Question
Good day everyone. I'm currently creating a Login Form in a Xamarin.Forms Portable application. I have a WebFormsProject, in which I created an API controller that compares the username and password typed by the user against the username and password saved in my database.
The password saved in my database is hashed using ASP.NET Identity, while the password typed by the user is hashed using Crypto.HashPassword (I don't know if this class is an ASP.NET Identity thing).
How can I compare these two?
If the two passwords match, it should return 'true', otherwise false. I'm at a confusing stage right now. Hope you can help me. Thanks.
Here is some of my code.
LoginController.cs
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Entity;
using System.Data.Entity.Infrastructure;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Description;
using WebFormsDemo;
using WebFormsDemo.ViewModel;
using System.Security.Cryptography;
using System.Web.Helpers;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;
using Microsoft.AspNet.Identity.EntityFramework;

namespace WebFormsDemo.Controllers
{
    public class LoginController : ApiController
    {
        private EBMSEntities db = new EBMSEntities();

        // GET: api/Login/Search/{username}/{password}
        // NOTE: the password travels in the URL path, so it ends up in web server,
        // proxy and browser history logs.
        [Route("api/Login/Search/{username}/{password}")]
        [ResponseType(typeof(bool))]
        public bool getUsernamePassword(string username, string password)
        {
            // Hash the typed password. Crypto.HashPassword draws a fresh random
            // salt on every call, so this string differs from the one in the DB.
            var hashedPassword = Crypto.HashPassword(password);

            // Look up the stored ASP.NET Identity password hash for this user name.
            var pass = (from u in db.AspNetUsers
                        where u.UserName.Equals(username)
                        select u.PasswordHash).Take(1);
            string hashpassinDb = Convert.ToString(pass.FirstOrDefault());

            // Compare the stored hash against the freshly computed hash
            // (this is the comparison the question is asking about).
            return Crypto.VerifyHashedPassword(hashpassinDb, hashedPassword);
        }
    }
}
Answer 1:
Password hashes are usually compared using the method VerifyHashedPassword from the PasswordHasher class. Check this link: Verifies that a password matches the hashed password.
Edit:
As per the comment, it turns out that using Crypto.HashPassword will produce a hash value different from the hash value saved in my database.
You need to provide an IPasswordHasher implementation that can provide the clear password without hashing.
using Microsoft.AspNet.Identity;

// Stores and compares passwords in the clear; no hashing takes place.
public class ClearPassword : IPasswordHasher
{
    public string HashPassword(string password)
    {
        return password;
    }

    // Required by IPasswordHasher: the "hash" is the plain password itself.
    public PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
    {
        return hashedPassword == providedPassword
            ? PasswordVerificationResult.Success
            : PasswordVerificationResult.Failed;
    }
}

This will give you the clear password, which you can use to compare with the entered password.
Answer 2:
The second parameter to Crypto.VerifyHashedPassword isn't meant to be hashed; it's meant to be plain text.
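As an added example (not code from the question or from either answer), here is a Python re-implementation of the hash layout that both System.Web.Helpers.Crypto.HashPassword and the ASP.NET Identity 2.x PasswordHasher emit: base64 of a 0x00 format marker, a 16-byte random salt and a 32-byte PBKDF2-HMAC-SHA1 subkey derived with 1000 iterations. It shows why the questioner's call can never succeed: every HashPassword call draws a new salt, so hashing the typed password a second time does not reproduce the stored string, and VerifyHashedPassword has to receive the plaintext so it can reuse the salt embedded in the stored hash. The `login_check` helper and the sample password are constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Layout shared by System.Web.Helpers.Crypto and ASP.NET Identity 2.x PasswordHasher:
#   base64( 0x00 || salt[16] || PBKDF2-HMAC-SHA1(password, salt, 1000 iters)[32] )
FORMAT_MARKER = 0x00
SALT_SIZE = 16
SUBKEY_SIZE = 32
ITERATIONS = 1000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Equivalent of Crypto.HashPassword / PasswordHasher.HashPassword.

    A fresh random salt is drawn on every call, which is exactly why two
    hashes of the same password are never string-equal.
    """
    if salt is None:
        salt = os.urandom(SALT_SIZE)
    if len(salt) != SALT_SIZE:
        raise ValueError("salt must be %d bytes" % SALT_SIZE)
    subkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                 ITERATIONS, SUBKEY_SIZE)
    return base64.b64encode(bytes([FORMAT_MARKER]) + salt + subkey).decode("ascii")


def verify_hashed_password(hashed_password: str, provided_password: str) -> bool:
    """Equivalent of Crypto.VerifyHashedPassword.

    The second argument is the plaintext the user typed, never a hash: the
    salt is pulled out of the stored value, the subkey is re-derived with
    that same salt, and the two subkeys are compared in constant time.
    """
    try:
        blob = base64.b64decode(hashed_password, validate=True)
    except (ValueError, binascii.Error):
        return False
    if len(blob) != 1 + SALT_SIZE + SUBKEY_SIZE or blob[0] != FORMAT_MARKER:
        return False
    salt = blob[1:1 + SALT_SIZE]
    stored_subkey = blob[1 + SALT_SIZE:]
    candidate = hashlib.pbkdf2_hmac("sha1", provided_password.encode("utf-8"),
                                    salt, ITERATIONS, SUBKEY_SIZE)
    return hmac.compare_digest(candidate, stored_subkey)


def login_check(stored_hash: str, typed_password: str) -> Tuple[bool, bool]:
    """Constructed helper: (questioner's approach, correct approach).

    The first element hashes the typed password again before verifying, as
    the question's controller does; the second passes the plaintext.
    """
    rehashed_then_verified = verify_hashed_password(stored_hash, hash_password(typed_password))
    plaintext_verified = verify_hashed_password(stored_hash, typed_password)
    return rehashed_then_verified, plaintext_verified


if __name__ == "__main__":
    # Constructed sample: what the AspNetUsers.PasswordHash column would hold.
    stored = hash_password("P@ssw0rd!")
    print("stored hash:", stored)
    print("rehash-then-verify, plaintext-verify:", login_check(stored, "P@ssw0rd!"))
```

Because the layout is the same one the .NET APIs use, a value taken from the AspNetUsers.PasswordHash column can be fed to `verify_hashed_password` and a value from `hash_password` verifies under Crypto.VerifyHashedPassword; the controller in the question only needs to pass `password` rather than `hashedPassword` as the second argument.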
Source: https://stackoverflow.com/questions/39289540/asp-net-identitys-way-of-hashing-password-compared-to-crypto-hashpassword