Mala Implementacion en Forms Authentication

10/08/2004 - 04:32 por Luis Esteban Valencia | Informe spam
Primero que todo la tabla de usuarios tiene un campo contraseña que es
varchar(40), salt char(10)

El formulario de registrate hace algo como esto

Dim passwordencryptado As String = obj.CreatePasswordhash(contraseña.Text,
salt)

la funcion es

Public Shared Function CreatePasswordhash(ByVal pwd As String, ByVal salt As
String) As String

Dim saltandpwd As String = String.Concat(pwd, salt)

Dim hashedpwd As String FormsAuthentication.HashPasswordForStoringInConfigFile(saltandpwd, "SHA1")

Return hashedpwd

End Function

luego se ingresa el usuario

con esta funcion



Public Function ingresarusuarios(ByVal connstr As String, ByVal login As
String, ByVal nombrereal As String, ByVal contra As String, ByVal email As
String, ByVal ciudad As Int16, ByVal pais As Int16, ByVal sitioweb As
String, ByVal salt As String) As Int32

Dim objcargardatos As Library.datos = New Library.datos

sqlConn.ConnectionString = connstr

sqlConn.Open()

Dim mysqlcommand As SqlCommand = New SqlCommand

mysqlcommand.Connection = sqlConn

mysqlcommand.CommandText = "insertarusuario"

mysqlcommand.CommandType = CommandType.StoredProcedure

mysqlcommand.Parameters.Add("@login", SqlDbType.Char, 10)

mysqlcommand.Parameters("@login").Value = login

mysqlcommand.Parameters.Add("@nombrereal", SqlDbType.Char, 10)

mysqlcommand.Parameters("@nombrereal").Value = nombrereal

mysqlcommand.Parameters.Add("@contraseña", SqlDbType.NVarChar, 40)

mysqlcommand.Parameters("@contraseña").Value = contra

mysqlcommand.Parameters.Add("@email", SqlDbType.Char, 100)

mysqlcommand.Parameters("@email").Value = email

mysqlcommand.Parameters.Add("@ciudad", SqlDbType.Int, 4)

mysqlcommand.Parameters("@ciudad").Value = ciudad

mysqlcommand.Parameters.Add("@pais", SqlDbType.Int, 4)

mysqlcommand.Parameters("@pais").Value = pais

mysqlcommand.Parameters.Add("@sitioweb", SqlDbType.Char, 100)

mysqlcommand.Parameters("@sitioweb").Value = sitioweb

mysqlcommand.Parameters.Add("@salt", SqlDbType.Char, 10)

mysqlcommand.Parameters("@salt").Value = salt

mysqlcommand.Parameters.Add("@numero", SqlDbType.Char, 100)

mysqlcommand.Parameters("@numero").Direction = ParameterDirection.Output

'mysqlcommand.Parameters("@numero").Value = 0

mysqlcommand.ExecuteNonQuery()

Dim generico As Int32 = mysqlcommand.Parameters("@numero").Value

Return generico

End Function





la funcion se llama asi
activationcode = objcargardatos.ingresarusuarios(str, login.Text,
nombrereal.Text, passwordencryptado, email.Text, drciudades.SelectedValue,
drpaises.SelectedValue, sitioweb.Text, salt)



y eso devuelve un codigo de activacion

El codigo de la pagina de login es:



Public Shared Function CreateSalt(ByVal size As Int32) As String

Dim rng As RNGCryptoServiceProvider = New RNGCryptoServiceProvider

Dim buff(size) As Byte

rng.GetBytes(buff)

Return Convert.ToBase64String(buff)

End Function

Public Shared Function CreatePasswordhash(ByVal pwd As String, ByVal salt As
String) As String

Dim saltandpwd As String = String.Concat(pwd, salt)

Dim hashedpwd As String FormsAuthentication.HashPasswordForStoringInConfigFile(saltandpwd, "SHA1")

Return hashedpwd

End Function



Private Sub btnlogin_Click(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles btnlogin.Click

Dim passwordverified As Boolean = False

Try

passwordverified = VerifyPassword(login.Text, pass.Text)

Catch ex As Exception

lblmensaje.Text = ex.Message

End Try

If passwordverified = True Then

lblmensaje.Text = " Login exitoso·"

Else

lblmensaje.Text = "Usuario invalido"

End If





End Sub

Private Function VerifyPassword(ByVal suppliedUsername As String, ByVal
suppliedpassword As String) As Boolean

Dim passwordmatch As Boolean = False

Dim str As String = Application("connstring")

Dim sqlconnection1 As sqlconnection

sqlconnection1.ConnectionString = str

Dim mycmd As SqlCommand = New SqlCommand

mycmd.CommandText = "lookupuser"

mycmd.Connection = sqlconnection1

mycmd.Parameters.Add("@login", SqlDbType.Char, 10)

mycmd.Parameters("@login").Value = suppliedUsername

Try

sqlconnection1.Open()

Dim reader As SqlDataReader = mycmd.ExecuteReader()

reader.Read()

Dim dbPasswordHash As String = reader.GetString(0)

Dim salt As String = reader.GetString(1)

reader.Close()

Dim passwordandsalt As String = String.Concat(suppliedpassword, salt)

Dim hashedPasswordAndSalt As String FormsAuthentication.HashPasswordForStoringInConfigFile(passwordandsalt,
"SHA1")

passwordmatch = hashedPasswordAndSalt.Equals(dbPasswordHash)

Catch ex As Exception

Throw New Exception("Exception verifying password" + ex.Message)

End Try

Return passwordmatch

End Function

+

este es el SP de lookupuser



ALTER PROCEDURE LookupUser

@login varchar(255)

AS

SELECT contraseña, salt

FROM tblusuarios

WHERE login = @login



Yo segui los pasos de:

http://msdn.microsoft.com/library/e...frame=true

pero lo pase a Visual Basic.net



cuando trato de logearme me aparece siempre usuario invalido. asi haya
digitado mal la contraseñla

Preguntas similare

Leer las respuestas

#1 Franco Figún
10/08/2004 - 04:51 | Informe spam
No me funciona el link, me lo podrias pasar entero, ya que me gustarìa
probar dicho ejemplo?
De paso veo si te puedo ayudar.
Gracias

FF
www.francofigun.com.ar
Yahoo MSN:

"Luis Esteban Valencia" escribió en el mensaje
news:O$
Primero que todo la tabla de usuarios tiene un campo contraseña que es
varchar(40), salt char(10)

El formulario de registrate hace algo como esto

Dim passwordencryptado As String = obj.CreatePasswordhash(contraseña.Text,
salt)

la funcion es

Public Shared Function CreatePasswordhash(ByVal pwd As String, ByVal salt


As
String) As String

Dim saltandpwd As String = String.Concat(pwd, salt)

Dim hashedpwd As String > FormsAuthentication.HashPasswordForStoringInConfigFile(saltandpwd, "SHA1")

Return hashedpwd

End Function

luego se ingresa el usuario

con esta funcion



Public Function ingresarusuarios(ByVal connstr As String, ByVal login As
String, ByVal nombrereal As String, ByVal contra As String, ByVal email As
String, ByVal ciudad As Int16, ByVal pais As Int16, ByVal sitioweb As
String, ByVal salt As String) As Int32

Dim objcargardatos As Library.datos = New Library.datos

sqlConn.ConnectionString = connstr

sqlConn.Open()

Dim mysqlcommand As SqlCommand = New SqlCommand

mysqlcommand.Connection = sqlConn

mysqlcommand.CommandText = "insertarusuario"

mysqlcommand.CommandType = CommandType.StoredProcedure

mysqlcommand.Parameters.Add("@login", SqlDbType.Char, 10)

mysqlcommand.Parameters("@login").Value = login

mysqlcommand.Parameters.Add("@nombrereal", SqlDbType.Char, 10)

mysqlcommand.Parameters("@nombrereal").Value = nombrereal

mysqlcommand.Parameters.Add("@contraseña", SqlDbType.NVarChar, 40)

mysqlcommand.Parameters("@contraseña").Value = contra

mysqlcommand.Parameters.Add("@email", SqlDbType.Char, 100)

mysqlcommand.Parameters("@email").Value = email

mysqlcommand.Parameters.Add("@ciudad", SqlDbType.Int, 4)

mysqlcommand.Parameters("@ciudad").Value = ciudad

mysqlcommand.Parameters.Add("@pais", SqlDbType.Int, 4)

mysqlcommand.Parameters("@pais").Value = pais

mysqlcommand.Parameters.Add("@sitioweb", SqlDbType.Char, 100)

mysqlcommand.Parameters("@sitioweb").Value = sitioweb

mysqlcommand.Parameters.Add("@salt", SqlDbType.Char, 10)

mysqlcommand.Parameters("@salt").Value = salt

mysqlcommand.Parameters.Add("@numero", SqlDbType.Char, 100)

mysqlcommand.Parameters("@numero").Direction = ParameterDirection.Output

'mysqlcommand.Parameters("@numero").Value = 0

mysqlcommand.ExecuteNonQuery()

Dim generico As Int32 = mysqlcommand.Parameters("@numero").Value

Return generico

End Function





la funcion se llama asi
activationcode = objcargardatos.ingresarusuarios(str, login.Text,
nombrereal.Text, passwordencryptado, email.Text, drciudades.SelectedValue,
drpaises.SelectedValue, sitioweb.Text, salt)



y eso devuelve un codigo de activacion

El codigo de la pagina de login es:



Public Shared Function CreateSalt(ByVal size As Int32) As String

Dim rng As RNGCryptoServiceProvider = New RNGCryptoServiceProvider

Dim buff(size) As Byte

rng.GetBytes(buff)

Return Convert.ToBase64String(buff)

End Function

Public Shared Function CreatePasswordhash(ByVal pwd As String, ByVal salt


As
String) As String

Dim saltandpwd As String = String.Concat(pwd, salt)

Dim hashedpwd As String > FormsAuthentication.HashPasswordForStoringInConfigFile(saltandpwd, "SHA1")

Return hashedpwd

End Function



Private Sub btnlogin_Click(ByVal sender As System.Object, ByVal e As
System.EventArgs) Handles btnlogin.Click

Dim passwordverified As Boolean = False

Try

passwordverified = VerifyPassword(login.Text, pass.Text)

Catch ex As Exception

lblmensaje.Text = ex.Message

End Try

If passwordverified = True Then

lblmensaje.Text = " Login exitoso·"

Else

lblmensaje.Text = "Usuario invalido"

End If





End Sub

Private Function VerifyPassword(ByVal suppliedUsername As String, ByVal
suppliedpassword As String) As Boolean

Dim passwordmatch As Boolean = False

Dim str As String = Application("connstring")

Dim sqlconnection1 As sqlconnection

sqlconnection1.ConnectionString = str

Dim mycmd As SqlCommand = New SqlCommand

mycmd.CommandText = "lookupuser"

mycmd.Connection = sqlconnection1

mycmd.Parameters.Add("@login", SqlDbType.Char, 10)

mycmd.Parameters("@login").Value = suppliedUsername

Try

sqlconnection1.Open()

Dim reader As SqlDataReader = mycmd.ExecuteReader()

reader.Read()

Dim dbPasswordHash As String = reader.GetString(0)

Dim salt As String = reader.GetString(1)

reader.Close()

Dim passwordandsalt As String = String.Concat(suppliedpassword, salt)

Dim hashedPasswordAndSalt As String > FormsAuthentication.HashPasswordForStoringInConfigFile(passwordandsalt,
"SHA1")

passwordmatch = hashedPasswordAndSalt.Equals(dbPasswordHash)

Catch ex As Exception

Throw New Exception("Exception verifying password" + ex.Message)

End Try

Return passwordmatch

End Function

+

este es el SP de lookupuser



ALTER PROCEDURE LookupUser

@login varchar(255)

AS

SELECT contraseña, salt

FROM tblusuarios

WHERE login = @login



Yo segui los pasos de:




http://msdn.microsoft.com/library/e...frame=true

pero lo pase a Visual Basic.net



cuando trato de logearme me aparece siempre usuario invalido. asi haya
digitado mal la contraseñla




Respuesta Responder a este mensaje
#2 Luis Esteban Valencia Muñoz perrohijueputa
10/08/2004 - 13:52 | Informe spam
http://msdn.microsoft.com/library/d...nnetsec/ht
ml/SecNetHT03.asp

LUIS ESTEBAN VALENCIA MUÑOZ
MIEMBRO ACTIVO DE WWW.ALIANZADEV.NET
"Franco Figún" escribió en el mensaje
news:uZ2P#
No me funciona el link, me lo podrias pasar entero, ya que me gustarìa
probar dicho ejemplo?
De paso veo si te puedo ayudar.
Gracias

FF
www.francofigun.com.ar
Yahoo MSN:

"Luis Esteban Valencia" escribió en el mensaje
news:O$
> Primero que todo la tabla de usuarios tiene un campo contraseña que es
> varchar(40), salt char(10)
>
> El formulario de registrate hace algo como esto
>
> Dim passwordencryptado As String obj.CreatePasswordhash(contraseña.Text,
> salt)
>
> la funcion es
>
> Public Shared Function CreatePasswordhash(ByVal pwd As String, ByVal


salt
As
> String) As String
>
> Dim saltandpwd As String = String.Concat(pwd, salt)
>
> Dim hashedpwd As String > > FormsAuthentication.HashPasswordForStoringInConfigFile(saltandpwd,


"SHA1")
>
> Return hashedpwd
>
> End Function
>
> luego se ingresa el usuario
>
> con esta funcion
>
>
>
> Public Function ingresarusuarios(ByVal connstr As String, ByVal login As
> String, ByVal nombrereal As String, ByVal contra As String, ByVal email


As
> String, ByVal ciudad As Int16, ByVal pais As Int16, ByVal sitioweb As
> String, ByVal salt As String) As Int32
>
> Dim objcargardatos As Library.datos = New Library.datos
>
> sqlConn.ConnectionString = connstr
>
> sqlConn.Open()
>
> Dim mysqlcommand As SqlCommand = New SqlCommand
>
> mysqlcommand.Connection = sqlConn
>
> mysqlcommand.CommandText = "insertarusuario"
>
> mysqlcommand.CommandType = CommandType.StoredProcedure
>
> mysqlcommand.Parameters.Add("@login", SqlDbType.Char, 10)
>
> mysqlcommand.Parameters("@login").Value = login
>
> mysqlcommand.Parameters.Add("@nombrereal", SqlDbType.Char, 10)
>
> mysqlcommand.Parameters("@nombrereal").Value = nombrereal
>
> mysqlcommand.Parameters.Add("@contraseña", SqlDbType.NVarChar, 40)
>
> mysqlcommand.Parameters("@contraseña").Value = contra
>
> mysqlcommand.Parameters.Add("@email", SqlDbType.Char, 100)
>
> mysqlcommand.Parameters("@email").Value = email
>
> mysqlcommand.Parameters.Add("@ciudad", SqlDbType.Int, 4)
>
> mysqlcommand.Parameters("@ciudad").Value = ciudad
>
> mysqlcommand.Parameters.Add("@pais", SqlDbType.Int, 4)
>
> mysqlcommand.Parameters("@pais").Value = pais
>
> mysqlcommand.Parameters.Add("@sitioweb", SqlDbType.Char, 100)
>
> mysqlcommand.Parameters("@sitioweb").Value = sitioweb
>
> mysqlcommand.Parameters.Add("@salt", SqlDbType.Char, 10)
>
> mysqlcommand.Parameters("@salt").Value = salt
>
> mysqlcommand.Parameters.Add("@numero", SqlDbType.Char, 100)
>
> mysqlcommand.Parameters("@numero").Direction = ParameterDirection.Output
>
> 'mysqlcommand.Parameters("@numero").Value = 0
>
> mysqlcommand.ExecuteNonQuery()
>
> Dim generico As Int32 = mysqlcommand.Parameters("@numero").Value
>
> Return generico
>
> End Function
>
>
>
>
>
> la funcion se llama asi
> activationcode = objcargardatos.ingresarusuarios(str, login.Text,
> nombrereal.Text, passwordencryptado, email.Text,


drciudades.SelectedValue,
> drpaises.SelectedValue, sitioweb.Text, salt)
>
>
>
> y eso devuelve un codigo de activacion
>
> El codigo de la pagina de login es:
>
>
>
> Public Shared Function CreateSalt(ByVal size As Int32) As String
>
> Dim rng As RNGCryptoServiceProvider = New RNGCryptoServiceProvider
>
> Dim buff(size) As Byte
>
> rng.GetBytes(buff)
>
> Return Convert.ToBase64String(buff)
>
> End Function
>
> Public Shared Function CreatePasswordhash(ByVal pwd As String, ByVal


salt
As
> String) As String
>
> Dim saltandpwd As String = String.Concat(pwd, salt)
>
> Dim hashedpwd As String > > FormsAuthentication.HashPasswordForStoringInConfigFile(saltandpwd,


"SHA1")
>
> Return hashedpwd
>
> End Function
>
>
>
> Private Sub btnlogin_Click(ByVal sender As System.Object, ByVal e As
> System.EventArgs) Handles btnlogin.Click
>
> Dim passwordverified As Boolean = False
>
> Try
>
> passwordverified = VerifyPassword(login.Text, pass.Text)
>
> Catch ex As Exception
>
> lblmensaje.Text = ex.Message
>
> End Try
>
> If passwordverified = True Then
>
> lblmensaje.Text = " Login exitoso·"
>
> Else
>
> lblmensaje.Text = "Usuario invalido"
>
> End If
>
>
>
>
>
> End Sub
>
> Private Function VerifyPassword(ByVal suppliedUsername As String, ByVal
> suppliedpassword As String) As Boolean
>
> Dim passwordmatch As Boolean = False
>
> Dim str As String = Application("connstring")
>
> Dim sqlconnection1 As sqlconnection
>
> sqlconnection1.ConnectionString = str
>
> Dim mycmd As SqlCommand = New SqlCommand
>
> mycmd.CommandText = "lookupuser"
>
> mycmd.Connection = sqlconnection1
>
> mycmd.Parameters.Add("@login", SqlDbType.Char, 10)
>
> mycmd.Parameters("@login").Value = suppliedUsername
>
> Try
>
> sqlconnection1.Open()
>
> Dim reader As SqlDataReader = mycmd.ExecuteReader()
>
> reader.Read()
>
> Dim dbPasswordHash As String = reader.GetString(0)
>
> Dim salt As String = reader.GetString(1)
>
> reader.Close()
>
> Dim passwordandsalt As String = String.Concat(suppliedpassword, salt)
>
> Dim hashedPasswordAndSalt As String > > FormsAuthentication.HashPasswordForStoringInConfigFile(passwordandsalt,
> "SHA1")
>
> passwordmatch = hashedPasswordAndSalt.Equals(dbPasswordHash)
>
> Catch ex As Exception
>
> Throw New Exception("Exception verifying password" + ex.Message)
>
> End Try
>
> Return passwordmatch
>
> End Function
>
> +
>
> este es el SP de lookupuser
>
>
>
> ALTER PROCEDURE LookupUser
>
> @login varchar(255)
>
> AS
>
> SELECT contraseña, salt
>
> FROM tblusuarios
>
> WHERE login = @login
>
>
>
> Yo segui los pasos de:
>
>



http://msdn.microsoft.com/library/e...sp?frame=t
rue
>
> pero lo pase a Visual Basic.net
>
>
>
> cuando trato de logearme me aparece siempre usuario invalido. asi haya
> digitado mal la contraseñla
>
>
>
>


email Siga el debate Respuesta Responder a este mensaje
Ads by Google
Help Hacer una preguntaRespuesta Tengo una respuesta
Search Busqueda sugerida