A more comprehensive ASP.NET submission verification scheme

When I was first learning ASP.NET, I found that the popular online tutorials on image (CAPTCHA) verification of form submissions had many problems, such as:
The verification code is stored in the page markup or in a cookie, so it is exposed to the client;
Storing the verification code in the session fixes the exposure problem, but a single session variable holds only one code, so if the user opens several pages and submits them separately, the later pages cannot be verified normally;
The verification code never expires, which leaves a hidden danger: brute-force guessing becomes feasible (it can of course also be limited by refresh intervals, submission intervals, blacklists and similar means);
Submission itself has a further problem: repeated submissions.
To solve these problems I took many detours before arriving at a scheme that addresses all of them well. This article presents that scheme in combination with ADO.NET Entity Framework.
The core of the scheme is to store the verification codes of all requested pages, together with their related information, in the database (this could also be done with the session or similar, but I personally find the database better).
First, create a SQL Server table named "Commit Validation":
[Image of the "Commit Validation" table design; not preserved in the source]
The ID field stores the unique ID of the verification record and is used for lookups; we pass this value to the client so that the corresponding record can be retrieved again on postback. It uses the GUID format to ensure uniqueness and complexity, so the client has little chance of forging it;
The SessionID field stores the SessionID, ensuring that the verification record corresponds to the user's session; you can omit this field if you do not care whether the client is hijacked.
The ValidationCode field stores the original verification code text; it is used to check the user's input, and the image-generation function looks this data up by ID to render the corresponding verification image.
The Committed field records whether this verification record has already been used. If you do not need to give the user an explicit error message, you can simply delete the record once it is used instead of keeping this field.
The Expiration field's data is used when expired records are cleaned up.
Once the database is built, you can create the ADO.NET Entity Framework data model (EDM):
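The table described above, together with the issue, verify-and-consume and cleanup queries that go with it, as an added T-SQL example; it is not the article's own script (its schema image is missing), and the column names, types, five-minute lifetime and sample values are assumptions.

```sql
-- Added example, not the article's own script (its schema image did not survive).
-- Column names, types, the 5-minute lifetime and the sample values are assumptions.
CREATE TABLE CommitValidation (
    Id             UNIQUEIDENTIFIER NOT NULL PRIMARY KEY,  -- handed to the client; a GUID is not guessable
    SessionId      NVARCHAR(64)     NOT NULL,              -- ASP.NET SessionID the record is bound to
    ValidationCode NVARCHAR(16)     NOT NULL,              -- text rendered into the image, never sent as text
    Committed      BIT              NOT NULL DEFAULT 0,    -- 1 once the code has been consumed
    Expiration     DATETIME2        NOT NULL               -- records past this time are never accepted
);
CREATE INDEX IX_CommitValidation_Expiration ON CommitValidation (Expiration);

-- Issuing a code when a form is rendered: one row per rendered form, so a user
-- with several pages open gets an independent code on each (constructed sample values).
DECLARE @Id UNIQUEIDENTIFIER = NEWID();
DECLARE @SessionId NVARCHAR(64) = N'sample-session-id';
DECLARE @Code NVARCHAR(16) = N'7K3QX';
INSERT INTO CommitValidation (Id, SessionId, ValidationCode, Committed, Expiration)
VALUES (@Id, @SessionId, @Code, 0, DATEADD(MINUTE, 5, SYSUTCDATETIME()));
-- Only @Id goes to the client (hidden field / image URL); @Code stays server-side.

-- Verifying a postback: check and consume in ONE statement, so two concurrent
-- submissions of the same form cannot both pass (no check-then-mark race).
DECLARE @UserInput NVARCHAR(16) = N'7K3QX';   -- what the user typed (constructed)
UPDATE CommitValidation
   SET Committed = 1
 WHERE Id = @Id                               -- the value posted back from the hidden field
   AND SessionId = @SessionId                 -- the current request's SessionID
   AND ValidationCode = @UserInput            -- column collation decides case sensitivity
   AND Committed = 0
   AND Expiration > SYSUTCDATETIME();
-- @@ROWCOUNT = 1: code correct, unused, unexpired and bound to this session.
-- @@ROWCOUNT = 0: any failure; a SELECT on Id can tell "already used" from "wrong"
-- when the page should show a specific error (the purpose of the Committed column).
SELECT CASE WHEN @@ROWCOUNT = 1 THEN 'accepted' ELSE 'rejected' END AS Result;

-- Housekeeping for the Expiration column: run on a schedule, not per request.
DELETE FROM CommitValidation WHERE Expiration <= SYSUTCDATETIME();
```

Running the UPDATE a second time with the same @Id returns @@ROWCOUNT = 0 because Committed is already 1, which is exactly the repeated-submission case the article lists.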
[Image of the generated Entity Framework data model; not preserved in the source]
This model is generated directly from the existing database and needs no further changes.
