What's an easy and reliable way to hash an ASP.NET MVC password?
We need a simple and reliable way to hash the password in the AccountController controller.
It looks like this:
    using System.Linq;
    using System.Web.Mvc;

    public class AccountController : Controller {
        private IAuthProvider authProvider;
        private IUserRepository repository;

        public AccountController(IAuthProvider auth, IUserRepository repo) {
            authProvider = auth;
            repository = repo;
        }

        public ViewResult Login() {
            return View();
        }

        public ViewResult Register() {
            return View();
        }

        [HttpPost]
        public ActionResult Login(LoginViewModel model) {
            if (ModelState.IsValid) {
                // Password is currently compared in plaintext against the stored value
                User user = repository.Users().FirstOrDefault(m => m.Login == model.Login && m.Password == model.Password);
                if (user != null) {
                    authProvider.Authenticate(model.Login);
                    return RedirectToAction("Index", "Document");
                } else {
                    // "Invalid login or password"
                    ModelState.AddModelError("", "Неверный логин или пароль");
                }
            }
            return View(model);
        }

        [HttpPost]
        public ActionResult Register(RegisterViewModel model) {
            if (ModelState.IsValid) {
                User user = repository.Users().FirstOrDefault(m => m.Login == model.Login);
                if (user == null) {
                    // Password is currently stored as entered, without hashing
                    repository.Add(new User { Login = model.Login, Password = model.Password });
                    user = repository.Users().Where(m => m.Login == model.Login && m.Password == model.Password).FirstOrDefault();
                    if (user != null) {
                        authProvider.Authenticate(model.Login);
                        return RedirectToAction("Index", "Document");
                    }
                } else {
                    // "A user with this login already exists"
                    ModelState.AddModelError("", "Пользователь с таким логинм уже есть");
                }
            }
            return View(model);
        }

        public ActionResult ExitToStore() {
            authProvider.Exit();
            return RedirectToAction("Login");
        }
    }
For password hashing, it's best to use BCrypt (example).
If you don't like BCrypt, you can use SHA512; it's already in the .NET Framework.
Regarding the architecture: dragging the repository into the controller is first-grade, second-quarter stuff.
Ideally, you should have a BL layer that checks the user, gives him a session cookie or some other sign of authorization, and returns the result of its work. If successful, redirect somewhere.
Regarding hashing: SHA512 plus some kind of salting algorithm is more fun (you can't just tack the salt on the side).
Regarding the layer at which the hash is computed, it all depends on the authorization algorithm. In your case it smells of EF, and apparently it's worth computing the hash at the repository-access layer.
If you use a storage layer, you will have to pass the password untouched down to the database itself and compute the hash there. Otherwise, logic will appear that pulls the entire user base and then searches it for the right one, which is not the fact that there is
Why not use the standard .NET class MD5?
It's very easy to use:
    using System;
    using System.Text;
    using System.Security.Cryptography;

    class Program
    {
        static void Main(string[] args)
        {
            string pass = "123";
            using (MD5 md5 = MD5.Create())
            {
                string hash = GetMD5(md5, pass);
                Console.Write(hash);
                Console.ReadKey();
            }
        }

        // Unsalted MD5 digest of the UTF-8 bytes, rendered as lowercase hex
        static string GetMD5(MD5 md5, string pass)
        {
            byte[] data = md5.ComputeHash(Encoding.UTF8.GetBytes(pass));
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < data.Length; i++)
            {
                sb.Append(data[i].ToString("x2"));
            }
            return sb.ToString();
        }
    }