delv published in(发表于) 2014/1/24 9:15:32 Edit(编辑)
在ASP.NET中创建安全web站点_[Asp.Net教程]


以前用ASP,PHP,JSP编写网站代码的时候,站点安全性总是一件头疼的事情,虽然我们编写了用户登录,注册,验证页面,但是效果总是不理想。有时候我们不得不用大量的session变量来存放相关信息,处处设防。而在.NET环境下,这个问题处理起来就非常容易了。关键是要充分理解web.config文件。首先,介绍一下web.config文件。




























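<!-- Session-state settings. The element opening was lost when the page was extracted;
     the attribute set below is that of <sessionState>.
     With mode="InProc" the two connection-string attributes are not used: they only
     matter for the StateServer / SQLServer modes.
     NOTE(review): sqlConnectionString names the "sa" account with an empty password,
     which looks like a project-template default. Before switching to SQLServer mode,
     replace it with a least-privilege login (or integrated security) and keep the
     credential out of source control.
     cookieless="false" keeps the session id in a cookie rather than in the URL, so it
     does not leak through links, referrers or logs. -->
<sessionState
    mode="InProc"
    stateConnectionString="tcpip=127.0.0.1:42424"
    sqlConnectionString="data source=127.0.0.1;user id=sa;password="
    cookieless="false"
    timeout="20"
/>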





好了,相信看过上面的介绍以后,对web.config文件一定非常了解了吧。下面我们就切入主题。为了防止用户没有经过验证就访问站点,我们的处理方法是当用户没有通过验证的时候点击任何页面将会直接跳到Login.aspx页面,具体代码如下:



protection="All" path="/" />




但是这样会产生一个问题,那就是如果我的站点有一些信息是可以让任意用户随意访问的,比如站点简介,使用说明等。如果按照上面的处理方法岂不让用户觉得很麻烦,呵呵,不急,在ASP.NET中自然有相应的解决办法。下面的代码可以实现匿名用户访问Test.aspx页面:









解决了上面两个问题,相信大家心里一定有底了吧。下面就开始实现login.aspx页面。利用C#和SQL Server 2000,创建一个Web Form页面,加入相应的控件。具体代码如下:


<%@ Page language="c#" Codebehind="login.aspx.cs"
AutoEventWireup="false" Inherits="secure.login" %>



Secure Site



name="vs_targetSchema">



















E-mail:


















Password:








Width="120" TextMode="Password">









Text="Save my login">









ImageUrl="/images/w2k/login/btnLogin.gif">










界面做好之后,就开始编写提交按钮事件,首先需要注册该事件,代码如下:


// Designer-generated initialisation for the login page.
// The page directive sets AutoEventWireup="false", so the click handler is
// attached explicitly here rather than being discovered by name.
private void InitializeComponent()
{
// Route the image button's Click event to btnLogin_Click.
this.btnLogin.Click += new System.Web.UI.ImageClickEventHandler(this.btnLogin_Click);
// The dots below are the article's own elision of the remaining designer code.
.
.
.
}


事件注册好之后,自然就是编写事件处理函数了:


/// <summary>
/// Click handler of the login image button. Hands the submitted e-mail, password and
/// "save my login" choice to <c>CCommonDB.AuthenticateUser</c> and either redirects to
/// the path it returns or shows a failure message.
/// </summary>
/// <param name="sender">The control that raised the event (unused).</param>
/// <param name="e">Click coordinates supplied by the image button (unused).</param>
private void btnLogin_Click(object sender, System.Web.UI.ImageClickEventArgs e)
{
    CCommonDB authenticator = new CCommonDB();

    // AuthenticateUser answers with a site-relative landing page, or an empty string
    // when the login is rejected.
    string target = authenticator.AuthenticateUser(
        this.Session,
        this.Response,
        username.Text,
        password.Text,
        saveLogin.Checked);

    if (target == string.Empty)
    {
        // One generic message for every failure: the page does not reveal whether the
        // e-mail or the password was the part that did not match.
        Message.Text = "Login Failed!";
        return;
    }

    // Redirect the user
    Response.Redirect(target);
}


读者看完上面的代码之后一定想问CCommonDB是哪里来的东东,这是我编写的一个类,用来处理用户登录信息的,如果成功则把相关信息写入session、Cookie和SQL数据库,同时跳到default.aspx页面。具体如下:


CCommonDB.cs


namespace secure.Components
{
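/// <summary>
/// Login helper for the sample site. Checks the submitted credentials through the
/// <c>glbl_Login</c> stored procedure and, on success, issues the forms-authentication
/// cookie, fills the session and returns the landing page for the account type.
/// </summary>
public class CCommonDB : CSql
{
    public CCommonDB() : base() { }

    /// <summary>
    /// Authenticates a user and establishes the logged-in state.
    /// </summary>
    /// <param name="objSession">Session that receives "loginID" and "loginType".</param>
    /// <param name="objResponse">Response that receives the cookies.</param>
    /// <param name="email">Login name (the user's e-mail address).</param>
    /// <param name="password">Password as typed by the user.</param>
    /// <param name="bPersist">True when the user asked for the login to be remembered.</param>
    /// <returns>
    /// The site-relative landing page for the account type, or <c>string.Empty</c> when
    /// the credentials are rejected or the account type is not one of the known values.
    /// </returns>
    public string AuthenticateUser(
        System.Web.SessionState.HttpSessionState objSession, // Session Variable
        System.Web.HttpResponse objResponse, // Response Variable
        string email, // Login
        string password, // Password
        bool bPersist // Persist login
    )
    {
        int nLoginID = 0;
        int nLoginType = 0;

        // Verify the credentials; nLoginID stays 0 when they are rejected.
        Login(email, password, ref nLoginID, ref nLoginType);
        if (nLoginID == 0)
        {
            return string.Empty;
        }

        // Work out the landing page BEFORE any cookie or session value is written.
        // The listing as published had lost the "switch" header and its first case
        // label, and it issued the authentication cookie before looking at the type,
        // so an unknown type produced "Login Failed!" on a browser that was in fact
        // already authenticated.
        string landingPage;
        switch (nLoginType)
        {
            case 0: // presumably the candidate login, judging by the path
                landingPage = "/candidate/default.aspx";
                break;
            case 1: // Admin Login
                landingPage = "/admin/default.aspx";
                break;
            case 2: // Reporting Login
                landingPage = "/reports/default.aspx";
                break;
            default:
                return string.Empty;
        }

        // Log the user in (forms-authentication ticket; persistent only on request).
        System.Web.Security.FormsAuthentication.SetAuthCookie(nLoginID.ToString(), bPersist);

        // Set the session variables. These are the server-side source of truth.
        objSession["loginID"] = nLoginID.ToString();
        objSession["loginType"] = nLoginType.ToString();

        // Convenience cookies. The browser can rewrite them at will, so pages must
        // take the role from the authenticated identity or the session, never from
        // the "loginType" cookie.
        // "wrapper" is not set anywhere in this class; skip the cookie instead of
        // failing with a NullReferenceException when the session has no such value.
        object wrapperValue = objSession["wrapper"];
        if (wrapperValue != null)
        {
            System.Web.HttpCookie wrapperCookie = new System.Web.HttpCookie("wrapper");
            wrapperCookie.Value = wrapperValue.ToString();
            ApplyCookiePolicy(wrapperCookie, bPersist);
            objResponse.Cookies.Add(wrapperCookie);
        }

        System.Web.HttpCookie lgnTypeCookie = new System.Web.HttpCookie("loginType");
        lgnTypeCookie.Value = nLoginType.ToString();
        ApplyCookiePolicy(lgnTypeCookie, bPersist);
        objResponse.Cookies.Add(lgnTypeCookie);

        return landingPage;
    }

    // Shared hardening for the convenience cookies.
    private static void ApplyCookiePolicy(System.Web.HttpCookie cookie, bool bPersist)
    {
        // Hidden from client script (needs .NET 2.0 or later); relax only if a page
        // legitimately reads the value in JavaScript.
        cookie.HttpOnly = true;

        // The 30-day lifetime applies only when the user ticked "Save my login";
        // otherwise the cookie ends with the browser session, like the auth ticket.
        if (bPersist)
        {
            cookie.Expires = DateTime.Now.AddDays(30);
        }

        // NOTE(review): when the site is served over HTTPS, also mark these cookies
        // and the forms ticket as secure so they are never sent over plain HTTP.
    }

    /// <summary>
    /// Verifies the login and password that were given
    /// </summary>
    /// <param name="email">the login</param>
    /// <param name="password">the password</param>
    /// <param name="nLoginID">returns the login id, 0 when the login is rejected</param>
    /// <param name="nLoginType">returns the login type, 0 when the login is rejected</param>
    public void Login(string email, string password, ref int nLoginID, ref int nLoginType)
    {
        // Fail closed: both outputs are "not logged in" until a row proves otherwise,
        // including when the query below throws.
        nLoginID = 0;
        nLoginType = 0;

        if (email == null || password == null)
        {
            return;
        }

        ResetSql();
        DataSet ds = new DataSet();

        // Parameters keep user input out of the SQL text.
        SqlParameter paramLogin = new SqlParameter("@username", SqlDbType.VarChar, 100);
        paramLogin.Value = email;

        // NOTE(review): a sized VarChar parameter is expected to cut longer input down
        // to 20 characters, so two passwords sharing their first 20 characters would
        // compare equal; confirm and widen the column if so.
        // NOTE(review): the procedure receives the password as typed. Confirm that
        // glbl_Login compares it against a salted hash, not a stored clear-text value.
        SqlParameter paramPassword = new SqlParameter("@password", SqlDbType.VarChar, 20);
        paramPassword.Value = password;

        Command.CommandType = CommandType.StoredProcedure;
        Command.CommandText = "glbl_Login";
        Command.Parameters.Add(paramLogin);
        Command.Parameters.Add(paramPassword);

        Adapter.TableMappings.Add("Table", "Login");
        Adapter.SelectCommand = Command;
        Adapter.Fill(ds);

        // A failed login can come back as a table with no rows; the original indexed
        // Rows[0] unconditionally and threw instead of reporting the failure.
        if (ds.Tables.Count == 0 || ds.Tables[0].Rows.Count == 0)
        {
            return;
        }

        DataRow row = ds.Tables[0].Rows[0];
        if (row.IsNull("Login_ID") || row.IsNull("Login_Type"))
        {
            return;
        }

        // Get the login id and the login type
        nLoginID = Convert.ToInt32(row["Login_ID"].ToString());
        nLoginType = Convert.ToInt32(row["Login_Type"].ToString());
    }
}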
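/// <summary>
/// Base class for the data helpers: owns one SqlConnection together with a command,
/// a data adapter and a data set that derived classes reuse from query to query.
/// </summary>
public abstract class CSql
{
    private SqlConnection sqlConnection; // Connection, built from the configured connection string
    private SqlCommand sqlCommand; // Command
    private SqlDataAdapter sqlDataAdapter; // Data Adapter
    private DataSet sqlDataSet; // Data Set

    /// <summary>
    /// Creates the connection from the appSettings key "ConnectionString" and binds
    /// a fresh command to it.
    /// </summary>
    public CSql()
    {
        // NOTE(review): the connection string lives in web.config. Prefer integrated
        // security or a least-privilege SQL login, and keep the credential out of
        // source control (for example with an encrypted configuration section).
        sqlConnection = new SqlConnection(ConfigurationSettings.AppSettings["ConnectionString"]);
        sqlCommand = new SqlCommand();
        sqlDataAdapter = new SqlDataAdapter();
        sqlDataSet = new DataSet();
        sqlCommand.Connection = sqlConnection;
    }

    /// <summary>
    /// Access to our sql command
    /// </summary>
    protected SqlCommand Command
    {
        get { return sqlCommand; }
    }

    /// <summary>
    /// Access to our data adapter
    /// </summary>
    protected SqlDataAdapter Adapter
    {
        get { return sqlDataAdapter; }
    }

    /// <summary>
    /// Makes sure that everything is clear and ready for a new query
    /// </summary>
    protected void ResetSql()
    {
        // A new command drops the previous text and, importantly, the previous
        // parameters, so values from one query cannot leak into the next.
        if (sqlCommand != null)
        {
            sqlCommand = new SqlCommand();
            sqlCommand.Connection = sqlConnection;
        }

        if (sqlDataAdapter != null)
        {
            sqlDataAdapter = new SqlDataAdapter();
        }

        // The previous data set is replaced, not cleared: a caller still holding the
        // result of an earlier RunQuery keeps its data.
        if (sqlDataSet != null)
        {
            sqlDataSet = new DataSet();
        }
    }

    /// <summary>
    /// Runs our command and returns the dataset
    /// </summary>
    /// <returns>the data set</returns>
    protected DataSet RunQuery()
    {
        sqlDataAdapter.SelectCommand = Command;

        // Fill opens the connection when it finds it closed and closes it again when
        // done, so the Open()/Close() pair the original ran just before it was a
        // wasted round trip and has been dropped.
        sqlDataAdapter.Fill(sqlDataSet);
        return sqlDataSet;
    }
}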
}







