Page Access Control in ASP.NET

xiaoxiao2021-03-05  24

1. Introduction

ASP.NET is the web programming framework of the Microsoft .NET platform; it is used to build powerful, cleanly structured web applications on the server. Because ASP.NET runs on the .NET common language runtime, every feature of the .NET platform is available in ASP.NET. This article describes page access control in ASP.NET development. It covers the Request, Response, Session and Cookies objects, and analyzes in more detail how ASP.NET works, session security, and the life cycle of an ASP.NET page, as a quick-start reference for ASP.NET development.

2. Environment and prerequisites

(1) Windows XP Professional (Windows 2000, Windows 2003) with IIS
(2) .NET Framework SDK 1.1 (included in VS.NET 2003)
(3) Visual Studio .NET 2003

Install IIS and VS.NET 2003 according to the installation guide. Users on Windows 2003: after VS.NET 2003 is installed, make sure that the ASP.NET web service extension is allowed in IIS; otherwise you will not be able to use ASP.NET. This article assumes that you can do simple WinForms development in C# on the .NET platform and know some HTML.

3. Main text

(1) Create a project

Start VS.NET 2003 and choose the menu command New -> Project. In the New Project dialog that pops up, create a new ASP.NET project; the project used in this article is http://localhost/WebApplication1. Click OK and the IDE creates the project. In Solution Explorer you can see that the IDE has automatically added a WebForm1.aspx page. Delete it, then add two ASP.NET pages to the project, named Signin.aspx and Protected.aspx.

View the HTML code of Signin.aspx; in the first line you will find:

```aspx
<%@ Page language="c#" Codebehind="signin.aspx.cs" AutoEventWireup="false" Inherits="WebApplication1.signin" %>
```

It is worth introducing the Codebehind and Inherits attributes. The biggest advance of ASP.NET over ASP is the separation of HTML code (responsible for presenting the user interface) from program code (responsible for business logic) in web development. When an ASP.NET page runs, it is first parsed and compiled into a class. This class inherits from the precompiled class named in the Inherits attribute, and the class generated from the ASP.NET page then processes the request. (Note: this inheritance model was dropped in ASP.NET 2.0; in version 2.0 the page is compiled into the same class together with the program code.) From this description we can see that the Codebehind attribute identifies the code file of the parent class that the ASP.NET page inherits from. (Tip: after adding a web control to the ASPX page, open the page's code file and look at how the parent class code has changed; this shows the page execution model described above.)

(2) Complete the code

View the HTML code of Signin.aspx and insert the following HTML code:

Username:

password:

Then switch to the design view of the Signin.aspx page. Right-click the login button and select "Run As Server Control"; a small green triangle appears at the edge of the login button. Convert the two text boxes to server controls in the same way. In ASP.NET, server controls have properties that are visible and programmable on the server. By converting the HTML elements into HTML server controls, we expose them as elements that can be programmed on the server, which lets us use them much as in WinForms programming. (Tip: existing HTML design code can be reused in an ASPX page by the same method.)

Double-click the login button. The window switches to the code file signin.aspx.cs, where the IDE has automatically added the button's event handler. Fill in our program code in this function, as follows:

```csharp
private void Submit1_ServerClick(object sender, System.EventArgs e)
{
    if (Text1.Value == "ASP" && Password1.Value == "net")
    {
        // Fill in the session, used for access control
        Session["UserName"] = "asp";
        Session["AccessCount"] = 1;

        // Create the cookie
        System.Web.HttpCookie cookie = new System.Web.HttpCookie("userinfo");
        cookie["UserName"] = "ASP";
        cookie["AccessCount"] = "1";
        cookie.Expires = DateTime.Now.AddDays(30);
        Response.Cookies.Add(cookie);

        // Redirect to the protected page
        Response.Redirect("protected.aspx?Message=parameter in url");
    }
}
```

The program code above is very simple, and the comments make it quick to understand. What deserves attention is the security of sessions and cookies. HTTP is stateless, but a web application must maintain some state information across pages. The most common example is the shopping cart of a web shopping site, so all web programming environments provide session support.
In ASP.NET, a session is identified and tracked with a 120-bit SessionID string. The SessionID value is generated by an algorithm that guarantees uniqueness and randomness (such as the MD5 algorithm), and this randomness means that a malicious user cannot use a new SessionID to calculate the SessionID of an existing session. By default the SessionID is stored in a session cookie on the client. If cookies are disabled on the client, setting the property cookieless="true" in the web.config file places the SessionID in the URL. In that case, within the lifetime of your session, if a friend gets your SessionID (from the URL), he can use it to access the same web application from another machine and will share your session content with you. This situation illustrates why the SessionID must be unique and random.

The SessionID is maintained by the client, stored in the session cookie or in the URL. The session state is maintained by the server, and ASP.NET offers three session state modes: in-process (InProc), the state server (StateServer) and SQL Server. For the specific settings, refer to MSDN. A session is per user and cannot cross the web application boundary. The so-called self-built session can access other web sites in the same session. From the application's point of view, the session is safe and cannot be forged. But this does not mean that a web site that uses sessions is absolutely safe! Finally, note that the "session" in hacker session-hijacking attacks is not the session of a web application; it refers to a network application connection, such as an HTTP session or a Telnet session.

Cookies are stored locally on the client and are not encrypted, so do not store important information such as credit card numbers or passwords in cookies.

Switch to the code window of Protected.aspx to view the protected.aspx.cs file, and enter the access control code in Page_Load. The completed code is as follows:

```csharp
private void Page_Load(object sender, System.EventArgs e)
{
    // Put user code to initialize the page here

    /* Page access control code */
    string userName = (string)Session["UserName"];
    if (userName == null)  // session is empty
    {
        System.Web.HttpCookie cookie = Request.Cookies["userinfo"];
        if (cookie != null)  // cookie is not empty
        {
            userName = cookie["UserName"];
            int accessCount = int.Parse(cookie["AccessCount"]) + 1;
            cookie["AccessCount"] = accessCount.ToString();
            cookie.Expires = DateTime.Now.AddDays(30);
            Response.Cookies.Add(cookie);

            // Fill in the session information
            Session["UserName"] = userName;
            Session["AccessCount"] = accessCount;
        }
        else  // cookie is empty
            Response.Redirect("signin.aspx", true);
    }

    // HTML-encode values that originate from the client before writing them out
    Response.Write("Welcome " + Server.HtmlEncode(userName) + "<br>");
    Response.Write("you have visited for " + Session["AccessCount"].ToString() + " Times" + "<br>");

    // The following statement uses the Request.QueryString property to get the parameter in the URL
    Response.Write("QueryString Message = " + Server.HtmlEncode(Request.QueryString["Message"]));
}
```

The Page_Load event is triggered each time the page is posted back to the server. Note that Page_Load fires before server control events (such as the click event of a button). Below is a brief description of the life cycle of an ASP.NET page; for details see the MSDN site:

1. Initialization: page initialization (initializes the page and its controls);
(this event is only triggered after a page postback);
(i.e. the Page_Load event; this event indicates that the page has been restored to its state at the last access);
5. Server controls whose property values have changed raise their postback events (note that state information is not used; this event is only triggered after a page postback);
6. Save View State (saves the view state information of the page);
7. Render (generates the HTML code that is finally displayed).

Here, we added the page access control code to the Page_Load event handler of the Protected.aspx page. It first checks the session; if the authorization information is not found in the session (here, that Session["UserName"] is not empty), it then tries to determine from the client's cookie information whether the user has already logged in.

Finally, a simple piece of code that removes the cookie and clears the session. You can add a button to the Protected.aspx page and put this code in the button's Click event to implement the logout function:

```csharp
System.Web.HttpCookie cookie = Request.Cookies["userinfo"];
if (cookie != null)  // cookie is not empty
{
    cookie.Expires = DateTime.Now.AddDays(-1);
    Response.Cookies.Add(cookie);
}
// Clear the session information
Session.Clear();
Session.Abandon();
```

(3) Test

In VS.NET choose Build -> Build Solution. Then enter http://localhost/webapplication1/protected.aspx in the browser address bar; the page automatically redirects to signin.aspx. Enter ASP and net to access the protected protected.aspx page. Close the browser and open it again, then enter the address above: protected.aspx can be accessed, which is the result of reading the cookie information.

4. Summary
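The cookie fallback in Page_Load accepts whatever UserName the userinfo cookie carries, and as the article notes, cookies are stored on the client unencrypted, so the value is under the client's control. The following added example (not part of the original article) keeps the cookie name but stores a FormsAuthenticationTicket protected with FormsAuthentication.Encrypt, so the server only accepts values it issued itself. The UserInfoCookie class and its method names are hypothetical, and the code assumes the default machine key and forms protection settings.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Added example: UserInfoCookie and its members are hypothetical names.
// It keeps the article's "userinfo" cookie but stores a protected ticket.
public sealed class UserInfoCookie
{
    private const string CookieName = "userinfo";
    private UserInfoCookie() { }

    // Sign-in handler: call after the password check has succeeded.
    public static void Issue(HttpContext ctx, string userName, int accessCount)
    {
        DateTime now = DateTime.Now;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, now, now.AddDays(30), true, accessCount.ToString());

        // Encrypt() encrypts and signs the ticket with the server's machine key
        // (assumes default protection), so the client cannot read or alter it.
        HttpCookie cookie = new HttpCookie(CookieName, FormsAuthentication.Encrypt(ticket));
        cookie.Expires = ticket.Expiration;
        cookie.Secure = ctx.Request.IsSecureConnection;
        ctx.Response.Cookies.Add(cookie);
    }

    // Page_Load: call when Session["UserName"] is null. Returns null unless the
    // cookie holds an unexpired ticket issued by this server; the caller then
    // redirects to signin.aspx exactly as in the cookie-is-empty branch.
    public static FormsAuthenticationTicket Read(HttpContext ctx)
    {
        HttpCookie cookie = ctx.Request.Cookies[CookieName];
        if (cookie == null || cookie.Value == null || cookie.Value.Length == 0)
            return null;
        try
        {
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired)
                return null;
            return ticket;   // ticket.Name = user name, ticket.UserData = count
        }
        catch (ArgumentException) { return null; }   // malformed or tampered value
        catch (HttpException) { return null; }       // validation failed
        catch (System.Security.Cryptography.CryptographicException) { return null; }
    }
}
```

In Page_Load, a non-null result from Read(Context) can be followed by Issue(Context, ticket.Name, int.Parse(ticket.UserData) + 1) to keep the article's visit counter and 30-day renewal.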

Please credit the original address when reposting: https://www.9cbs.com/read-37953.html
