All geek questions in one place

Temporary password storage in ASP.NET Core db

I am developing a .NET Core + Identity application. I want the user to subscribe. The user enters a username / password for data entry, etc. And the next step that I need to confirm the email address, and I do not want to create the user in db before he confirms the email address, because I need to create a new db for him. I want to save data in temp table in db. And after confirmation, I will take the data from there and continue registration and after that I will delete the record from the temp table.

But, as I see it, Identity has a method userManager.Create(user, password)with a password in clear text.

Do I need a hash / dehash algorithm algorithm? If so, what is it? What is the best way to store a secure password in a temp table?

+4
source share
4 answers

So, I did the following:

1) Create a password for user = null (first parameter):

var hashPassword = _passwordHasher.HashPassword(null, command.Password);

2) When the user confirms the email address, I create it with a default password that checks the password verification settings in the class Startup.cs:

_userManager.CreateAsync(user, "123456");

3) Update the "Password and Password" column for passwords and user from the value from step 1:

user.PasswordHash = command.PasswordHash;
_userManager.UpdateAsync(user);
0
source

No, you do not need to - I will automatically hash in the UserManager database.

In my opinion, it’s nice to create a temporary recording. Just create a user, mark him inactive until he confirms his email. This is the right approach.

+2
source

. Identity 2 (PBKDF2) - wiki. -.

public static string HashPass(string pwd)
{
    byte[] salt;
    byte[] bytes;

    using (Rfc2898DeriveBytes rfc2898DeriveByte = new Rfc2898DeriveBytes(pwd, 16, 1000))
    {
        salt = rfc2898DeriveByte.Salt;
        bytes = rfc2898DeriveByte.GetBytes(32);
    }
    byte[] num = new byte[49];
    Buffer.BlockCopy(salt, 0, num, 1, 16);
    Buffer.BlockCopy(bytes, 0, num, 17, 32);
    return Convert.ToBase64String(num);
}

UserAccount , :

public class UserAccount
{
   public int AccountId {  get; set;}

   public UserAccountStatus AccountStatus { get; set; }

}

public enum UserAccountStatus 
{
   Pending = 0,
   UsingTempPassword = 1
   Active = 2
}
0

SHA1 , 128 . , PHP-, :). .

( https://msdn.microsoft.com/en-us/library/t8yy6w3h.aspx ):

<configuration>
<connectionStrings>
     <add name="SqlServices" connectionString="Data Source=MySqlServer;Integrated Security=SSPI;Initial Catalog=aspnetdb;" />
</connectionStrings>
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" />
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
  <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="20">
  <providers>        
    <add name="SqlProvider"
      type="System.Web.Security.SqlMembershipProvider"
      connectionStringName="SqlServices"
      enablePasswordRetrieval="false"
      enablePasswordReset="true"
      requiresQuestionAndAnswer="false"
      passwordFormat="Hashed"
      applicationName="/" />
  </providers>
</membership>
</configuration>
</system.web>

U . hash alg. SHA1, HMACSHA256 SHA256 .NET 4.0 Framework. U :

<membership
    defaultProvider="provider name"
    userIsOnlineTimeWindow="number of minutes"
    hashAlgorithmType="SHA1">
    <providers>...</providers>
</membership>

SHA, .NET, .NET 4 SHA512, .

, ( .dll, machine.config , , web.config, ):

https://msdn.microsoft.com/en-us/library/693aff9y.aspx

Membership.Validate .

If you use the new MVC thing that came out in 2013, UserManager u just implements a user who has an email, all of which should be IUser. There is a UserManager.CreateUser method (TUser user, string password)

-1
source

Source: https://habr.com/ru/post/1663488/

More articles:


All Articles