I have the user submit a form and if my spam filter catches it i redirect() the user into a captcha page to make sure it isnt a bot (reCaptcha appears not to be broken yet).
我让用户提交一个表单,如果我的垃圾邮件过滤器捕获它,我将用户重定向()到验证码页面,以确保它不是一个机器人(reCaptcha似乎还没有被破坏)。
My question is how do i handle going back to the original page?
我的问题是如何处理返回原始页面?
I was thinking i could generate a random number (check if there is a current session tag with that number), push all the POST data into a an object, put the object into ses[randomId]=obj; append the ID in the GET data (?sesTag=randId) then pull the get data from the ses when the user correctly passes the captcha. Is this a good solution? is there a problem with putting the object into a session?
我想我可以生成一个随机数(检查当前会话标签是否有该数字),将所有POST数据推送到一个对象中,将该对象放入ses [randomId] = obj;将ID附加到GET数据中(?sesTag = randId),然后在用户正确传递验证码时从ses中获取get数据。这是一个好的解决方案吗?将对象放入会话有问题吗?
How is pushing the post data into a dictionary? i can write a foreach loop to push all data into the dict? or will i get enough objects to eat up memory? (i am pushing HttpContext.Current.Request.Params which has many keys)
如何将帖子数据推送到字典中?我可以编写一个foreach循环来将所有数据推送到dict中吗?还是我会得到足够的物品来吃掉记忆? (我正在推HttpContext.Current.Request.Params,它有很多键)
3 个解决方案
#1
You should never be storing or processing arbitrary params. The page that receives the user's post data should know exactly which parameters to expect and what formats they may be in.
你永远不应该存储或处理任意参数。接收用户的帖子数据的页面应该确切地知道期望哪些参数以及它们可能的格式。
First validate each expected parameter and if validation passes -- with the exception of the spambot criteria -- populate an object with the validated parameters and save that object in the session. You can get it back out if the captcha is succesful.
首先验证每个预期参数,如果验证通过 - 除了spambot标准 - 使用验证参数填充对象并将该对象保存在会话中。如果验证码成功,您可以将其取回。
Edit
In response to your comment: From a security POV, you are trying to architect your function at too high a level. By having no "local knowledge" you have no option but to open yourself up to security problems. Have a think about how to introduce your method call at a lower level.
回应您的评论:从安全POV,您正试图在太高的水平上设计您的功能。没有“本地知识”,你别无选择,只能打开自己的安全问题。考虑如何在较低级别引入方法调用。
Here's a loosely worked example:
这是一个松散的例子:
Let each page/controller/action/whatever validate their own data first (only the local code knows how to validate it's own data), then let each action call your spambot filter/redirect component/method, passing the validated form data it wishes to be persisted along with the fieldnames that need to be spam-checked.
让每个页面/控制器/动作/任何首先验证它们自己的数据(只有本地代码知道如何验证它自己的数据),然后让每个动作调用你的spambot过滤器/重定向组件/方法,传递它希望的经过验证的表单数据与需要进行垃圾邮件检查的字段名一起保留。
Your method can spam-check the potential problem fields, persist the data and redirect to re-captcha.
您的方法可以垃圾邮件检查潜在的问题字段,保留数据并重定向到重新验证码。
In pseudo-code, each web action that needs a spam check can do something like below. It reqiures just one method call e.g.
在伪代码中,需要进行垃圾邮件检查的每个Web操作都可以执行以下操作。它只需要一个方法调用,例如
void someAction( untrustedData ) {
trustedData = object;
trustedData.id = makeInt( badData.id );
trustedData.name = safeCharsOnly( untrustedData.name );
trustedData.message = safeCharsOnly( untrustedData.message ); # <-- spam-check this
fieldsToSpamCheck = ['message'];
successUrlBase = '/myapp/sandwiches/postMessage';
if (!spamChecker.check( trustedData, fieldsToSpamCheck, successUrlBase )) {
// spamChecker will check specified params
// if not spam, it returns true
// if spam it sets a http redirect and returns false
return;
}
processData( trustedData );
}
#2
I'm not sure that this is a good solution, but if you must use it (or until someone posts a better alternative), you can store the Request.Params into the Session.
我不确定这是一个很好的解决方案,但是如果你必须使用它(或者直到有人发布更好的替代方案),你可以将Request.Params存储到Session中。
The Request.Params (or Request.Form) is a NameValueCollection which is serializable so you should have no problem storing it in Session even if you are using out-of-proc Session state. IOW, you do not need to pull out the data into a separate dictionary.
Request.Params(或Request.Form)是一个可序列化的NameValueCollection,因此即使您使用的是进程外会话状态,也应该没有问题存储在Session中。 IOW,您不需要将数据提取到单独的字典中。
#3
Why not just place the captcha on the original page and save yourself some grief?
为什么不将验证码放在原始页面上并为自己保留一些悲伤?
#1
You should never be storing or processing arbitrary params. The page that receives the user's post data should know exactly which parameters to expect and what formats they may be in.
你永远不应该存储或处理任意参数。接收用户的帖子数据的页面应该确切地知道期望哪些参数以及它们可能的格式。
First validate each expected parameter and if validation passes -- with the exception of the spambot criteria -- populate an object with the validated parameters and save that object in the session. You can get it back out if the captcha is succesful.
首先验证每个预期参数,如果验证通过 - 除了spambot标准 - 使用验证参数填充对象并将该对象保存在会话中。如果验证码成功,您可以将其取回。
Edit
In response to your comment: From a security POV, you are trying to architect your function at too high a level. By having no "local knowledge" you have no option but to open yourself up to security problems. Have a think about how to introduce your method call at a lower level.
回应您的评论:从安全POV,您正试图在太高的水平上设计您的功能。没有“本地知识”,你别无选择,只能打开自己的安全问题。考虑如何在较低级别引入方法调用。
Here's a loosely worked example:
这是一个松散的例子:
Let each page/controller/action/whatever validate their own data first (only the local code knows how to validate it's own data), then let each action call your spambot filter/redirect component/method, passing the validated form data it wishes to be persisted along with the fieldnames that need to be spam-checked.
让每个页面/控制器/动作/任何首先验证它们自己的数据(只有本地代码知道如何验证它自己的数据),然后让每个动作调用你的spambot过滤器/重定向组件/方法,传递它希望的经过验证的表单数据与需要进行垃圾邮件检查的字段名一起保留。
Your method can spam-check the potential problem fields, persist the data and redirect to re-captcha.
您的方法可以垃圾邮件检查潜在的问题字段,保留数据并重定向到重新验证码。
In pseudo-code, each web action that needs a spam check can do something like below. It reqiures just one method call e.g.
在伪代码中,需要进行垃圾邮件检查的每个Web操作都可以执行以下操作。它只需要一个方法调用,例如
void someAction( untrustedData ) {
trustedData = object;
trustedData.id = makeInt( badData.id );
trustedData.name = safeCharsOnly( untrustedData.name );
trustedData.message = safeCharsOnly( untrustedData.message ); # <-- spam-check this
fieldsToSpamCheck = ['message'];
successUrlBase = '/myapp/sandwiches/postMessage';
if (!spamChecker.check( trustedData, fieldsToSpamCheck, successUrlBase )) {
// spamChecker will check specified params
// if not spam, it returns true
// if spam it sets a http redirect and returns false
return;
}
processData( trustedData );
}
#2
I'm not sure that this is a good solution, but if you must use it (or until someone posts a better alternative), you can store the Request.Params into the Session.
我不确定这是一个很好的解决方案,但是如果你必须使用它(或者直到有人发布更好的替代方案),你可以将Request.Params存储到Session中。
The Request.Params (or Request.Form) is a NameValueCollection which is serializable so you should have no problem storing it in Session even if you are using out-of-proc Session state. IOW, you do not need to pull out the data into a separate dictionary.
Request.Params(或Request.Form)是一个可序列化的NameValueCollection,因此即使您使用的是进程外会话状态,也应该没有问题存储在Session中。 IOW,您不需要将数据提取到单独的字典中。
#3
Why not just place the captcha on the original page and save yourself some grief?
为什么不将验证码放在原始页面上并为自己保留一些悲伤?