For example:
The verification code is stored in the page source itself, or is exposed to the client in a cookie;
Storing the verification code in the session solves that exposure problem, but the session holds the code in a single variable. If the user opens more than one page at once and submits each verification code separately, the codes no longer work correctly;
The verification code never expires, which leaves a hidden risk and makes brute-force guessing feasible (although this can also be limited by a refresh interval, a submission interval, a blacklist and other means);
In addition, there is a further problem at submission time: repeated submission of the same code.
In order to solve the above problems, I took many detours. Later I summarized a solution that solves these problems well. This article introduces that solution in combination with ADO.NET Entity Framework:
The core of the solution is to store the verification code and its related information for every requested page in one unified place, the database (this could also be done with the session or some other store, but I personally feel that the database is better).
First, create a SQL Server table named "Submit for verification":
The "ID" field stores the unique ID of the verification record. It is used for lookups, and it is also the value handed to the client so that the corresponding record can be retrieved again later; using the Guid format guarantees uniqueness and enough complexity that the client has almost no chance of forging it;
The "SessionID" field stores the session ID, so that the verification record is tied to the user's session. If you do not care whether another client could hijack the record, this field can be omitted.
The "Verification Code" field stores the original verification code, which is compared against the user's input. The image-generation handler also looks this value up by ID in order to render the verification image.
The "Submitted" field records whether the verification record has already been used. If you do not need to return a specific error message, you can simply delete the record once it has been used, and this field is not needed.
The "Expiration Time" field is used when expired records are purged.
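The table above and the two operations this design needs (issue a code for a page, then check it exactly once on submit), written out as an added T-SQL example that is not from the original article. The table name, column names and types, the stored-procedure names and the five-minute lifetime are my assumptions based on the field descriptions.

```sql
-- Added example (not from the original article). Names and types assumed from the text.
CREATE TABLE dbo.SubmitForVerification (
    ID               UNIQUEIDENTIFIER NOT NULL PRIMARY KEY DEFAULT NEWID(),
    SessionID        NVARCHAR(128)    NOT NULL,
    VerificationCode NVARCHAR(16)     NOT NULL,
    Submitted        BIT              NOT NULL DEFAULT 0,
    ExpirationTime   DATETIME2        NOT NULL
);
GO

-- Issue a code for one rendered page. Only the Guid is returned to the caller
-- (for the form field and the image URL); the code itself never leaves the server.
CREATE PROCEDURE dbo.usp_IssueVerificationCode
    @SessionID  NVARCHAR(128),
    @Code       NVARCHAR(16),
    @TtlMinutes INT = 5          -- assumed lifetime; the article does not fix one
AS
BEGIN
    INSERT INTO dbo.SubmitForVerification (SessionID, VerificationCode, ExpirationTime)
    OUTPUT inserted.ID
    VALUES (@SessionID, @Code, DATEADD(MINUTE, @TtlMinutes, SYSUTCDATETIME()));
END
GO

-- Validate and consume in a single UPDATE. The WHERE clause requires that the Guid
-- exists, belongs to this session, matches the entered code, has not been used and
-- has not expired. Checking Submitted and setting it in one statement means two
-- concurrent submissions of the same Guid cannot both succeed.
CREATE PROCEDURE dbo.usp_ConsumeVerificationCode
    @ID        UNIQUEIDENTIFIER,
    @SessionID NVARCHAR(128),
    @Entered   NVARCHAR(16)
AS
BEGIN
    UPDATE dbo.SubmitForVerification
       SET Submitted = 1
     WHERE ID = @ID
       AND SessionID = @SessionID
       AND VerificationCode = @Entered
       AND Submitted = 0
       AND ExpirationTime > SYSUTCDATETIME();
    RETURN @@ROWCOUNT;   -- 1 = accepted; 0 = wrong code, already used, expired or other session
END
GO

-- Housekeeping for the "Expiration Time" field: purge expired rows periodically.
DELETE FROM dbo.SubmitForVerification WHERE ExpirationTime <= SYSUTCDATETIME();
```

A return value of 0 does not say which check failed; if the page needs a specific error message, keep the Submitted column and query the row separately before reporting.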
Once the table exists, you can create the ADO.NET Entity Framework Data Model (EDM):
The model can be generated directly from the existing database without any further changes. To be continued: this article has introduced the data structure and the idea, and the next article covers the code implementation and usage.