Make ASP. NET JS authentication and server-side double authentication simpler

Source: Internet
Author: User

  only use JavaScript to verify that security is not secure

Everyone knows that the answer is unsafe, very insecure. Because the validation at the client is the equivalent of "let the user authenticate themselves", it is obviously not reliable. You cannot avoid some malicious users who modify their own forms to deceive, or prevent third parties from intercepting the form after tampering and then committing.

so, from a security standpoint, relying solely on JS authentication is not safe, and any robust system must be validated at the backend.


Double verification greatly increases the workload, how to solve?

Scenario 1: Stupid method, write it all over again

Scenario 2: Existing frameworks, such as the MVC self-validation support two-way verification, the insufficient point is to write model plus Attrbute also have a certain amount of work

Scenario 3: Self-encapsulation


My Choice scenario: Scenario 3

Ideas
Page loading through key to store table Form rules, through form rules to generate the front element binding, complete the foreground validation. The background function passes the key to get the form rule for background verification. (Can improve performance with cache quality)

Realize

Background code:

Store form rules by Getinitscript and assign values to viewstate["Intisript" to the foreground bindings




The foreground call as long as the binding viewstate["Intiscript"] (in fact, do not write anything, to ensure that the element name and viewState consistent on it):

<body> <form id= "Form1" runat= "Server" class= "Contact_form" > <ul> <li> &lt ;h2> form validation <%=viewstate["Intiscript"]%></body>

  

viewstate["Intiscript"] will generate a script for HTML elements to add the pattern, placeholder and Requierd properties, with these properties can be very convenient to use JS and other plug-in for front-end verification

The following is the HTML generated by viewstate["Intiscript")



Background validation using the Postvalidation function



Let's look at the effect:


Submit successful verification passed, let me change the front-end elements with malicious parameters to submit the background




Foreground verification by:


Backstage, I'm going to get you out of here.


Finally, attach C # validation class code:

Using system;using system.collections.generic;using system.linq;using system.text;using system.text.regularexpressions;///<summary>///* * Description: Can be conveniently implemented both front-end double authentication, based on jquery///* * Founding Time: 2015-6-4///* * Modified time:-///  * * sunkaixuan///* Instructions for use:-///</summary>public class validationsugar{private static list<validationoption>    Validationoptionlist = new list<validationoption> ();  <summary>//Reception///</summary>/<param name= "Pagekey" ></param>//<param     Name= "ItemList" ></param> public static string Getinitscript (String pagekey, list<optionitem> itemList) {//After initialization is not assigned if (Validationoptionlist.any (IT) Pagekey = = Pagekey) {return (Validationoptionlist.single (c = C.pagekey = = Pagekey).        Script);            } else {validationoption option = new Validationoption (); String UK = Guid.NewGuid (). ToString (). Replace ("-", "");//Unique function name StRing script = @ "<script>var bindvalidation{1}=function (name,params) {{var selectorobj=$ (" "[Name= '" "" +name+ ""] "     ");     Selectorobj.after ("<span class=\" "form_hint\" ">" "+params.tip+" "</span>" ");     if (params.pattern!=null) selectorobj.attr ("pattern", params.pattern);     if (params.placeholder!=null) selectorobj.attr ("" Placeholder "", params.placeholder); if (params.isrequired=true) selectorobj.attr ("" Required "", params.isrequired);}}            {0}</script> ";            StringBuilder Itemscode = new StringBuilder (); foreach (var item in itemList) {switch (item. Type) {case OptioItemType.Mail:item. Pattern = @ "^[\\w-]+ (\\.[ \\w-]+) *@[\\w-]+ (\\.[                        \\w-]+) +$ ";                    Break Case OptioItemType.Int:item.                        Pattern = @ "^\\d{1,11}$";                    Break           Case Optioitemtype.double:             Item.                        Pattern = @ "^\\d{1,11}$";                    Break Case OptioItemType.IdCard:item. Pattern = @ "^ (\\d{15}$|^\\d{18}$|^\\d{17} (\\d|                        X|X)) $ ";                    Break Case OptioItemType.Date:item. Pattern = @ "^ ((1[8-9]\\d{2}) | ( [2-9]\\d{3})] ([-\\/]) (10|12|0?[ 13578]) ([-\\/]) (3[01]|[ 12][0-9]|0? [1-9]) $)| (^ (1[8-9]\\d{2}) | ([2-9]\\d{3})) ([-\\/]) (11|0?) [469]) ([-\\/]) (30| [12] [0-9]|0? [1-9]) $)| (^ (1[8-9]\\d{2}) | ([2-9]\\d{3})) ([-\\/]) (0?2) ([-\\/]) (2[0-8]|1[0-9]|0?) [1-9]) $)| (^ ([2468][048]00) ([-\\/]) (0?2) ([-\\/]) (29) $) | (^ ([3579][26]00) ([-\\/]) (0?2) ([-\\/]) (29) $) | (^ ([1][89][0][48]) ([-\\/]) (0?2) ([-\\/]) (29) $) | (^ ([2-9][0-9][0][48]) ([-\\/]) (0?2) ([-\\/]) (29) $) | (^ ([1][89][2468][048]) ([-\\/]) (0?2) ([-\\/]) (29) $) | (^ ([2-9][0-9][2468][048]) ([-\\/]) (0?2) ([-\\/]) (29) $) | (^ ([1][89][13579][26]) ([-\\/]) (0?2) ([-\\/]) (29) $) | (^ ([2-9][0-9][13579][26]) ([-\\/]) (0?2) ([-\\/]) (29)) | ((((0[13578) | ([13578]) | (1[02])) [\\-\\/\\s]? ((0[1-9]) | ([1-9]) | ([1-2][0-9]) | (3[01])) | (([469]) | (11)) [\\-\\/\\s]? ((0[1-9]) | ([1-9]) | ([1-2][0-9]) | (30))) | ((02|2) [\\-\\/\\s]? ((0[1-9]) | ([1-9]) | ([1-2][0-9])))) [\\-\\/\\s]?\\d{4}] (\\s (((0[1-9)) | ( [1-9]) | (1[0-2])) \:([0-5][0-9]) ((\\s) | ( \:([0-5][0-9]) \\s) ([am|                        pm|am|pm]{2,2})))? $ ";                    Break Case OptioItemType.Mobile:item.                        Pattern = @ "^[0-9]{11}$";                    Break Case OptioItemType.Telephone:item.                        Pattern = @ "^ (\ \ (\\d{3,4}\\) |\\d{3,4}-|\\s)? \\d{8}$";                    Break Case OptioItemType.Fax:item. Pattern = @ "^[+]{0,1} (\\d) {1,3}[]? ([-]? ((\\d) |                        []) {1,12}) +$ ";                    Break                Case OptioItemType.Regex:break; } itemscode.appendformat ("bindvalidation{0} (' {1} ', {{tip: ' {2} ', Pattern: ' {3} ', placeholder: ' {4} ', isrequired : {5}}) ", UK, ITem. Formfiledname, item. TIP, item. Pattern, item. Placeholder, item. IsRequired?                "True": "false");            Itemscode.appendline (); } option. Script = string.            Format (script, itemscode.tostring (), UK);            script = null;            Itemscode.clear (); Option.            Pagekey = Pagekey; Option.            ItemList = ItemList;            Validationoptionlist.add (option); Return (option.        Script);  }}///<summary>//Background verification///</summary>//<param name= "Pagekey" ></param>// <param name= "errormessage" >json format </param>///<returns></returns> public static bool Postva        Lidation (String pagekey, out string errormessage) {bool issuccess = true; ErrorMessage = string.        Empty; if (! Validationoptionlist.any (c = C.pagekey = = Pagekey)) {throw new ArgumentNullException ("Validationsug Ar.        Postvalidation.pagekey "); } var context = System.Web.HttpContext.Current; var itemList = Validationoptionlist.where (c = = C.pagekey = = Pagekey). Single ().        ItemList; var successitemlist = Itemlist.where (it. IsRequired &&!string. IsNullOrEmpty (context. Request[it. Formfiledname]) | | !it. isrequired)). Where (it = regex.ismatch (context. Request[it. Formfiledname], it. Pattern.replace (@ "\ \", @ "\")).        ToList ();        Issuccess = (Successitemlist.count = = Itemlist.count); if (!issuccess) {errormessage = new System.Web.Script.Serialization.JavaScriptSerializer ().        Serialize (itemList);    } return issuccess;        } private class Validationoption {public string Pagekey {get; set;}        public string Script {get; set;}    Public list<optionitem> ItemList {get; set;} } public enum Optioitemtype {Mail = 0, Int = 2, Double = 3, Idcard = 4, Date = 5 ,///<summary>///Mobile phone// </summary> Mobile = 6,///<summary>//landline//</summary> telephone    = 7, Fax = 8,///<summary>//////Not suitable, please use regular authentication///</summary> Regex = 1000         }//<summary>///Authentication Options///</summary> public class Optionitem {//<summary>        Authentication type///</summary> public optioitemtype type {get; set;}        <summary>///Regular///</summary> public string Pattern {get; set;}        <summary>//whether required///</summary> public bool IsRequired {get; set;} <summary>///form field name (name or ID)///</summary> public string Formfiledname {get; set;        }///<summary>//watermark///</summary> public string Placeholder {get; set;} <summary>///reminder//</summary>        public string Tip {get; set;} }}

  


source Download:Http://pan.baidu.com/s/1mgoXpsW

Time issues only support HTML5 verification, need a high version of the browser, I will gradually improve


Make ASP. NET JS authentication and server-side double authentication simpler

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.