I. Verification Code
A verification code is a common measure for protecting a web form against attack. A page in the public area, such as a logon form, that has no such protection is likely to face brute-force attacks that simulate logon: an attacker can either obtain the login information of a particular account or simply increase the load on the server and disrupt normal service. The usual solution is to present a random message (the verification code) on the page before logon and require the user to type it in. A real user working through the web page can log on normally, while an unauthorized attacker that is not using the web page cannot see the verification code and is refused logon. If the code were placed in the page as plain text, however, an attacker could simply fetch the page and search for it, and the protection would be meaningless. The verification information is therefore rendered as an image, so that an attacker cannot extract it by searching the HTML. This is the purpose and significance of the verification code.
II. ASP.NET verification code implementation
Traditionally, verification-code images were generated dynamically by CGI or ISAPI programs together with some encryption code; in ASP this was mostly done with COM components, which is quite laborious.
Implementing dynamic verification codes in ASP.NET is quite easy. The general idea is as follows:
1. For security, the verification code (even in encrypted form) should not appear in the HTML form or in the URL of the image-generating program; store it in a session variable instead. This also makes checking the code very easy.
2. A separate aspx page generates the image dynamically; the verification code to be drawn is stored in the session. Because a system may have many forms, the name of the session key is passed to that page as a URL parameter, for example viewImg.aspx?SessionKeyName=abc.
Here abc is the session key under which the logon page stored the random string it generated for the client when the form was first output. In the server-side script, Session("abc") returns that string (the verification code), which is compared with what the user typed into the form's verification-code input box to determine whether the form was submitted through a normal IE browser.
3. When the form is displayed for the first time (the GET request), a random string is generated and stored in Session("abc"); at the same time abc is passed as the SessionKeyName value in the URL of the image-generating program viewImg.aspx.
4. viewImg.aspx reads SessionKeyName, obtains the value of Session("abc"), draws the image in memory with GDI+, then modifies the HTTP header and writes the binary stream with content-type image/png, so that the client's browser displays an image whose content is the verification code.
5. After the user enters the verification code, the form is submitted to the verification program. First check the verification-code input field: if it does not match Session("abc"), reject the request immediately. You can also accumulate the number of failed logons and even reject further connections from that IP address to protect the system. Only if the value matches the one stored in the session is further processing performed (such as login processing or article publishing); the session variable should then be destroyed if it is not needed again.
6. Different forms can be assigned different session variable names, so that one viewImg.aspx can serve multiple forms in the system.
III. Example explanation
The key part is viewImg.aspx; see the following listing:
Imports System.IO
Imports System.Drawing
Imports System.Drawing.Imaging

Public Class viewImg
    Inherits System.Web.UI.Page

    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        Dim img As Bitmap
        Dim gdiobj As Graphics
        Dim ms As MemoryStream        ' memory stream that holds the dynamically drawn image
        Dim vfycode As String         ' verification code
        Dim sessionKeyName As String

        If Not String.IsNullOrEmpty(Request("SessionKeyName")) Then
            sessionKeyName = Request("SessionKeyName")
            If Session(sessionKeyName) IsNot Nothing Then
                vfycode = CStr(Session(sessionKeyName))
            Else
                vfycode = ""
            End If

            img = New Bitmap(32, 16)  ' width and height can be chosen as needed
            gdiobj = Graphics.FromImage(img)
            gdiobj.DrawString(vfycode, New Font("Arial", 9), New SolidBrush(Color.Black), 0, 0)
            ms = New MemoryStream()
            img.Save(ms, ImageFormat.Png)   ' PNG: a format that supports transparency

            ' The page was prepared to emit an HTML stream; it now emits image bytes,
            ' so the buffered content and the HTTP header must be replaced.
            Response.ClearContent()
            Response.ContentType = "image/png"
            Response.BinaryWrite(ms.ToArray())

            gdiobj.Dispose()
            img.Dispose()
            ms.Dispose()
        End If

        Response.End()   ' best to include, so nothing else is appended to the image stream
    End Sub
End Class
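As an added example (not part of the original article), here is a hypothetical code-behind for the logon page described in steps 3 and 5: it generates the code on the first GET, keeps it only in Session("abc"), points the image at viewImg.aspx with the key name, and on submission compares the code before checking credentials, destroying the session value and counting failures. The control names (imgCode, txtCode, txtUser, txtPass, btnLogin, lblMsg) and the CheckPassword helper are assumptions, and the cryptographic RNG is my choice rather than the article's.

```vbnet
Imports System.Security.Cryptography
' Hypothetical logon page (added example); imgCode, txtCode, txtUser, txtPass,
' btnLogin, lblMsg and CheckPassword are assumed page controls and helpers.
Public Class logon
    Inherits System.Web.UI.Page
    Private Const CodeKey As String = "abc"   ' session key name shared with viewImg.aspx
    Private Const MaxFailures As Integer = 5

    Private Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles MyBase.Load
        If Not IsPostBack Then
            ' First (GET) display: make a fresh code, keep it only server-side,
            ' and point the <img> at the image generator with the key name.
            Session(CodeKey) = NewCode(5)
            imgCode.ImageUrl = "viewImg.aspx?SessionKeyName=" & CodeKey
        End If
    End Sub

    ' Random digits from the cryptographic RNG instead of System.Random.
    Private Shared Function NewCode(ByVal length As Integer) As String
        Dim bytes(length - 1) As Byte
        Using rng As New RNGCryptoServiceProvider()
            rng.GetBytes(bytes)
        End Using
        Dim chars(length - 1) As Char
        For i As Integer = 0 To length - 1
            chars(i) = ChrW(AscW("0"c) + (bytes(i) Mod 10))
        Next
        Return New String(chars)
    End Function

    Private Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnLogin.Click
        Dim expected As String = TryCast(Session(CodeKey), String)
        Session.Remove(CodeKey)   ' a code is valid for exactly one submission
        If expected Is Nothing OrElse expected <> txtCode.Text.Trim() Then
            RecordFailure("Verification code does not match.")
            Return
        End If
        If Not CheckPassword(txtUser.Text, txtPass.Text) Then  ' assumed helper
            RecordFailure("Wrong user name or password.")
            Return
        End If
        Session.Remove("failures")
        ' ... continue with normal login processing ...
    End Sub

    Private Sub RecordFailure(ByVal reason As String)
        Dim n As Integer = CInt(If(Session("failures"), 0)) + 1
        Session("failures") = n
        Session(CodeKey) = NewCode(5)   ' new code for the next attempt; the old one is gone
        imgCode.ImageUrl = "viewImg.aspx?SessionKeyName=" & CodeKey & "&n=" & n   ' defeat image caching
        lblMsg.Text = If(n >= MaxFailures, "Too many failed attempts.", reason)
    End Sub
End Class
```

The failure counter lives in the session, so a client that discards its cookie starts over; the IP-based rejection the article mentions has to be tracked outside the session.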