5.8. Transferring Login Credentials Securely
Problem
You need to protect login credentials during transmission over the network and when they are stored within a database.
Solution
Use password hashing and
salting with the
.NET
FormsAuthentication class to control user
authentication and access to the application.
The schema of table TBL0508 used in this solution is shown in Table 5-5.
Table 5-5. TBL0508 schema
|
Column name |
Data type |
Length |
Allow nulls? |
|---|---|---|---|
|
UserName |
|
50 |
No |
|
PasswordHash |
|
50 |
No |
|
PasswordSalt |
|
50 |
No |
The sample code contains two event handlers:
- Create
Button.Click Creates a GUID-based salt and generates a hash of the password concatenated with the salt for a user-specified password. The username, password hash, and salt are inserted into a database.
- Login
Button.Click Retrieves the salt and the hash of the password and salt from the database for the specified username. The user-entered password is concatenated with the retrieved salt and the hash is generated. If the hash matches the hash retrieved from the database, the user is authenticated.
The C# code is shown in Example 5-8.
Example 5-8. File: ADOCookbookCS0508.aspx.cs
// Namespaces, variables, and constants using System; using System.Configuration; using System.Web.Security; using System.Data; using System.Data.SqlClient; private const String TABLENAME = "TBL0508"; // . . . private void createButton_Click(object sender, System.EventArgs e) { // Create and display the password salt. String ...Get ADO.NET Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
