问题描述

我已经读过通过GUID保护AJAX请求和保护Ajax请求.现在让我解释一下我的情况，下面是可以帮助您解释主题的代码段.

I already readSecuring AJAX Requests via GUIDandSecuring an ajax request. Now let me explain my scenario, below would be code snippet that may aid at explaining in the subject matter.

[WebMethod[EnableSession = True]
[ScriptMethod]

    public static string CreateTitle(string strTitleName)
    {
    string strResult = "Custom jSon string";
    if(Session["Authorized"] == "True" && !String.IsNullOrEmpty(strTitleName))
    {
         String strTitle = Server.HtmlEncode(strTitleName);
         InsertRecordInDB(strTitle);
         strResult = "Custom jSOn string" + EncryptMD5("record id");
    }
           return strResult;
    }

及以下是用于发送参数的javascript调用. btnCreateTitle_click是按钮客户端的click事件. txtTitle是接受标题名称的文本框.页面上也会创建验证器以验证文本框.CreateTitle是我使用scriptmanager调用的页面方法

and below is the javascript call to send in the parameters. btnCreateTitle_click is the click event of the button client side. txtTitle is the textbox accepting the title name. Validators are created on the page to validate the textbox too.CreateTitle is a page method i call using scriptmanager

function btnCreateTitle_Click(evnt){
if(Page.ClientValidate()){
if($get("txtTitle")){
PageMethods.CreateTitle($get("txtTitle").value,success,failure,context);
}}}

函数成功显示一条咆哮消息，表明标题已创建，并显示带有加密记录ID的链接，作为查询字符串的URL，以查看所创建标题的详细信息.

the function success shows a growl message that title was created and shows a link with encrypted record id as query string to the url to view the details of created title.

现在是一个亟待解决的问题，

Now the burning question,

1. 这样够安全吗?我想念什么?
2. 我如何使该过程更安全，更快捷?

推荐答案

虽然将任何方法都限制在经过身份验证和授权的用户上是微不足道的，但是当您在查询字符串中公开数据库ID时，确实会打开经过身份验证和授权的用户的可能性可能会试图访问他们没有得到的记录.当db id是整数或其他容易猜到的标识符时，尤其如此.将Guid用作db id可以减轻这种风险，尽管不是绝对的.

While it is trivial to restrict any method to authenticated and authorised users, when you expose db id's in query strings you do open the possibility that an authenticated and authorised user may seek to access records that they aught not. This is particularly so when the db id's are integers or some other easily guessed identifier. Using Guids as db ids may mitigate the risk of this, though not absolutely.

您始终需要记住的是不要信任输入".通过模糊(即加密等)进行的安全性不是一种可靠的技术.您的服务应始终验证是否允许当前用户检索他们所请求的记录.有时，这被称为行级安全性.这只能以编程方式完成.

What you always need to remember is DO NOT TRUST INPUT. Security through obscurity (ie encryption etc) is not a reliable technique. Your service should always verify the the current user is allowed to retrieve the records they have requested. Sometimes this is known as row level security. This can only be done programmatically.

例如，您不仅需要确定某人有权查看记录，还需要验证他们是否确实有权访问他们所请求的记录.

eg instead of only determining that someone is authorised to view a record, you need to verify that they have rights in fact to access the record they are requesting.

这意味着您需要某种方式将记录与经过身份验证的用户相关联.

This means you need some way of relating records to an authenticated user.

顺便说一句:验证任何HTTP请求是否具有潜在的危险输入.

BTW: any HTTP request is validated for potentially dangerous input.

希望这会有所帮助，

这篇关于通过身份验证的Webform保护ASP.net中的Ajax请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！