Simple Enhancement for User's password @ FunnelWeb
【add Script0033.sql】
-- Add a per-user Salt column to the User table.
-- Declared NULL so the migration succeeds on existing rows, which have no
-- salt yet: those accounts hold NULL until a salt is back-filled for them.
ALTER TABLE $schema$.[User] ADD [Salt] NCHAR(32) NULL
GO
【FunnelWeb.Model.Authentication.Mappings.UserMapping.cs】
Append to the mapping:
Map( x => x.Salt ); | |
【FunnelWeb.Authentication.Internal.SqlAuthenticator.cs】
/// <summary>
/// Looks the user up by username, recomputes the salted password hash from the
/// submitted password and the user's stored salt, and discards the user when the
/// hash does not match the stored one. The rest of the method (the login itself
/// and the bool result) is elided in this excerpt.
/// </summary>
/// <param name="username">Username submitted at login.</param>
/// <param name="password">Clear-text password submitted at login.</param>
/// <returns>Declared bool; the return statement is not shown in this excerpt.</returns>
private bool SqlAuthenticateAndLogin(string username, string password)
{
    // Previous approach, kept for reference: the hash comparison was done inside the query.
    //var user = sessionFactory().QueryOver<User>()
    // .Where(u => u.Username == username && u.Password == SqlFunnelWebMembership.HashPassword(password, u.Salt))
    // .SingleOrDefault();
    // Fetch by username only; the hash depends on the per-user salt stored on the
    // row, so the password check is done in memory once the salt is known.
    var user = sessionFactory().QueryOver<User>()
        .Where( u => u.Username == username ).SingleOrDefault();
    if ( user != null ) {
        // NOTE(review): user.Salt can be null for accounts created before the Salt
        // column was added (the migration declares it nullable); confirm HashPassword
        // tolerates a null salt, or back-fill salts as part of the migration.
        string pwd = SqlFunnelWebMembership.HashPassword( password, user.Salt );
        // Ordinal string comparison. It short-circuits on the first differing
        // character, so it is not constant-time; fine unless timing is in the threat model.
        if ( pwd != user.Password )
            user = null;
    }
    // ...
    // ...
}
【FunnelWeb.Utilities.StringExtensions.cs】
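/// <summary>
/// Returns a fresh GUID as 32 lowercase hexadecimal characters with no separators,
/// e.g. bea8b23f69574b0c8832b5723c3aae71. In this gist it serves as the per-user
/// password salt: a salt only has to be unique per user, not secret, so a GUID is
/// adequate for that. Do not reuse it for tokens or keys; use
/// <see cref="System.Security.Cryptography.RandomNumberGenerator"/> for those.
/// </summary>
/// <returns>A 32-character lowercase hex string.</returns>
public static string NewGuid_PlainLower() {
    // The "N" format is exactly the 32 hex digits, already lowercase, so the
    // Replace("-", "") / ToLower() round-trip (culture-sensitive lowering) is unnecessary.
    return Guid.NewGuid().ToString( "N" );
}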
/// <summary>
/// Creates a new user with a freshly generated salt, stores the salted password
/// hash (never the clear-text password), saves the user through the resolved
/// ISession and returns it.
/// </summary>
/// <param name="name">Display name.</param>
/// <param name="email">E-mail address.</param>
/// <param name="username">Login name.</param>
/// <param name="password">Clear-text password; only its hash is persisted.</param>
/// <returns>The saved user.</returns>
public User CreateAccount(string name, string email, string username, string password)
{
    // Generate the salt up front so the hash can be computed inside the initializer.
    string salt = Utilities.StringExtensions.NewGuid_PlainLower();
    var account = new User
    {
        Name = name,
        Email = email,
        Salt = salt,
        Username = username,
        Password = HashPassword( password, salt )
    };
    DependencyResolver.Current.GetService<ISession>().Save( account );
    return account;
}
/// <summary>
/// Hashes a password together with the user's salt, for storage and for login
/// comparison. The user must already have a salt: the salt is part of the hash
/// input, so a missing or changed salt makes the stored hash unverifiable.
/// </summary>
/// <param name="password">Clear-text password.</param>
/// <param name="salt">Per-user salt, as stored in User.Salt.</param>
/// <returns>The salted hash produced by <see cref="IntensifyPassword"/>.</returns>
internal static string HashPassword( string password, string salt ) => IntensifyPassword( password, salt );
/// <summary>
/// Derives the stored password hash from the clear-text password and the per-user
/// salt: SHA-1 hex digest of each input, then a 40-character mix taken in
/// eight-character runs (runs 0, 2, 4 from the password digest, runs 1, 3 from the
/// salt digest), then a SHA-1 hex digest of that mix.
/// Changing this scheme invalidates every stored hash, so existing hashes would
/// have to be migrated. SHA-1 is a fast hash with no work factor, so it gives
/// little protection against offline guessing compared with PBKDF2/bcrypt/Argon2.
/// </summary>
/// <param name="pwd">Clear-text password.</param>
/// <param name="salt">Per-user salt; HashPasswordForStoringInConfigFile throws
/// ArgumentNullException when it is null.</param>
/// <returns>40 hexadecimal characters.</returns>
internal static string IntensifyPassword( string pwd, string salt ) {
    string format = FormsAuthPasswordFormat.SHA1.ToString();
    string pwdDigest = FormsAuthentication.HashPasswordForStoringInConfigFile( pwd, format );
    string saltDigest = FormsAuthentication.HashPasswordForStoringInConfigFile( salt, format );
    // Both digests are 40 hex characters. Position p is taken from the password
    // digest when its eight-character run index (p / 8) is even, else from the salt digest.
    const int MixedLength = 40;
    char[] mixed = new char[MixedLength];
    for ( int p = 0; p < MixedLength; p++ ) {
        bool fromPassword = ( p / 8 ) % 2 == 0;
        mixed[p] = fromPassword ? pwdDigest[p] : saltDigest[p];
    }
    // Second SHA-1 round over the interleaved string.
    return FormsAuthentication.HashPasswordForStoringInConfigFile( new string( mixed ), format );
}