个人思路,请大神看到了指点

个人理解token是防止扫号机或者恶意注册、恶意发表灌水,有些JS写的token算法,也会被抓出来被利用,个人感觉还是用会过期的Session做token更好,服务器存储,加载到客户端页面,然后进行对比

index.aspx

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="index.aspx.cs" Inherits="index" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
<script type="text/javascript" src="jquery.js"></script>
<script>
function submist() {
if ($("#HDToken").val() != null) {
var JsonData = {
Token: $("#HDToken").val(),
sid: Math.random()
}; $.ajax({
type: "post",
url: "index.ashx",
dataType: "json",
data: JsonData,
success: function (data) {
if (data[0].status == 'success') { alert("成功" + data[0].message); }
else {
alert("失败" + data[0].message); }
},
error: function (data, status, e) {
alert("系统错误" + status + "|" + data[0].message); }
});
}
else {
alert("回话过期,重新刷新页面");
return;
}
} </script>
</head>
<body>
<form id="form1" runat="server">
<div>
<input id="HDToken" type="hidden" runat="server" />
<input id="Button1" type="button" value="提交" onclick="submist()"/>
<asp:Button ID="Button2" runat="server" Text="清除" onclick="Button2_Click" />
</div>
</form>
</body>
</html>

index.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls; public partial class index : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{ if (!IsPostBack)
{
string Token = "";
if (Session["Token"] == null)
{
Session["Token"] = DateTime.Now.ToString();
Token = Session["Token"].ToString();
HDToken.Value = FormsAuthentication.HashPasswordForStoringInConfigFile(Token, "md5").ToLower();//MD5加密后赋值给隐藏域
//Response.Write(HDToken.Value); }
else
{
Token = Session["Token"].ToString();
HDToken.Value = FormsAuthentication.HashPasswordForStoringInConfigFile(Token, "md5").ToLower();
// Response.Write(HDToken.Value); //以下为回话过期,可以放在Global.asax 做定时器
TimeSpan span=DateTime.Now.Subtract(Convert.ToDateTime(Session["Token"]));
int min = span.Minutes + ;
if (min > )
{
Session.Remove("Token");//时间大于1分钟,移除
}
} }
}
protected void Button2_Click(object sender, EventArgs e)
{
Session.Abandon();
}
}

index.ashx

<%@ WebHandler Language="C#" Class="index" %>

using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState; public class index : IHttpHandler, IRequiresSessionState
{ public void ProcessRequest(HttpContext context)
{
context.Response.ContentType = "text/plain";
string Token = context.Request["Token"];//获得隐藏域的值
if (context.Session["Token"] != null)
{ if (FormsAuthentication.HashPasswordForStoringInConfigFile(context.Session["Token"].ToString(), "md5").ToLower() == Token)
{
context.Response.Write("[{\"message\":\"成功\",\"status\":\"success\"}]");
context.Response.End();
return;
}
else
{
context.Response.Write("[{\"message\":\"失败\",\"status\":\"error\"}]");
context.Response.End();
return;
}
}
else
{
context.Response.Write("[{\"message\":\"过期\",\"status\":\"error\"}]");
context.Response.End();
return;
} } public bool IsReusable {
get {
return false;
}
} }

另一种方法,在请求头部加入token

    if (!IsPostBack)
{
///生成 Token
string Token = new Random().NextDouble().ToString();
Session["token"] = Token;
System.Web.UI.HtmlControls.HtmlGenericControl script = new System.Web.UI.HtmlControls.HtmlGenericControl("script");
script.Attributes.Add("type", "text/javascript");
script.InnerHtml = @"
$.ajaxSetup({
beforeSend: function (xhr) {
xhr.setRequestHeader(""token"", """ + Token + @""");
}
});
";
Page.Header.Controls.Add(script);
}

在请求结果页面直接获得string Token = context.Request.Headers["token"];

05-06 04:36