asp.net security Certification (iv): Form certification Supplement

Source: Internet
Author: User
Tags valid domain domain name
Asp.net| Security

After the first three articles were posted on the CSDN forum, the response was, to borrow the joke, "an immortal breaking wind: truly out of the ordinary." To thank the many readers for their enthusiasm and support, and after a period of brewing and cultivation, I have deliberately prepared this fourth installment.

We previously described how to achieve single sign-on with Forms authentication, but as readers pointed out, that approach only works within a single domain name. For single sign-on across domain names, besides Passport authentication we can still use Forms authentication; we just have to go about it the right way. As the saying goes, "if the mountain will not turn, the water turns; if the person will not turn, the heart turns."

First, cross-domain resolution ideas

Searching MSDN 2003 for the keyword "passport", I found the Passport authentication provider. The article describes the principle of Passport authentication in 8 steps; I will not repeat them here, go and read it yourselves. One sentence caught my attention: "... The response contains an encrypted Passport Cookie in the query string ...". It is this sentence that led to the idea below.

Whether authentication passes or not comes down, in essence, to whether a valid cookie has been issued and is being presented: whether you use Forms or Passport, it is the cookie that does the work. In other words, once the user has logged in, we only have to get a valid cookie to the client.

Two, cross domain name, cross server single sign-on method

1. How to simulate cross domain name, cross server single Sign in local computer

Whenever the host name in the address differs, the browser treats the site as a different one, and the same machine can be reached in at least the following three ways. Although they run the same project, they cannot share session or cookies, and therefore cannot share the authentication ticket:

a). http://localhost/FormTest/Login.aspx

b). http://127.0.0.1/FormTest/Login.aspx

c). http://My_Computer_Name/FormTest/Login.aspx (browse the site by computer name)

d). http://192.168.0.8/FormTest/Login.aspx (browse the site by the network card's address)

e). http://172.meibu.com/FormTest/Login.aspx (browse the site by an Internet domain name)

2. How to submit to other pages in asp.net

You probably know about ViewState; ViewState is stored on the client. In ASP.NET every .aspx page has its own ViewState, which is serialized and saved in a hidden control with name="__VIEWSTATE". Each time the page is submitted, the server checks whether that value has been tampered with, and that is what dooms an .aspx page to be submitted only to itself. But the server's rules are fixed while people are flexible: we need not be bound by these dead rules, we can write the program to work around them.

Let's enter the user name and password on http://localhost/FormTest/Login.aspx and submit them to http://127.0.0.1/FormTest/Public/LoginTransfer.aspx. Login.aspx and LoginTransfer.aspx each contain one user-name input box, one password input box and one login button. Add the following code to the Login.aspx page (code-behind):

this.btn_login.Attributes["onclick"] = "SingleSignOn()"; // run the client script before the button posts back

Insert the following script on the Login.aspx page:

<script language="JavaScript">

function SingleSignOn()

{

    // A script is the only way to change the target the form is submitted to

    document.getElementById("Form1").action = "http://127.0.0.1/FormTest/Public/LoginTransfer.aspx?FromUrl=" + window.location.href;

    // Replace the hidden __VIEWSTATE value with the one LoginTransfer.aspx renders; use the value actually seen in that page's source

    document.getElementsByName("__VIEWSTATE")[0].value = "Ddwtmtkyoduzmtmynzs7pv1cp2raxucr5hgyf8ilx9/emky8";

}

</script>

Points to note

a). Every control that appears in LoginTransfer.aspx, and its ID, must also be found in Login.aspx.

b). The control IDs must be consistent so that the controls correspond one to one.

c). The value in __VIEWSTATE has nothing to do with the page's control IDs or with the URL used to browse the page; as far as I can tell it depends only on the number and type of the controls, the namespace (namespace FormTest.Public) and the controls' view state. When testing, browse http://127.0.0.1/FormTest/Public/LoginTransfer.aspx directly and view the page source; the value you see there is the one to use.

d). After submission, the Btn_login_click event in LoginTransfer.aspx is triggered and executed.
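Step d) leaves the receiving side to the reader. The following is an added example, not code from the article, of what LoginTransfer.aspx's click handler on the second host and the originating Login.aspx can do with the cross-domain post, following the article's own cue from the Passport description (carry an encrypted ticket back to the first domain in the query string). It assumes ASP.NET 2.0 Web Forms, the same <machineKey> in both sites' web.config, control names tb_username, tb_password and lbl_message, an allowed-host list built from the article's test addresses, and credentials stored in the <credentials> section; none of these details comes from the article.

```csharp
// Added example, not the article's code. Assumes ASP.NET 2.0 Web Forms and a
// shared <machineKey> on both hosts (required for Decrypt on the other side).
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

namespace FormTest.Public
{
    // Receiving side: LoginTransfer.aspx on the second host (127.0.0.1 in the article).
    public partial class LoginTransfer : Page
    {
        // Hosts that belong to this single-sign-on group (assumed list, taken from the
        // article's test addresses). FromUrl is only a query-string parameter, so
        // redirecting to it unchecked would be an open redirect.
        internal static readonly string[] AllowedReturnHosts =
            { "localhost", "127.0.0.1", "172.meibu.com" };

        // Handler named in step d). tb_username, tb_password, lbl_message are assumed control names.
        protected void btn_login_Click(object sender, EventArgs e)
        {
            string user = tb_username.Text;

            // Assumed: credentials live in web.config <credentials>; a real site
            // would check its own user store here instead.
            if (!FormsAuthentication.Authenticate(user, tb_password.Text))
            {
                lbl_message.Text = "Login failed.";
                return;
            }

            // 1. Ticket cookie for THIS host (the browser scopes it to 127.0.0.1).
            FormsAuthentication.SetAuthCookie(user, false);

            // 2. Relay an encrypted copy of the ticket to the originating host in the
            //    query string. Lifetime is kept short because the token can leak
            //    through server logs or the Referer header.
            string returnUrl = SafeReturnUrl(Request.QueryString["FromUrl"]);
            if (returnUrl == null)
            {
                Response.Redirect(FormsAuthentication.DefaultUrl);
                return;
            }
            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
                1, user, DateTime.Now, DateTime.Now.AddMinutes(2), false, "");
            string token = FormsAuthentication.Encrypt(ticket);
            Response.Redirect(returnUrl + "?ticket=" + HttpUtility.UrlEncode(token));
        }

        // Accept FromUrl only when it is absolute, HTTP(S) and on one of the SSO hosts.
        // The query part is dropped so a stale ticket= parameter is never carried along.
        internal static string SafeReturnUrl(string fromUrl)
        {
            Uri uri;
            if (string.IsNullOrEmpty(fromUrl)
                || !Uri.TryCreate(fromUrl, UriKind.Absolute, out uri)
                || (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
                || Array.IndexOf(AllowedReturnHosts, uri.Host.ToLowerInvariant()) < 0)
            {
                return null;
            }
            return uri.GetLeftPart(UriPartial.Path);
        }
    }

    // Originating side: Login.aspx on the first host (localhost in the article).
    public partial class Login : Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            string token = Request.QueryString["ticket"];
            if (string.IsNullOrEmpty(token) || Request.IsAuthenticated)
            {
                return;
            }

            FormsAuthenticationTicket ticket;
            try
            {
                ticket = FormsAuthentication.Decrypt(token); // fails if the token was tampered with
            }
            catch (Exception)
            {
                return; // not a ticket encrypted with our machineKey; ignore it
            }

            if (ticket != null && !ticket.Expired)
            {
                // Turn the relayed ticket into this host's own cookie, then drop it from the URL.
                FormsAuthentication.SetAuthCookie(ticket.Name, false);
                Response.Redirect(Request.Path);
            }
        }
    }
}
```

Because FromUrl is supplied by whichever page did the posting, the handler redirects only to hosts in its own SSO list; the relayed ticket is valid for two minutes and is replaced by a normal cookie as soon as the first host has seen it, so a copied URL is of little use afterwards.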
