Add a verification code to the ASP.NET form
First, verification code
For a web form, a verification code is a common measure against attacks. A login form without the necessary security measures is likely to face simulated logins and brute-force cracking, which either obtain the login information of a specific account or add a lot of load to the server and affect normal service. The usual solution is to generate a piece of random information (the verification code) before login and display it on the page for the user to fill in. This ensures that the user is logging in normally through the web page; an illegitimate login through a non-web channel never sees the verification code and is rejected.
Even so, many attackers fetch the login page and search it for the verification code, which makes the protection meaningless. So in general the verification information is displayed on the page as an image: this does not hinder legitimate users, but an attacker cannot obtain the verification information by searching the HTML. That, in broad terms, is the use and meaning of the verification code.
Second, the verification code in ASP.NET
Traditionally, verification code images were generated dynamically by CGI or ISAPI programs plus some encryption code, and most ASP implementations used COM components, which was quite laborious.
In ASP.NET a dynamic verification code is quite easy to implement. The author's approach is as follows:
1. For security, the verification code does not appear in the HTML form at all, not even as the encrypted string in the URL that CGI programs generally use. It is stored in a Session variable, which also makes the code easy to check.
2. A separate ASPX page is dedicated to generating the image dynamically; the verification code it displays is stored in the Session. One system may contain several forms, so to serve the whole system, the name of a Session key is appended after the ASPX page, for example
Here ABC is the name of the Session key under which a random string is automatically generated for the client when the form is first output. The server-side script can read Session("ABC") to get the generated string (the verification code) and compare it with what the user entered in the form's verification code input box, to determine whether the user is accessing the form normally through the IE browser.
3. When the form is first displayed (GET method), a random digit string is generated in Session("ABC"), and at the same time the key name ABC is added to the URL string of viewimg.aspx, the program that generates the verification code image.
4. ViewImg.aspx parses SessionKeyName, gets the value of Session("ABC"), uses GDI to generate an in-memory image, then modifies the HTTP header and outputs the binary stream with Content-Type = image/png, so the client browser displays an image whose content is the verification code.
5. After the user fills in the verification code and submits the form to the form verification program, first check the verification code input field. If it does not match Session("ABC"), reject the request immediately, and even count the number of failed logins and reject connections from that IP to protect the system. If it matches the value stored in the Session, carry on with other processing such as login or article publishing. Of course, also remember to destroy this Session variable (if it is not required later).
6. Different forms can be assigned different Session variable names, so a single ViewImg.aspx can serve multiple forms in the system.
Third, a worked example
The focus is ViewImg.aspx; see the listing:
Imports System.Drawing
Imports System.Drawing.Imaging
Imports System.IO

Public Class ViewImg
    Inherits System.Web.UI.Page

    Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        Dim img As Bitmap
        Dim gdiobj As Graphics
        Dim ms As MemoryStream        ' Memory stream that holds the dynamically generated image
        Dim vfycode As String         ' Verification code
        Dim sessionKeyName As String

        If Request("sessionkeyname") <> "" Then
            sessionKeyName = Request("sessionkeyname")
            If sessionKeyName <> "" Then
                ' Read the code that the form page stored under this Session key
                vfycode = CStr(Session(sessionKeyName))
            Else
                vfycode = ""
            End If
            img = New Bitmap(32, 16)  ' This width can be set as needed
            gdiobj = Graphics.FromImage(img)
            gdiobj.DrawString(vfycode, New Font("Arial", 9), New SolidBrush(Color.Black), 0, 0)
            ms = New MemoryStream()
            img.Save(ms, ImageFormat.Png)  ' PNG chosen because it supports transparency
            ' The page was going to output an HTML stream; it now outputs image data,
            ' so clear the content and change the HTTP header
            Response.ClearContent()
            Response.ContentType = "image/png"
            Response.BinaryWrite(ms.ToArray())
        Else
        End If
        Response.End()  ' Best to end the response here
    End Sub
End Class
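The form-side half of the scheme (steps 3 and 5), which the listing above does not show, as an added example that is not part of the original article. The module name, function names and the "vfy_" key prefix are assumptions made for illustration; the prefix lets ViewImg.aspx refuse to draw any Session variable that is not a verification code.

```vb
Imports System
Imports System.Security.Cryptography
Imports System.Web.SessionState

' Added example; module, function and prefix names are assumptions, not from the article.
Public Module VerifyCodeHelper
    ' Only keys with this prefix hold verification codes. ViewImg.aspx can call
    ' IsCodeKey before drawing, so it never renders other Session variables.
    Private Const KeyPrefix As String = "vfy_"

    Public Function IsCodeKey(ByVal keyName As String) As Boolean
        If String.IsNullOrEmpty(keyName) Then Return False
        Return keyName.StartsWith(KeyPrefix, StringComparison.Ordinal)
    End Function

    ' Step 3: on the first GET of a form, store a fresh random digit string.
    ' Returns the key name to append to the viewimg.aspx URL.
    Public Function IssueCode(ByVal session As HttpSessionState, ByVal formName As String, ByVal length As Integer) As String
        Dim rng As RandomNumberGenerator = RandomNumberGenerator.Create()
        Dim one(0) As Byte
        Dim digits(length - 1) As Char
        Dim i As Integer = 0
        While i < length
            rng.GetBytes(one)
            If one(0) < 250 Then          ' drop 250-255 so every digit is equally likely
                digits(i) = ChrW(48 + (one(0) Mod 10))
                i += 1
            End If
        End While
        Dim keyName As String = KeyPrefix & formName
        session(keyName) = New String(digits)
        Return keyName
    End Function

    ' Step 5: on POST, compare the user's input with the stored code.
    Public Function CheckCode(ByVal session As HttpSessionState, ByVal keyName As String, ByVal userInput As String) As Boolean
        If Not IsCodeKey(keyName) Then Return False
        Dim expected As String = TryCast(session(keyName), String)
        ' Destroy the code before comparing: one guess per issued code, no replay.
        session.Remove(keyName)
        ' No stored code means the client never loaded the form page: reject.
        If String.IsNullOrEmpty(expected) OrElse userInput Is Nothing Then Return False
        Return String.Equals(expected, userInput.Trim(), StringComparison.Ordinal)
    End Function
End Module
```

When CheckCode returns False, call IssueCode again before redisplaying the form so the next attempt faces a new code. The failure counting and IP rejection mentioned in step 5 need storage outside the Session, because a client that discards its session cookie starts with an empty Session.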