Comprehensive ASP.NET submission verification solution (I)

Source: Internet
Author: User

I was learning ASP.NET. Most of the popular online image verification tutorials have many problems, such as:

The verification code is stored in the page code or in cookies, which exposes it to the client;

Storing the verification code in the Session solves that security problem, but a user has only one variable to hold the verification code. If the user opens more than one page and submits the verification code on each page separately, the verification code cannot be used normally;

The verification code never expires, which leaves hidden risks and makes brute-force cracking feasible (of course, you can also control this by means of a refresh interval, a submission interval, and a blacklist);

In addition, there is another problem that arises with submission: repeated submission.

In order to solve the above problems, I took a lot of detours, and then I came up with a solution that can effectively solve them. This article uses ADO.NET Entity Framework technology to introduce this solution:

The core of this solution is to store, in a database, the verification codes and related information corresponding to all requested pages (this can also be done through the Session or something else, but I personally feel that the database is better).

First, create a SQL Server data table named "Submit for verification":

The "ID" field stores the unique ID of the verification information. It is used for queries, and we also pass this value to the client so that the corresponding information can be retrieved again. Using the Guid format ensures uniqueness and complexity, so the client has almost no possibility of forging it;

The "SessionID" field stores the SessionID to ensure that the verification information corresponds to the user session. If you do not care whether the client is hijacked, you can ignore this field.

The "Verification Code" field stores the original verification code, which is used to verify user input. In addition, the function that generates the verification image also obtains this data by ID in order to generate the image.

The "submitted" field identifies whether the verification information has been used. If you do not need to give a clear error message, you can directly delete the verification information once it has been submitted, and this field is not needed.

The data in the "expiration time" field is used when timed-out information is cleared.

After the database is created, you can create the ADO.NET Entity Framework data model (EDM):

This model can be directly generated from an existing database without any additional changes.
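The scheme described above (one record per rendered form, keyed by a Guid, bound to the session, single-use, with an expiry) as an added C# example; it is not the author's implementation. The in-memory dictionary stands in for the SQL Server table and EDM, and the type and method names, the 6-digit code, and the choice to use up a record on any attempt are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

public enum VerifyResult { Ok, NotFound, WrongSession, Expired, AlreadySubmitted, WrongCode }

// One row of the verification table; fields follow the columns described above.
public sealed class VerificationRecord
{
    public Guid Id; public string SessionId; public string Code;
    public bool Submitted; public DateTime ExpiresUtc;
}

// In-memory stand-in (assumption) for the SQL Server table and its EDM.
public sealed class VerificationStore
{
    private readonly ConcurrentDictionary<Guid, VerificationRecord> _rows =
        new ConcurrentDictionary<Guid, VerificationRecord>();

    // Called once per rendered form, so several open pages each get their own record.
    public Guid Issue(string sessionId, TimeSpan lifetime)
    {
        var bytes = new byte[4];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var rec = new VerificationRecord {
            Id = Guid.NewGuid(), SessionId = sessionId,
            Code = (BitConverter.ToUInt32(bytes, 0) % 1000000).ToString("D6"),
            ExpiresUtc = DateTime.UtcNow + lifetime };
        _rows[rec.Id] = rec;
        return rec.Id; // only the ID goes to the client; the code stays server-side
    }

    // Used by the image handler: looks up the code to draw for a given ID.
    public string CodeForImage(Guid id, string sessionId) =>
        _rows.TryGetValue(id, out var rec) && rec.SessionId == sessionId ? rec.Code : null;

    public VerifyResult Verify(Guid id, string sessionId, string input)
    {
        if (!_rows.TryGetValue(id, out var rec)) return VerifyResult.NotFound;
        lock (rec) // serialise concurrent submits of the same ID (repeated submission)
        {
            if (rec.SessionId != sessionId) return VerifyResult.WrongSession;
            if (rec.Submitted) return VerifyResult.AlreadySubmitted;
            if (DateTime.UtcNow > rec.ExpiresUtc) return VerifyResult.Expired;
            rec.Submitted = true; // assumption: any attempt, right or wrong, uses up the record
            return rec.Code == input ? VerifyResult.Ok : VerifyResult.WrongCode;
        }
    }
}
```

Because a wrong guess also marks the record as submitted, each issued ID allows exactly one attempt, which limits brute-force guessing independently of the expiry.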

To be continued. This article introduces the data structure and ideas; the next article introduces the code implementation and usage.
