Question
I am trying to encrypt a random token to be stored in the user table when a user uses the forgot password field by entering their username. It will also send out an e-mail with a url to the change user password page. This url will have a query string param called 'key'.
i.e. www.mysite.com/Changepassword?key=xfsdfsdffsdfiughjksdf
Once the user clicks the link and is on this page, I have a function that gets a user by ResetToken. If it finds a user, it proceeds.
I need advice on a few things:
- What kind of random token/encryption technique should I use to ensure that no one can go to the Changepassword page, guess a key, and be able to change a user's password?
- How will I handle making this key URL-friendly?
Answer 1:
If you want to be super-secure, using the cryptographically secure random number generator would work. And converting to hex is the easiest way to ensure it's URL-safe:
using System;
using System.Linq;
using System.Security.Cryptography;

// 8 random bytes from the OS-backed cryptographic RNG
byte[] bytes = new byte[8];
using (var rng = RandomNumberGenerator.Create())
{
    rng.GetBytes(bytes);
}
// Upper-case hex: only [0-9A-F], so the key needs no URL escaping
string key = string.Join("", bytes.Select(b => b.ToString("X2")));
EDIT: Keep in mind that e-mail is potentially insecure, so it is possible (however unlikely) that your message can be intercepted by a malicious third party before reaching the recipient.
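The following is an added example, not code from the question or the answer: a hypothetical ResetTokenService that goes one step beyond the answer by storing only a SHA-256 hash of the token with an expiry, so a copied user table does not yield working reset links, and by comparing in fixed time. It assumes .NET 6 or later (RandomNumberGenerator.GetBytes, Convert.ToHexString, SHA256.HashData).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical service (not from the question or answer). The raw key goes
// only into the e-mail URL; the database keeps its hash plus an expiry.
public sealed class ResetTokenService
{
    private const int TokenBytes = 32;                       // 256 bits of entropy
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);

    public sealed record StoredToken(byte[] Hash, DateTimeOffset ExpiresUtc);

    // Returns the URL-safe key for the e-mail and the record to persist.
    public static (string Key, StoredToken Record) Issue(DateTimeOffset nowUtc)
    {
        byte[] raw = RandomNumberGenerator.GetBytes(TokenBytes);
        string key = Convert.ToHexString(raw);               // [0-9A-F] only: URL safe
        return (key, new StoredToken(HashKey(key), nowUtc + Lifetime));
    }

    // Checks the 'key' query-string value against the stored record.
    public static bool IsValid(string key, StoredToken stored, DateTimeOffset nowUtc)
    {
        if (string.IsNullOrEmpty(key) || stored == null) return false;
        if (nowUtc >= stored.ExpiresUtc) return false;       // expired token
        // Fixed-time compare so timing does not reveal how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(HashKey(key), stored.Hash);
    }

    private static byte[] HashKey(string key) =>
        SHA256.HashData(Encoding.ASCII.GetBytes(key));

    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        var (key, record) = Issue(now);
        Console.WriteLine($"Link: www.mysite.com/Changepassword?key={key}");
        Console.WriteLine($"valid now: {IsValid(key, record, now)}");              // True
        Console.WriteLine($"wrong key: {IsValid(key + "0", record, now)}");        // False
        Console.WriteLine($"after 31 min: {IsValid(key, record, now.AddMinutes(31))}"); // False
    }
}
```

The record would be written to the user row in place of the raw token, and a successful reset should delete it so the link is single-use.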
Source: https://stackoverflow.com/questions/26076540/trying-to-encrypt-a-random-key-for-password-reset-functionality