ASP.NET MVC remote validation: is it secure, and how do you make it secure?

时间:2021-11-08 17:19:51

I recently came across Remote Validation in asp.net mvc. Really helpful feature but doesn't adding something like this to a registration form, say to check for username or email, open up a security hole? Couldn't someone use this to mine information from the site? Captcha would be an obvious solution to this problem, but has anyone been able to integrate it with the [Remote] validation?


using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

public class CreateUserModel : EditUserModel {
    [Required]
    [StringLength(6, MinimumLength = 3)]
    // Calls ValidationController.IsUID_Available from the browser while the field is edited
    [Remote("IsUID_Available", "Validation")]
    [RegularExpression(@"(\S)+", ErrorMessage = "White space is not allowed.")]
    [Editable(true)]
    public override string UserName { get; set; }
}

1 solution

#1


1  

You could use a Captcha if you want. For example with Google's ReCaptcha you could install the microsoft-web-helpers NuGet, sign up for a ReCaptcha account in order to obtain your private/public key pairs and then simply modify your view model so that when you perform the remote call the 2 additional fields are included:


using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

public class CreateUserModel : EditUserModel 
{
    [Required]
    [StringLength(6, MinimumLength = 3)]
    // AdditionalFields makes the client post the two ReCaptcha inputs along with UserName,
    // so the server can validate the captcha inside the remote call
    [Remote("IsUID_Available", "Validation", AdditionalFields = "recaptcha_response_field,recaptcha_challenge_field", HttpMethod = "POST")]
    [RegularExpression(@"(\S)+", ErrorMessage = "White space is not allowed.")]
    [Editable(true)]
    public override string UserName { get; set; }
}

and in the view:


@using Microsoft.Web.Helpers
@model CreateUserModel
@{
    ReCaptcha.PublicKey = "... public key obtained from Google ...";
}

<script src="@Url.Content("~/Scripts/jquery.validate.js")" type="text/javascript"></script>
<script src="@Url.Content("~/Scripts/jquery.validate.unobtrusive.js")" type="text/javascript"></script>

@using (Html.BeginForm())
{
    @Html.EditorFor(x => x.UserName)
    @Html.ValidationMessageFor(x => x.UserName)
    @ReCaptcha.GetHtml(theme: "red")
    <button type="submit">OK</button>
}

and in the controller:


using System.Web.Mvc;
using Microsoft.Web.Helpers;

public class ValidationController : Controller
{
    [HttpPost]
    public ActionResult IsUID_Available(string username)
    {
        // The remote call carries the two recaptcha_* fields listed in AdditionalFields;
        // Validate reads them from the current request.
        if (!ReCaptcha.Validate(privateKey: "... private key obtained from Google ..."))
        {
            return Json("sorry, please enter a correct Captcha first");
        }

        // The user entered a correct Captcha => you can proceed
        // into username existence verification.
        // Remote validation reads a JSON true as "valid", so return true
        // when the name is NOT already taken.
        bool userExists = _repository.UserExists(username);
        return Json(!userExists);
    }
}
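The answer above gates the lookup behind a captcha only, yet the remote validator fires every time the field changes, so the endpoint is still a username-existence oracle that any script can call directly. As an added example that is not part of the original answer, here is the same Validation controller with a per-client throttle in front of the captcha check, and with the JSON result in the orientation [Remote] expects (true means the field is valid, i.e. the name is free). IUserRepository, the counter limits and the cache key format are assumptions made for this example; ReCaptcha is the microsoft-web-helpers helper the answer already uses.

```csharp
using System;
using System.Runtime.Caching;
using System.Threading;
using System.Web.Mvc;
using Microsoft.Web.Helpers;

// Hypothetical repository contract; the answer above only shows _repository.UserExists(...).
public interface IUserRepository
{
    bool UserExists(string userName);
}

public class ValidationController : Controller
{
    private readonly IUserRepository _repository;

    // Per-client counters; MemoryCache evicts them when the window expires.
    private static readonly MemoryCache Throttle = MemoryCache.Default;
    private const int MaxChecksPerWindow = 10;                      // tuning values are assumptions
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(5);

    private sealed class Counter { public int Count; }

    public ValidationController(IUserRepository repository)
    {
        _repository = repository;
    }

    // Target of [Remote("IsUID_Available", "Validation", AdditionalFields = "...", HttpMethod = "POST")].
    // jQuery unobtrusive validation posts the field as "UserName"; MVC model binding is case-insensitive.
    [HttpPost]
    public ActionResult IsUID_Available(string userName)
    {
        string client = Request.UserHostAddress ?? "unknown";

        // 1. Throttle first, so a scraper is cut off before the captcha service or the
        //    database is touched. The reply has the same shape as any other validation failure.
        if (!RegisterAttempt(client))
        {
            return Json("Too many checks from this address; please try again later.");
        }

        // 2. Captcha gate, as in the answer above.
        if (!ReCaptcha.Validate(privateKey: "... private key obtained from Google ..."))
        {
            return Json("Sorry, please enter a correct Captcha first.");
        }

        // 3. The actual check. Remote validation reads JSON true as "valid",
        //    so true means the name is free.
        bool available = !string.IsNullOrWhiteSpace(userName) && !_repository.UserExists(userName);
        return available
            ? Json(true)
            : Json("That user name is already taken.");
    }

    // Fixed-window counter keyed by client address. Returns false once the
    // client has exceeded MaxChecksPerWindow inside the current Window.
    private static bool RegisterAttempt(string client)
    {
        string key = "uid-check:" + client;
        var fresh = new Counter();
        var counter = (Counter)Throttle.AddOrGetExisting(key, fresh, DateTimeOffset.UtcNow.Add(Window)) ?? fresh;
        int n = Interlocked.Increment(ref counter.Count);
        return n <= MaxChecksPerWindow;
    }
}
```

Two practical notes: behind a reverse proxy Request.UserHostAddress is the proxy's address, so key the counter on the forwarded client address that your proxy is trusted to set instead; and because the validator runs on every edit of the field, each of those calls goes through ReCaptcha.Validate, so the captcha on the form must be solved before the user starts typing the name for the remote check to ever succeed.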
