdbcConnection dbConnection = new OdbcConnection(srlsConnStr)) 
     { 
      dbConnection.Open(); 
      { 
       OdbcCommand dbCommand = new OdbcCommand(); 
       dbCommand.Connection = dbConnection; 
       dbCommand.CommandText = @"SELECT user_email_pk, slowsalthash FROM srlslogin WHERE user_email_pk = ?;"; 

       dbCommand.Parameters.AddWithValue("@user_email_pk", txtUsername.Text); 
       dbCommand.ExecuteNonQuery(); 

       OdbcDataReader dataReader = dbCommand.ExecuteReader(); 

       while (dataReader.HasRows && dataReader.Read()) 
       { 
        if (salthashList == null) 
        { 
         salthashList = new List<string>(); 
         usernameList = new List<string>(); 
        } 

        string saltHashes = dataReader.GetString(dataReader.GetOrdinal("@slowhashsalt")); 
        salthashList.Add(saltHashes); 

        string userName = dataReader.GetString(dataReader.GetOrdinal("@user_email_pk")); 
        usernameList.Add(userName); 
       } 
       dataReader.Close(); 

       if (salthashList != null) 
       { 
        for (int i = 0; i < salthashList.Count; i++) 
        { 
         bool validUser = PasswordHash.ValidatePassword(txtPassword.Text, salthashList[i]); 

         if (validUser == true) 
         { 
          Session["username"] = usernameList[i]; 
          Response.BufferOutput = true; 
          Response.Redirect("/srls/", false); 
         } 
         else 
         { 
          lblMessage.Text = "User not authorized! Please try again!"; 
         } 
        } 
       } 
      } 
      dbConnection.Close(); 
     } 
    } 
    catch (Exception ex) 
    { 

    }    
}

我有點新的C#和asp.net和很困惑,我該如何使用Session [「密碼」],我知道如果我有密碼的純文本版本存儲到數據庫表,它工作正常,但我想使用會話[「密碼」]檢查哈希密碼,以便當用戶放置文本密碼時,它可以檢查表中的哈希密碼並讓用戶進入他們的帳戶。

來源

2015-11-20 skaur

+0

SELECT語句不會爲您輸入純文本密碼,它只會嘗試比較兩個字符串,所以會失敗。您必須自己哈希密碼(使用相同的鹽),然後將您獲得的散列結果與數據庫中存儲的散列結果進行比較。 –

+0

請檢查[MCVE]以獲取有關應添加到帖子中的代碼數量/類型的指導。 –

+0

@AlexeiLevenkov我看了一下關於代碼的鏈接,並將其編輯了一下。有幾次我在這裏發佈問題,我不確定在這裏是否有太多或者沒有足夠的代碼,所以我最終發佈了儘可能多的代碼來展示我在做什麼。 – skaur

回答

0

儘量不要在會話中存儲用戶密碼。這是你可以做的。 一旦用戶輸入用戶名和密碼並單擊登錄頁面的登錄按鈕,您可以散列密碼並將其傳遞給存儲過程。 您使用數據庫中的密碼檢查散列的密碼,如果一切正常,您將返回變量發送回代碼,說明用戶已通過身份驗證。然後,您將其存儲在會話中。

來源

2015-11-20 16:27:14 Cupid

+0

好的。我試圖不使用存儲過程,但我會試一試。 – skaur

+0

使用存儲過程應該沒問題。 – Cupid

+0

好的。我會看看它是如何發展的,是C#和asp的新手。網我從來沒有寫過存儲過程。 – skaur

1

這是舊代碼,也許有更新或刪除?你基本上搶值,你已經到位,看它是否符合,都是我使用它搶了兩個字符串,這樣你就可以更新部分,您的數據庫調用

public bool VerifyPassword(string suppliedUserName, string suppliedPassword) 
{ 
    try 
    { 
     string dbPasswordHash = string.Empty; 
     string salt = string.Empty; 

     using (SqlDataReader reader = DB.drProc("LookupUser", new SqlParameter[] { 
      DB.Parameter("@userName", SqlDbType.VarChar, 255, suppliedUserName) })) 
     { 
      reader.Read(); 
      dbPasswordHash = reader.GetString(0); 
      salt = reader.GetString(1); 
     } 

     string passwordAndSalt = string.Concat(suppliedPassword, salt); 
     string hashedPasswordAndSalt = FormsAuthentication.HashPasswordForStoringInConfigFile(passwordAndSalt, "SHA1"); 
     return hashedPasswordAndSalt.Equals(dbPasswordHash); 
    } 
    catch (Exception) 
    { 
     return false; 
    } 
}

來源

2015-11-20 17:13:28 AdamRoof

0

改變這一行

  dbCommand.Parameters.AddWithValue("@user_password", txtPassword.Text); 


  dbCommand.Parameters.AddWithValue("@user_password", PasswordHasher(txtPassword.Text));

假設你有一個函數調用PasswordHasher接受一個字符串,並返回其散列版本。實際上,在你的代碼中的任何地方你都可以使用密碼做任何事情,你不應該使用密碼,你應該立即將它變成散列版本。

來源

2015-11-20 17:21:41 AgapwIesu

+0

好的。我有一個名爲LoginWithPasswordHashFunction的函數和一個PasswordHash類(來自crackstation網站),它具有一個ValidatePassword函數,該函數接受密碼字符串和散列密碼字符串。我能以某種方式在代碼中使用它嗎? – skaur

0

我能夠讓我的代碼工作。感謝所有幫助我解決問題的人。我在下面發佈我的解決方案,以防將來有人遇到類似問題,並可以將其用作參考。

protected void btnlogin_Click(object sender, System.EventArgs e) 
{ 
    char activation; 

    if (Request.QueryString["tokenNum"] != null) 
    { 
     using (OdbcConnection dbConnection = new OdbcConnection(srlsConnStr)) 
     { 
      dbConnection.Open(); 
      { 
       OdbcCommand dbCommand = new OdbcCommand(); 
       dbCommand.Connection = dbConnection; 
       dbCommand.CommandText = @"SELECT tokenNum FROM login WHERE useremail = ?"; 
       dbCommand.Parameters.AddWithValue("@useremail", txtUsername.Text); 
       dbCommand.ExecuteNonQuery(); 

       OdbcDataReader dataReader = dbCommand.ExecuteReader(); 
       while (dataReader.Read()) 
       { 
        if (token == dataReader["tokenNum"].ToString()) 
        { 
         updateActivationStatus(txtUsername.Text); 
         LoginWithPasswordHashFunction(); 
        } 
        else 
        {        
         test.Text = "You are not authorized to login! Please activate your account following the activation link sent to your email " + txtUsername.Text + " !"; 
        } 
       } 
      } 
      dbConnection.Close(); 
      } 
     } 
    else if (Request.QueryString["tokenNum"] == null) 
    { 
     using (OdbcConnection dbConnection = new OdbcConnection(srlsConnStr)) 
     { 
      dbConnection.Open(); 
      { 
       OdbcCommand dbCommand1 = new OdbcCommand(); 
       dbCommand1.Connection = dbConnection; 
       dbCommand1.CommandText = @"SELECT * FROM login WHERE useremail = ?;"; 

       dbCommand1.Parameters.AddWithValue("@useremail", txtUsername.Text); 
       dbCommand1.ExecuteNonQuery(); 

       OdbcDataReader dataReader1 = dbCommand1.ExecuteReader(); 
       if (dataReader1.Read()) 
       { 
        activation = Convert.ToChar(dataReader1["activation_status"]); 

        if (activation == 'Y') 
        {         
         LoginWithPasswordHashFunction(); 
        } 
        else 
        { 
         lblMessage.Text = "Please activate your account following the Activation link emailed to you at <i>" + txtUsername.Text + "</i> to Continue!"; 
        } 
       } 
       else 
       { 
        lblMessage.Text = "Invalid Username or Password"; 
       } 

       dataReader1.Close(); 
      } 
      dbConnection.Close(); 
     } 
    } 
} 

private void LoginWithPasswordHashFunction() 
{ 
    List<string> salthashList = null; 
    List<string> usernameList = null; 

    try 
    { 
     using (OdbcConnection dbConnection = new OdbcConnection(srlsConnStr)) 
     { 
      dbConnection.Open(); 
      { 
       OdbcCommand dbCommand = new OdbcCommand(); 
       dbCommand.Connection = dbConnection; 
       dbCommand.CommandText = @"SELECT slowhashsalt, useremail FROM login WHERE useremail = ?;"; 

       dbCommand.Parameters.AddWithValue(@"useremail", txtUsername.Text); 
       OdbcDataReader dataReader = dbCommand.ExecuteReader(); 
       while (dataReader.HasRows && dataReader.Read()) 
       { 

        if (salthashList == null) 
        { 
         salthashList = new List<string>(); 
         usernameList = new List<string>(); 
        } 
        string saltHashes = dataReader.GetString(dataReader.GetOrdinal("slowhashsalt")); 
        salthashList.Add(saltHashes); 

        string userInfo = dataReader.GetString(dataReader.GetOrdinal("useremail")); 

        usernameList.Add(userInfo); 
       } 

       dataReader.Close(); 

       if (salthashList != null) 
       { 

        for (int i = 0; i < salthashList.Count; i++) 
        { 
         bool validUser = PasswordHash.ValidatePassword(txtPassword.Text, salthashList[i]); 
         if (validUser == true) 
         {          
          Session["useremail"] = usernameList[i]; 

          OdbcCommand dbCommand1 = new OdbcCommand(); 
          dbCommand1.Connection = dbConnection; 
          dbCommand1.CommandText = @"SELECT userstatus FROM login WHERE useremail = ?;"; 

          dbCommand1.Parameters.AddWithValue("@useremail", txtUsername.Text); 
          dbCommand1.ExecuteNonQuery(); 

          OdbcDataReader dataReader1 = dbCommand1.ExecuteReader(); 
          while (dataReader1.Read()) 
          { 
           user_status = dataReader1["userstatus"].ToString(); 
           Session["userType"] = user_status; 
          } 

          Response.BufferOutput = true; 

          if (user_status == "Participant") 
          { 
           Response.Redirect("/StudentUser", false); 
          } 
          else if (user_status == "Coordinator") 
          { 
           Response.Redirect("/CoordinatorUser", false); 
          } 
          else if (user_status == "Instructor") 
          { 
           Response.Redirect("/InstructorUser", false); 
          } 
          else if (user_status == "Coordinator/Instructor") 
          { 
           Response.Redirect("/CoordinatorInstructorUser", false); 
          } 

          dataReader1.Close(); 

          Response.Redirect(/StudentUser) - Goes to Login Page"; 
         } 
         else 
         { 
          lblMessage.Text = "Invalid Username or Password! Please Try Again!"; 
         } 
        } 
       } 
      } 
      dbConnection.Close(); 
     } 
    } 
    catch (Exception ex) 
    { 
    } 
} 

protected void updateActivationStatus(string email) 
{ 
    using (OdbcConnection dbConnection = new OdbcConnection(srlsConnStr)) 
    { 
     dbConnection.Open(); 
     { 
      OdbcCommand dbCommand = new OdbcCommand(); 
      dbCommand.Connection = dbConnection; 
      dbCommand.CommandText = @"UPDATE login set activation_status = 'Y' WHERE useremail = ?;"; 

      dbCommand.Parameters.AddWithValue("@useremail", txtUsername.Text); 
      dbCommand.ExecuteNonQuery(); 
     } 
     dbConnection.Close(); 
    } 
}

來源

2015-11-25 15:23:23 skaur

相關問題

 相關問題