中的激活

中的激活

关注
发信
关注(28)粉丝(399)

实施安全、独特的“一次性"ASP.NET (C#) 中的激活 URL

本文介绍了实施安全、独特的“一次性"ASP.NET (C#) 中的激活 URL的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有一个场景,我正在构建的网站的用户需要能够将一些基本信息输入到 Web 表单中而无需登录.该网站正在使用 ASP.NET/C# 开发,并使用 MSSQL 2005 处理其关系数据.

I have a scenario inwhich users of a site I am building need the ability to enter some basic information into a webform without having to logon. The site is being developed with ASP.NET/C# and is using MSSQL 2005 for its relational data.

网站将向用户发送一封电子邮件,为他们提供一个独特的链接以输入他们所需的特定信息.该电子邮件将与我们在注册论坛等网站时收到的电子邮件样式非常相似,其中包含一个随机生成的、唯一的 URL 参数,该参数专门针对单一目的(例如验证论坛的电子邮件地址).

The users will be sent an email from the site, providing them a unique link to enter the specific information they are required. The email will be very similar to the style of email we all get when registering for sites such as forums, containing a randomly generated, unique URL paramter specifically pertaining to a single purpose (such as verifying an email address for a forum).

我的问题是关于这个问题的安全实施.我正在考虑使用 GUID 作为唯一标识符,但不确定它在安全领域的影响.

My queries are regarding the secure implementation of this problem. I was considering using a GUID as the unique identifier, but am unsure of its implications in the security world.

  1. GUID 是否足够长,以至于无法轻易猜出值(或随着时间的推移被暴力破解)?

  2. .NET 的 GUID 实现是否足够随机,即在密钥空间"中生成所有可能值的机会均等?

  1. Is a GUID sufficiently long enough such that values cannot be easily guessed (or brute-forced over time)?

  2. Is .NET's GUID implmentation sufficiently random in the sense that there is an equal chance of generation of all possible values in the "key space"?

如果使用 GUID 是一种可接受的方法,那么网站是否应该通过 URL 重写或通过将数据表中的信息与 GUID 关联作为参考来重定向到信息?

If using a GUID is an acceptable approach, should the site then redirect to the information via URL rewriting or by associating the information in a datatable with the GUID as a reference?

使用 URL 重写会隐藏数据的真实来源吗?

Will using a URL rewriting hide the true source of the data?

我是否应该考虑使用 TSQL 的 SELECT NEWID() 作为 .NET 实现的 GUID 生成器?

Should I consider using TSQL's SELECT NEWID() as the GUID generator over the .NET implementation?

我解决这个问题的方法完全错了吗?

Am I completely wrong with my approach to this problem?

非常感谢,

卡尔

推荐答案

  1. 是的,2 已经足够长了.
  2. 不,GUID 实现旨在生成唯一 GUID,而不是随机的.您应该使用 加密安全 随机数生成器(例如 RNGCryptoServiceProvider) 生成 16 个随机字节并初始化一个 Guid 结构.
  3. 是的,总体而言,这是一种可以接受的方法.两者都可以.
  4. 是的,如果你不提供任何其他线索
  5. 不,转到 2
  6. 不,还可以.您只需要使用加密安全的随机数生成器来生成 GUID.
  1. Yes, 2 is long enough.
  2. No, GUID implementations are designed to generate unique GUIDs rather than random ones. You should use a cryptographically secure random number generator (e.g. RNGCryptoServiceProvider) to generate 16 random bytes and initialize a Guid structure with that.
  3. Yes, it's an acceptable approach overall. Both will work.
  4. Yes, if you don't give out any other clues
  5. No, goto 2
  6. No, it's pretty OK. You just need to use a cryptographically secure random number generator to generate the GUID.

这篇关于实施安全、独特的“一次性"ASP.NET (C#) 中的激活 URL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-06 02:02
Powered by LMLPHP ©2024 中的激活 0.050412