使用 SHA1 哈希密码手动验证 ASP.NET 用户帐户

引言

最近，我遇到了一种情况，我需要在移动设备上提供与 ASP.NET 角色和成员资格提供程序相同的身份验证服务。移动设备将与后端数据库同步，下载所有 aspNet_XXXX 表。然后，移动设备的用戶可以使用其现有的 ASP.NET 角色和成员资格凭据，在移动设备上验证其帐户。

使用代码

下面的代码首先演示了检查用户名是否匹配，然后将用户最初生成的密码哈希与使用程序提供的密码创建的哈希进行比较。

在程序的最后几行，我持久化用户数据，以便程序其余部分可以使用它。

public bool LogonUser(string userName, string passWord)
{
    Guid userID = Guid.Empty;
    string originalHash = "";
    string saltValue = "";
    DataLayer dataLayer = new DataLayer();

    // first check for a username
    try
    {
        string SQL =
        " Select    aspnet_Membership.UserId, "
        + "        Password, "
        + "         PasswordSalt "
        + " From    aspnet_Membership inner join  "
        + "         aspnet_Users on aspnet_Membership.UserID" 
        + " = aspnet_Users.UserID "
        + " Where    LoweredUserName = @p1 ";

        SqlCeCommand sqlCeCommand = new SqlCeCommand(SQL, 
                     dataLayer.GetOpenConnection);
        SqlCeParameter param1 = 
          sqlCeCommand.Parameters.Add("p1", 
                       System.Data.SqlDbType.NVarChar);
        param1.Value = userName.ToLower();

        SqlCeDataReader reader = sqlCeCommand.ExecuteReader();
        while (reader.Read())
        {
            userID = reader.GetGuid(0);
            originalHash = reader.GetString(1);
            saltValue = reader.GetString(2);
            break;
        }

        reader.Close();
    }
    catch (Exception ex)
    {
        new Logger().Log(ex);
        throw ex;
    }
    finally
    {
        dataLayer.CloseSQLConnection();
    }

    // username exists
    if (userID.CompareTo(Guid.Empty) != 0)
    {

        // compare password hashes
        byte[] bIn = Encoding.Unicode.GetBytes(passWord);
        byte[] bSalt = Convert.FromBase64String(saltValue);
        byte[] bAll = new byte[bSalt.Length + bIn.Length];
        byte[] bRet = null;

        Buffer.BlockCopy(bSalt, 0, bAll, 0, bSalt.Length);
        Buffer.BlockCopy(bIn, 0, bAll, bSalt.Length, bIn.Length);

        HashAlgorithm s = HashAlgorithm.Create("SHA1");

        bRet = s.ComputeHash(bAll);
        string newHash = Convert.ToBase64String(bRet);

        // check the hash in the datbase matched the new hash we generated
        if (originalHash != newHash)
            throw new Exception("Incorrect Username/Password" + 
                                " combination. Please try again");

    }
    else
    {
        throw new Exception("Incorrect Username/Password" + 
                            " combination. Please try again");
    }

    // store the users credentials in the config object for app instance use
    Config.UserID = userID;
    Config.UserName = userName;
    Config.PassWord = passWord;

    return true;

}

我花了一段时间才弄清楚这一点，希望这能帮助其他人不再苦思冥想！