本文介绍了如何使用ajax和javascript安全地将密码发送到服务器的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
为了保护密码,我需要将密码安全地发送到服务器,但不要使用SSL或HTTPS.
我也使用AjaxPro将数据发送到服务器.
这是javascript代码:
in order to protect password I need to send password to the server securely but not to use SSL or HTTPS.
also I use AjaxPro to send data to the server.
Here is javascript code :
/**
 * Passes the credentials typed by the user to the server-side Login method
 * through the AjaxMethods proxy (presumably generated by AjaxPro, which the
 * question says is in use).
 *
 * NOTE(review): encoding or hashing the password inside this function does
 * not make a plain-HTTP login safe. The script is delivered over the same
 * unprotected channel, and whatever value is sent here becomes the credential
 * the server accepts, so a captured request can simply be replayed. Serve the
 * page and the Ajax endpoint over HTTPS and send the password as typed.
 *
 * @param {string} username account name entered in the form
 * @param {string} password password entered in the form
 */
function checkPW(username, password)
{
    // The server's answer is stored but not acted on, as in the original snippet.
    var loginResult = AjaxMethods.Login(username, password);
}
这是C#代码
Here is c# code
/// <summary>
/// Ajax-exposed login entry point: hands the submitted credentials to
/// <c>ChekingUsernameAndPassword</c> and returns its result.
/// </summary>
/// <param name="username">Account name sent by the browser.</param>
/// <param name="password">Password value sent by the browser.</param>
/// <returns>Whatever <c>ChekingUsernameAndPassword</c> reports for the pair.</returns>
/// <remarks>
/// NOTE(review): there is nothing to "decode" here that would protect the
/// password in transit. Any client-side transformation only changes which
/// string acts as the password; confidentiality on the wire comes from TLS.
/// The checker is not shown on this page; presumably it compares against a
/// stored hash, which should be verified.
/// </remarks>
[AjaxMethod]
public bool Login(string username, string password)
{
    bool accepted = ChekingUsernameAndPassword(username, password);
    return accepted;
}
提前谢谢.
此致,Jamal.
Thanks in advance.
Regards Jamal.
推荐答案
// I am not in favor of storing passwords reversibly (encrypt/decrypt).
// I store the password as bytes in the users table, then
// whenever it is retrieved I compare it as bytes...
// Ignoring the risk of a down vote…
// So here it is...
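/// <summary>
/// Returns the 16-byte MD5 digest of <paramref name="dat"/> after encoding it as ASCII.
/// Despite the name this is a one-way hash, not encryption: there is no key and no
/// way to get the input back.
/// </summary>
/// <param name="dat">Text to hash; a null value makes the encoder throw ArgumentNullException.</param>
/// <returns>The MD5 digest bytes.</returns>
/// <remarks>
/// NOTE(review): the output is kept byte-for-byte compatible so values already stored
/// still compare equal, but this is not a sound password hash. MD5 is fast and the
/// digest is unsalted, so equal passwords give equal digests and offline guessing is
/// cheap. New deployments should store a per-user salt with a slow derivation such as
/// PBKDF2 (<c>Rfc2898DeriveBytes</c>) and migrate existing rows at next login.
/// ASCII encoding turns every non-ASCII character into '?', so distinct passwords that
/// differ only in such characters hash to the same value.
/// Hashing on the server does nothing for the password in transit; that needs TLS.
/// </remarks>
private static byte[] encrypt(string dat)
{
    byte[] input = System.Text.Encoding.ASCII.GetBytes(dat);

    // The provider holds a native handle; dispose it instead of leaving it to the finalizer.
    using (System.Security.Cryptography.MD5CryptoServiceProvider md5 =
        new System.Security.Cryptography.MD5CryptoServiceProvider())
    {
        return md5.ComputeHash(input);
    }
}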
问候
Regards,
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;
using System.Data;
/// <summary>
/// Property bag describing one account as the login page reads and writes it.
/// Every member is a plain string with a public getter and setter.
/// </summary>
public class User
{
    // No explicit constructor is declared: the compiler supplies the same public
    // parameterless constructor that the empty one provided.

    /// <summary>Login identifier typed by the user.</summary>
    public string UserId { get; set; }

    /// <summary>Display name of the account.</summary>
    public string UserName { get; set; }

    /// <summary>Payor code associated with the account.</summary>
    public string PayorCode { get; set; }

    /// <summary>Application the account belongs to.</summary>
    public string Application { get; set; }

    /// <summary>Access level label, e.g. the "admin" value the page assigns.</summary>
    public string AccessLevel { get; set; }

    /// <summary>Activation date kept as text. NOTE(review): no format is enforced here.</summary>
    public string ActivationDate { get; set; }

    /// <summary>Identifier of whoever created the account.</summary>
    public string CreatedBy { get; set; }

    /// <summary>
    /// Password field. The login page first puts the typed password here and then
    /// overwrites it with the output of its Encrypt helper before querying.
    /// </summary>
    public string Pwd { get; set; }

    /// <summary>Activation flag; the page treats "Y" as active.</summary>
    public string Status { get; set; }
}
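/// <summary>
/// Code-behind of the login page. On a login click it transforms the typed password
/// with <see cref="Encrypt"/>, looks up a matching row in the users table and writes
/// the outcome to <c>lblValidation</c>.
/// </summary>
/// <remarks>
/// NOTE(review): the password reaches this code as whatever the browser posted;
/// nothing in this class protects it in transit, so the page has to be served over
/// HTTPS. All SQL here is parameterized: the text boxes are untrusted input and must
/// never be concatenated into a statement.
/// </remarks>
public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
    }

    /// <summary>
    /// Handles the login button: derives the stored form of the password, queries
    /// for a matching account and reports the outcome in <c>lblValidation</c>.
    /// </summary>
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        User user = new User();
        user.UserId = this.txtUserId.Text;
        user.CreatedBy = this.txtUserId.Text;
        user.Pwd = this.txtPassword.Text;

        // Sample values; they are only consumed by the commented-out InsertNewUser
        // call below and play no part in the credential check.
        user.UserName = "Algem";
        user.PayorCode = "FWB";
        user.Application = "XP";
        user.AccessLevel = "admin";
        user.Status = "Y";

        // Replace the typed password with the same transformation used for stored values.
        user.Pwd = Encrypt(user.Pwd, 14);

        //var ok = InsertNewUser( user);
        var userCredential = GetUserCredential(user.UserId, user.Pwd);
        if (userCredential.UserId == null)
        {
            // One message for "no such user" and "wrong password", so the page does
            // not reveal which user ids exist.
            lblValidation.Text = "Invalid UserID or Password";
        }
        else if (userCredential.Status != "Y")
        {
            // Check the Status read from the database row. The original tested the
            // locally built object, whose Status is always "Y", so this branch could
            // never run.
            lblValidation.Text = "Account is not yet activated";
        }
        else
        {
            lblValidation.Text = "Authenticated user. Go to main menu...";
            // goto main menu...
        }
    }

    /// <summary>
    /// Inserts <paramref name="user"/> into the users table, with ActivationDate set
    /// by the database through GetDate().
    /// </summary>
    /// <param name="user">Account to store; <c>Pwd</c> is written exactly as given.</param>
    /// <returns>Always true when the statement ran; failures surface as exceptions.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="user"/> is null.</exception>
    public bool InsertNewUser(User user)
    {
        if (user == null)
        {
            throw new ArgumentNullException("user");
        }

        // The statement on the page listed nine columns but supplied a single value;
        // the missing values are bound as parameters rather than spliced into the text.
        const string sql =
            "INSERT INTO users(UserId, UserName, Pwd, PayorCode, Application, AccessLevel,"
            + "Status,CreatedBy, ActivationDate) "
            + "VALUES(@UserId, @UserName, @Pwd, @PayorCode, @Application, @AccessLevel,"
            + "@Status, @CreatedBy, GetDate()) ";

        // Both objects are disposed on every path; the original never closed the connection.
        using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["SQLConnection"].ToString()))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;
            cmd.Parameters.AddWithValue("@UserId", (object)user.UserId ?? DBNull.Value);
            cmd.Parameters.AddWithValue("@UserName", (object)user.UserName ?? DBNull.Value);
            cmd.Parameters.AddWithValue("@Pwd", (object)user.Pwd ?? DBNull.Value);
            cmd.Parameters.AddWithValue("@PayorCode", (object)user.PayorCode ?? DBNull.Value);
            cmd.Parameters.AddWithValue("@Application", (object)user.Application ?? DBNull.Value);
            cmd.Parameters.AddWithValue("@AccessLevel", (object)user.AccessLevel ?? DBNull.Value);
            cmd.Parameters.AddWithValue("@Status", (object)user.Status ?? DBNull.Value);
            cmd.Parameters.AddWithValue("@CreatedBy", (object)user.CreatedBy ?? DBNull.Value);

            conn.Open();
            cmd.ExecuteNonQuery();
        }

        return true;
    }

    /// <summary>
    /// Looks up the account whose UserId and stored Pwd both match the arguments.
    /// </summary>
    /// <param name="userId">User id as typed; bound as a parameter, never concatenated.</param>
    /// <param name="pwd">Password already transformed by <see cref="Encrypt"/>.</param>
    /// <returns>
    /// A <see cref="User"/> filled from the first matching row, or one whose
    /// <c>UserId</c> is null when no row matches.
    /// </returns>
    private User GetUserCredential(string userId, string pwd)
    {
        string UserSqlConnection = ConfigurationManager.ConnectionStrings["SQLConnection"].ToString();

        // Parameter placeholders keep the user-supplied id out of the SQL text; with
        // the concatenated form a crafted id could rewrite the WHERE clause.
        const string qry = "SELECT * FROM [TestDB].[dbo].[users] where UserId = @UserId and Pwd = @Pwd";
        User user = new User();

        using (SqlConnection conn = new SqlConnection(UserSqlConnection))
        using (SqlCommand cmd = new SqlCommand(qry, conn))
        {
            cmd.CommandType = CommandType.Text;
            cmd.Parameters.AddWithValue("@UserId", (object)userId ?? DBNull.Value);
            cmd.Parameters.AddWithValue("@Pwd", (object)pwd ?? DBNull.Value);

            conn.Open();
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                if (dr.Read())
                {
                    user.UserId = dr["UserId"].ToString();
                    user.UserName = dr["UserName"].ToString();
                    user.PayorCode = dr["PayorCode"].ToString();
                    user.AccessLevel = dr["AccessLevel"].ToString();
                    user.Application = dr["Application"].ToString();
                    // Status is among the columns InsertNewUser writes; the caller
                    // needs it for the activation check.
                    user.Status = dr["Status"].ToString();
                }
            }
        }

        // Exceptions propagate unchanged; the original "throw ex" discarded the stack trace.
        return user;
    }

    /// <summary>
    /// Produces the string this page stores and compares as the password: the MD5
    /// digest of the ASCII bytes of <paramref name="dat"/>, each digest byte
    /// integer-divided by <paramref name="keyNumber"/>, with the decimal results
    /// concatenated without separators.
    /// </summary>
    /// <param name="dat">Text to transform; null makes the encoder throw.</param>
    /// <param name="keyNumber">Divisor applied to every digest byte; 0 throws DivideByZeroException.</param>
    /// <returns>The concatenated decimal quotients.</returns>
    /// <remarks>
    /// NOTE(review): the output is kept identical so stored values still match, but
    /// this is neither encryption nor a sound password hash. MD5 is fast and unsalted,
    /// and the division throws information away (with 14 every byte collapses to a
    /// value from 0 to 18), so many different digests yield the same stored string.
    /// ASCII encoding also maps every non-ASCII character to '?'. Plan a migration to
    /// a per-user salted, slow derivation such as PBKDF2 (<c>Rfc2898DeriveBytes</c>),
    /// re-hashing each account at its next successful login.
    /// </remarks>
    private static string Encrypt(string dat, int keyNumber)
    {
        byte[] digest;

        // Dispose the provider deterministically; the original left it to the finalizer.
        using (System.Security.Cryptography.MD5CryptoServiceProvider md5 =
            new System.Security.Cryptography.MD5CryptoServiceProvider())
        {
            digest = md5.ComputeHash(System.Text.Encoding.ASCII.GetBytes(dat));
        }

        System.Text.StringBuilder pwd = new System.Text.StringBuilder();
        foreach (byte b in digest)
        {
            pwd.Append((b / keyNumber).ToString());
        }

        return pwd.ToString();
    }
}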