ASP.NET Membership Provider - validating a hashed security question/answer

Time: 2021-11-01 03:15:00

On a page I'm adding a "retrieve forgotten USERNAME" feature.

Step 1) Enter email address (Get account by email)

Step 2) Verify Security Question (they provide answer and I validate it)

Step 3) Send them an email with the username

Step 2 is where I'm stuck. How do I validate the answer with what's stored in the database?

All values are hashed.

I see other questions posted similar to this but they don't answer the question, at least not clearly.

2 answers

#1

Like you said, the values in the DB are hashed, so in order to validate that what the user typed in matches what's in the DB, hash the value that the user entered and compare the two hashed values. If they are equal, it validates.

You basically need to hash the answer text before you compare it to the value in the database.

Also, be aware that sometimes the answer text is salted with a value before it is hashed, so the same steps would need to be taken when validating.

#2

Looking at the provider, it does not expose any methods for you to perform your desired step two.

You will need to do the following.

  1. Create a stored procedure that will retrieve results based on the email and answer.

  2. As you mentioned, since the answer is hashed, you will need to MD5 hash the user-supplied values. (FormsAuthentication.HashPasswordForStoringInConfigFile would work for this)

  3. Call your stored procedure with the needed parameters to validate that the user's information matches.
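A C# version of step 2, added here as an example rather than code from the original answers or from ASP.NET itself: re-create the stored hash from the supplied answer and compare it in constant time. It assumes the SqlMembershipProvider "Hashed" format with hashAlgorithmType SHA1 (the .NET 2.0/3.5 default; if your web.config names another algorithm, or the machineKey validation algorithm applies on 4.x, swap the algorithm accordingly), where the answer is trimmed, lower-cased with the invariant culture, UTF-16 encoded, prefixed with the Base64-decoded PasswordSalt, hashed and Base64-encoded; `storedAnswerHash` and `storedSalt` stand for the PasswordAnswer and PasswordSalt columns your stored procedure would return, and the values in Main are constructed.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public static class SecurityAnswerVerifier
{
    // Re-create the provider's "Hashed" encoding of a password answer (assumed: SHA1,
    // salt bytes prepended to the UTF-16 bytes of the trimmed, invariant-lower-cased answer).
    public static string EncodeAnswer(string answer, string base64Salt)
    {
        if (answer == null) throw new ArgumentNullException("answer");
        string normalized = answer.Trim().ToLower(CultureInfo.InvariantCulture);
        byte[] answerBytes = Encoding.Unicode.GetBytes(normalized);
        byte[] saltBytes = Convert.FromBase64String(base64Salt);
        byte[] all = new byte[saltBytes.Length + answerBytes.Length];
        Buffer.BlockCopy(saltBytes, 0, all, 0, saltBytes.Length);
        Buffer.BlockCopy(answerBytes, 0, all, saltBytes.Length, answerBytes.Length);
        using (SHA1 sha1 = SHA1.Create())
        {
            return Convert.ToBase64String(sha1.ComputeHash(all));
        }
    }

    // Compare the freshly computed hash with the stored one without short-circuiting,
    // so the response time does not depend on where the first differing byte is.
    public static bool VerifyAnswer(string suppliedAnswer, string storedAnswerHash, string storedSalt)
    {
        if (suppliedAnswer == null || storedAnswerHash == null || storedSalt == null) return false;
        byte[] a = Encoding.UTF8.GetBytes(EncodeAnswer(suppliedAnswer, storedSalt));
        byte[] b = Encoding.UTF8.GetBytes(storedAnswerHash);
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        // Constructed stand-in for the PasswordSalt / PasswordAnswer columns written at sign-up.
        byte[] salt = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        string storedSalt = Convert.ToBase64String(salt);
        string storedAnswerHash = EncodeAnswer("Rover", storedSalt);

        // The same answer with different case and whitespace is accepted; a different answer is not.
        Console.WriteLine(VerifyAnswer("  rover ", storedAnswerHash, storedSalt));
        Console.WriteLine(VerifyAnswer("Fido", storedAnswerHash, storedSalt));
    }
}
```

Going through your own stored procedure bypasses the provider's FailedPasswordAnswerAttemptCount lock-out, so count and throttle failed answers on this page as well.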
