I am using WebMatrix and have built a website based on the "StarterSite". In this starter site you get a nice basi开发者_如何学Cc layout - including registration, login, forgot password pages etc...
I've noticed that in the database that the "webpages_Membership" table has a column named "PasswordSalt". After creating a few new user accounts, this column always remains blank. So I'm assuming that no password salt (not even a default one) is in use.
Obviously this is not the best practice, however I cannot seem to find any documentation that tells me how to set or manage the password salt.
How can I set the password salt with the WebSecurity Helper?
The above answer gives the impression that there is no salting applied when using WebSecurity
SimpleMembershipProvider
.
That is not true. Indeed the database salt field is not used, however this does not indicate that there is no salt generated when hashing the password.
In WebSecurity
s SimpleMembershipProvider
the PBKDF2 algo is used, the random salt is generated by the StaticRandomNumberGenerator
and stored in the password field with the hash:
byte[] outputBytes = new byte[1 + SALT_SIZE + PBKDF2_SUBKEY_LENGTH];
Buffer.BlockCopy(salt, 0, outputBytes, 1, SALT_SIZE);
Buffer.BlockCopy(subkey, 0, outputBytes, 1 + SALT_SIZE, PBKDF2_SUBKEY_LENGTH);
return Convert.ToBase64String(outputBytes);
As of the RTM release of WebMatrix/ASP.NET Web Pages, the salt feature/column is unused.
If you open up the Web Pages source, you'll see the db classes littered with references like
INSERT INTO [" + MembershipTableName + "] (UserId, [Password], PasswordSalt
...
VALUES (uid, hashedPassword,String.Empty /* salt column is unused */
shortened for emphasis
There are definately ways to override and implement this behavior, first being:
- override System.WebData.SimpleMembershipProvider.CreateAccount()
or
- extend with System.WebData.SimpleMembershipProvider.CreateAccountWithPasswordSalt()
not going to go into detail there though unless you request, as your usage of WebMatrix and a template suggests you probably don't wanna mess with rewriting a ton of your own C#/ASP code for this project.
精彩评论