Last night I watched the video; this morning, working from memory and the video's code, I tried to build a login page, and the basic functionality works.
0x0: The first step is the interface. I took someone else's page directly, changed the various paths and so on, opened it in the browser, and the basic interface was fine.
0x1: Generate the verification code (CAPTCHA). Add a generic handler, ValidateCode.ashx. The drawing is wrapped in its own class, implemented with GDI+; the method inside the class returns the image directly as image/jpeg. Then add JavaScript to the ASPX page that registers a click event on the CAPTCHA image and changes its src attribute on every click (appending an incrementing number to the query string) so the browser requests it again. The generic handler also implements the IRequiresSessionState interface; when I looked at its definition it was empty, because it is a marker interface: implementing it is what lets the handler use Session. In the code-behind of ValidateCode.ashx add context.Session["ValidateCode"] = strCode; to record the generated code in the session.
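The handler described above, written out as an added example (not the blog's own code): a generic handler that draws the code with GDI+, marks itself with IRequiresSessionState and stores the text in Session["ValidateCode"]. The file name ValidateCode.ashx, the image size and the alphabet are assumptions.

```csharp
using System;
using System.Drawing;
using System.Drawing.Imaging;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;

// IRequiresSessionState is an empty marker interface: it tells ASP.NET to load
// the session for this handler so context.Session is usable.
public class ValidateCode : IHttpHandler, IRequiresSessionState
{
    // 32 characters that are hard to confuse (no 0/O, 1/I); 256 % 32 == 0, so no modulo bias.
    private const string Alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";

    public void ProcessRequest(HttpContext context)
    {
        string code = GenerateCode(4);
        // Stored server-side; the login page compares against this value and then clears it.
        context.Session["ValidateCode"] = code;

        context.Response.ContentType = "image/jpeg";
        // No caching, so the click-to-refresh in the page really fetches a new image.
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        using (Bitmap bmp = new Bitmap(80, 30))
        using (Graphics g = Graphics.FromImage(bmp))
        using (Font font = new Font("Arial", 16, FontStyle.Bold))
        using (Pen pen = new Pen(Color.Gray))
        {
            g.Clear(Color.White);
            g.DrawString(code, font, Brushes.DarkBlue, 4, 4);
            Random rnd = new Random();  // noise lines only; the code itself uses the CSPRNG below
            for (int i = 0; i < 6; i++)
                g.DrawLine(pen, rnd.Next(80), rnd.Next(30), rnd.Next(80), rnd.Next(30));
            bmp.Save(context.Response.OutputStream, ImageFormat.Jpeg);
        }
    }

    // Cryptographic RNG so the code cannot be predicted from a seed.
    private static string GenerateCode(int length)
    {
        byte[] bytes = new byte[length];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        char[] chars = new char[length];
        for (int i = 0; i < length; i++)
            chars[i] = Alphabet[bytes[i] % Alphabet.Length];
        return new string(chars);
    }
    public bool IsReusable { get { return false; } }
}
```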
0x2: Cookie. On the first request, put the last logged-in user name into the text box.
if (!IsPostBack)
{
    // First request: read the last logged-in user name from the cookie into the text box
    LastLoginName = Request.Cookies["UserName"] == null ? string.Empty : Request.Cookies["UserName"].Value;
}
0x3: If IsPostBack is true, this is a login request. First write the user name being logged in to the cookie: Response.Cookies["UserName"].Value = Request["TxtClientId"]; (it has to be Response.Cookies, not Request.Cookies: Request.Cookies["UserName"] is null until the cookie exists, while Response.Cookies creates it).
Then verify the verification code:
string requestCode = Request["TxtCode"];
string sessionCode = Session["ValidateCode"] == null ? string.Empty : Session["ValidateCode"].ToString();
Session["ValidateCode"] = null; // cleared after a single comparison
Get the code the user entered and the code stored in the session, then clear the session value.
Now compare the two codes: if they are equal and not empty, the verification code is correct and you can go on to check the user name and password; if they differ, or either is empty, the verification code check failed. (PS: why clear the code in the session? To prevent brute force. If it is not cleared, an attacker can forge HTTP requests and keep guessing against the same code; Burp Suite makes that kind of brute-forcing very easy.)
If validation fails, pop up a prompt in the front end. For convenience, reserve a placeholder <%= ShowMsg %> in the page and add a ShowMsg property in the code-behind. Whatever is written to that property is rendered into the placeholder, for example <script>alert('Verification code incorrect!');</script>. (Note that <%= %> writes raw HTML, so only constant messages should go into ShowMsg; never echo user input through it.)
0x4: Verifying the user name and password is simple: the BLL layer calls a method I wrote myself, which returns a List<T>. On success, Response.Redirect() straight to the admin home page and store the element of that List<T> in the session. On failure, pop up a message through the ShowMsg placeholder.
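Steps 0x2 to 0x4 combined in one login handler, as an added example (not the blog's own code). The control names TxtClientId, TxtCode and TxtPwd, the BLL.UserService.Login method and the model class model.hksj_users are assumptions; the point is that the session code is read and cleared in one step, compared only when non-empty, and that the cookie is written through Response.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;

public partial class Login : Page
{
    // Rendered into the <%= ShowMsg %> placeholder; only constant strings go here.
    protected string ShowMsg { get; set; }

    protected void BtnLogin_Click(object sender, EventArgs e)
    {
        string userName = Request.Form["TxtClientId"] ?? string.Empty;
        string requestCode = Request.Form["TxtCode"] ?? string.Empty;

        // Read the expected code and clear it in the same step: each generated image
        // is checked exactly once, so repeated guesses against one code are impossible.
        string sessionCode = Session["ValidateCode"] as string ?? string.Empty;
        Session["ValidateCode"] = null;

        if (sessionCode.Length == 0 ||
            !string.Equals(requestCode, sessionCode, StringComparison.OrdinalIgnoreCase))
        {
            ShowMsg = "<script>alert('Verification code incorrect!');</script>";
            return;
        }

        // Remember the user name for next time; Response (not Request) creates the cookie.
        HttpCookie remember = new HttpCookie("UserName", userName);
        remember.HttpOnly = true;
        remember.Expires = DateTime.Now.AddDays(7);
        Response.Cookies.Add(remember);

        // Assumed BLL method: returns the matching users, an empty list on failure.
        List<model.hksj_users> users = new BLL.UserService().Login(userName, Request.Form["TxtPwd"]);
        if (users.Count == 0)
        {
            ShowMsg = "<script>alert('Wrong user name or password!');</script>";
            return;
        }
        Session["LoginUser"] = users[0];
        Response.Redirect("Default.aspx");
    }
}
```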
0x5: Now the problem. After a successful login we jump to the main page, but without logging in at all, typing the address directly into the browser address bar also reaches the main page, which makes the login meaningless. Every back-end page must check: if the request does not carry the session from a successful login, send it straight back to the login page with Response.Redirect(). There are too many back-end pages that need this check, so for convenience we write a single class.
How exactly? Our generated ASPX Web Forms all inherit from the System.Web.UI.Page class. We can make our own class inherit System.Web.UI.Page, and then have the Web Forms that need session validation inherit our class instead. That is equivalent to inserting a layer between the Web Forms and System.Web.UI.Page, and we do our work in that extra layer.
We add a property to this class. Because we stored the List<T> element in the session, the type of the property is T; it is used to check that a session exists. The code is as follows:
public model.hksj_users CurrentLoginUser { get; set; }
protected void Page_Init(object sender, EventArgs e)
{
    // Runs before Page_Load on every page that inherits this class
    CurrentLoginUser = Session["LoginUser"] as model.hksj_users;
    if (CurrentLoginUser == null)
    {
        // No logged-in session: send the request back to the login page
        Response.Redirect("Login.aspx");
    }
}
The Page_Init event is page initialization, which fires earlier than Page_Load. Web Forms that inherit this class therefore verify that a session exists as soon as the page is initialized.
0x6: In the video, when the session expires and the jump happens inside an IFRAME tag, the login page is loaded right there inside the IFRAME, producing a nested effect that is simply ugly!! Sites I had broken into before, where I had planted a big webshell, would nest like that after a period without activity, and that felt almost like shit!!
I logged in to the back end first, then rebuilt; supposedly the session had been dropped, so I should have run into the same situation, but in reality I could keep operating in the back end, and only a GET request typed directly into the browser address bar jumped to the login page. So my session really was dropped, right? Did the operations I did in the back end not go through Page_Init? But the screen in the video showed the nested jump. Whatever, I have not gotten to the bottom of it; I will surely meet it again. For now, here is the solution:
<%--<script type="text/javascript">
    if (window != window.top.window) {
        window.top.window.location.href = "/admin/login.aspx";
    }
</script>--%>
On the jump, check whether the page is the top-level window; if not, make the top-level window navigate to the login page.
This is the first time I have written a blog post like this, and my thinking is still very messy... Before writing, my train of thought was even more chaotic; as I wrote, it gradually straightened out somewhat. So writing a blog really is useful! It does take a bit more time, but I think a summary like this is necessary.
ASP.NET Login Summary