ASP.NET 的一点安全知识
时间:2010-07-16 来源:cuisuqiang
web.config 中 &lt;authorization&gt; 节的配置说明(规则自上而下匹配,第一条命中的规则生效;未命中任何规则的请求按继承的默认设置处理,默认为允许):
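<!-- Allow Kim and the Admins role; deny John and anonymous users.
     Rules are evaluated top to bottom and the FIRST match wins, so John is
     still admitted if he is a member of Admins (the roles rule above matches
     before his deny). "?" (anonymous) and "*" (everyone) are wildcards of the
     users attribute only; <deny roles="?"/> would never match anyone, leaving
     anonymous requests allowed by the inherited default. Authenticated users
     that match no rule also fall through to that default (allow). -->
<authorization>
  <allow users="Kim"/>
  <allow roles="Admins"/>
  <deny users="John"/>
  <deny users="?"/>
</authorization>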
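<!-- Allow only Kim; deny everyone else. "*" is the users-attribute wildcard
     for all identities, authenticated or not. roles="*" would only match a
     role literally named "*", so everyone except Kim would still be admitted
     by the inherited default. -->
<authorization>
  <allow users="Kim"/>
  <deny users="*"/>
</authorization>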
<!-- Only Kim may POST; anyone may GET. Rules are first-match, so the POST
     deny only reaches identities the POST allow did not match. Verbs that are
     not listed here (HEAD, PUT, DELETE, OPTIONS, ...) appear to match no rule
     and would then fall through to the inherited default (allow); add a final
     <deny users="*"/> if those must be closed as well. -->
<authorization>
<allow verbs="GET" users="*"/>
<allow verbs="POST" users="Kim"/>
<deny verbs="POST" users="*"/>
</authorization>
一个Form认证的实例:
指定为Form认证:
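<!-- Use Forms authentication. loginUrl is the page unauthenticated requests
     for protected resources are redirected to (the original path is appended
     as ?ReturnUrl=...). The attribute value must not carry a trailing space
     and XML does not accept "//" comments. Consider requireSSL="true" so the
     ticket cookie is only ever sent over HTTPS. -->
<authentication mode="Forms">
  <forms name="asp" loginUrl="Login.aspx" />
</authentication>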
提交按钮处理代码:
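/// <summary>
/// Login button handler: checks the submitted credentials, issues a Forms
/// authentication ticket in a cookie and redirects to the page the user
/// originally asked for (ReturnUrl) or to Default.aspx.
/// </summary>
/// <param name="sender">The button that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Button1_Click(object sender, EventArgs e)
{
    // Demo-only credential check: a hard-coded user name and plain-text
    // password compared with ordinary string equality. Real code must look the
    // user up in a store and compare a salted, iterated password hash; never
    // ship fixed credentials in source.
    bool isSafe = this.TextBox1.Text.Equals("admin") && this.TextBox2.Text.Equals("123");
    if (!isSafe)
    {
        return;
    }

    // Ticket: version 1, valid 30 minutes from now, persistent only when the
    // "remember me" box is checked. The userData string ("User") is opaque to
    // ASP.NET: it is NOT turned into a role, so User.IsInRole() will not see it
    // unless a principal is built from it elsewhere (e.g. Application_AuthenticateRequest).
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
        1, TextBox1.Text, DateTime.Now, DateTime.Now.AddMinutes(30),
        this.CheckBox1.Checked, "User");

    // Encrypt and sign the ticket with the machineKey so the client can neither
    // read nor forge it.
    string cookieStr = FormsAuthentication.Encrypt(ticket);

    HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, cookieStr);
    // Keep the ticket out of reach of page script (limits XSS impact) and, when
    // the login itself arrived over HTTPS, off plain-HTTP requests. Note that
    // IsSecureConnection reports false behind a TLS-offloading proxy.
    cookie.HttpOnly = true;
    cookie.Secure = Request.IsSecureConnection;
    if (CheckBox1.Checked)
    {
        // "Remember me": give the cookie an expiry so the browser keeps it;
        // without one it is a session cookie that dies with the browser.
        cookie.Expires = ticket.Expiration;
    }
    cookie.Path = FormsAuthentication.FormsCookiePath;
    Response.Cookies.Add(cookie);

    // ReturnUrl is just a query-string value and therefore attacker-controlled.
    // Follow it only when it points inside this site; otherwise the login page
    // is an open redirect that hands freshly authenticated users to a phishing host.
    string strRedirect = Request["ReturnUrl"];
    if (!IsLocalUrl(strRedirect))
    {
        strRedirect = "Default.aspx";
    }
    Response.Redirect(strRedirect, true); // endResponse: stop processing this page
}

/// <summary>
/// True when <paramref name="url"/> is a root-relative ("/path") or
/// application-relative ("~/path") path and so cannot leave this site.
/// Null/empty values, absolute URLs and the scheme-relative forms "//host"
/// and "/\host" (which browsers treat as a different host) are rejected.
/// </summary>
/// <param name="url">The redirect target to vet.</param>
/// <returns>True if the target stays on this site.</returns>
private static bool IsLocalUrl(string url)
{
    if (string.IsNullOrEmpty(url))
    {
        return false;
    }
    if (url[0] == '/')
    {
        // "/" alone is fine; "//..." and "/\..." are scheme-relative and escape the host.
        return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
    }
    if (url.Length >= 2 && url[0] == '~' && url[1] == '/')
    {
        return url.Length == 2 || (url[2] != '/' && url[2] != '\\');
    }
    return false;
}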
在Default.aspx完成这样的事情:
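/// <summary>
/// Shows the authenticated user's name and, for members of the "admin" role,
/// emits a greeting script.
/// </summary>
/// <param name="sender">The page (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Page_Load(object sender, EventArgs e)
{
    // User is the principal ASP.NET built from the Forms ticket; Name is the
    // user name stored in the ticket, which originally came from a text box,
    // so HTML-encode it before placing it in the page (Label.Text is not encoded).
    this.Label1.Text = Server.HtmlEncode(User.Identity.Name);
    // NOTE(review): a Forms ticket carries no roles on its own. This check is
    // only true when roles are supplied elsewhere (roleManager, or a principal
    // built in Application_AuthenticateRequest) — the login code's userData
    // string "User" does not make anyone an "admin".
    if (User.IsInRole("admin"))
    {
        // Browsers ignore an unknown <javascript> element; the alert only runs
        // inside <script>. The text is a constant, so no encoding is needed
        // here — never Response.Write user-supplied strings this way.
        Response.Write("<script>alert('hello admin')</script>");
    }
}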
/// <summary>
/// Sign-out button: removes the Forms authentication cookie and sends the
/// browser back to the login page.
/// </summary>
/// <param name="sender">The button that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Button1_Click(object sender, EventArgs e)
{
    // SignOut only clears the cookie in this browser. Tickets are stateless,
    // so a copy an attacker already holds stays valid until its own expiry.
    FormsAuthentication.SignOut();
    string loginPage = "~/Login.aspx";
    Response.Redirect(loginPage);
}
另一种发放凭证的写法:
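// Alternative: let ASP.NET build the ticket and cookie. SetAuthCookie marks the
// cookie HttpOnly (and Secure when requireSSL is configured); Default.aspx then
// reads the name through User.Identity.Name. The second argument makes the
// cookie persistent for the configured timeout.
string strRe = Request["ReturnUrl"];
System.Web.Security.FormsAuthentication.SetAuthCookie(this.TextBox1.Text, true);
// ReturnUrl comes from the query string and is attacker-controlled, so confine
// it to this site before following it (open redirect otherwise): accept only
// root-relative "/..." or app-relative "~/..." paths, and not the scheme-relative
// "//host" / "/\host" forms. FormsAuthentication.RedirectFromLoginPage does the
// cookie and redirect in one call, but how strictly it vets ReturnUrl depends on
// the framework version, so the explicit check is kept here.
bool isLocal = !string.IsNullOrEmpty(strRe)
    && ((strRe.StartsWith("/", StringComparison.Ordinal)
            && !strRe.StartsWith("//", StringComparison.Ordinal)
            && !strRe.StartsWith("/\\", StringComparison.Ordinal))
        || (strRe.StartsWith("~/", StringComparison.Ordinal)
            && !strRe.StartsWith("~//", StringComparison.Ordinal)
            && !strRe.StartsWith("~/\\", StringComparison.Ordinal)));
if (isLocal)
{
    // Redirect ends the response, so the fallback below is not reached.
    Response.Redirect(strRe);
}
Response.Redirect("Default.aspx");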
进行 MD5 哈希的方法(注意:MD5 是单向散列而不是加密,且不加盐的 MD5 不适合用于存储口令):
// Unsalted MD5 of the submitted text, returned as a hex string. This helper was
// marked obsolete in later framework versions, and MD5 is not acceptable for
// password storage: identical passwords give identical hashes and the digest
// is trivially brute-forced. Use a salted, iterated KDF (Rfc2898DeriveBytes /
// PBKDF2, or Argon2/bcrypt) for stored passwords.
this.Label1.Text = System.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile(this.TextBox1.Text,"md5");
利用 System.Security.Cryptography 生成密码学安全的随机字节(并与 System.Random 对比):
using System.Security.Cryptography;
using System.Text;
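/// <summary>
/// Demo button: Label2 shows 8 bytes from the cryptographic RNG as hex,
/// Label3 a value from System.Random for comparison.
/// </summary>
/// <param name="sender">The button that raised the event (unused).</param>
/// <param name="e">Event data (unused).</param>
protected void Button1_Click(object sender, EventArgs e)
{
    // RNGCryptoServiceProvider output is unpredictable: this is the source to
    // use for tokens, salts, session identifiers and keys.
    this.Label2.Text = BytesToHex(GetRandomByBytes(8));
    // System.Random is a deterministic PRNG: fine for demos and shuffling,
    // never for anything security-relevant. The original seeded it with the
    // constant 100, so every click displayed the same "random" number; an
    // unseeded instance at least varies between calls.
    Random r = new Random();
    this.Label3.Text = r.Next().ToString();
}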
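/// <summary>
/// Returns <paramref name="iByte"/> bytes from the platform cryptographic RNG.
/// </summary>
/// <param name="iByte">Number of bytes wanted; 0 yields an empty array, a
/// negative value fails at the array allocation.</param>
/// <returns>A fresh array filled with unpredictable bytes.</returns>
private byte[] GetRandomByBytes(int iByte)
{
    byte[] randomData = new byte[iByte];
    // The provider wraps an OS handle; dispose it instead of leaking it to the finalizer.
    using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
    {
        rng.GetBytes(randomData);
    }
    return randomData;
}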
/// <summary>
/// Hex-encodes a byte array as upper-case digits, two per byte, with no
/// separators (e.g. {0x0A, 0xFF} -> "0AFF"); an empty array gives "".
/// </summary>
/// <param name="byteArr">Bytes to encode (must not be null).</param>
/// <returns>The upper-case hex string.</returns>
private string BytesToHex(byte[] byteArr)
{
    StringBuilder hex = new StringBuilder(byteArr.Length * 2);
    foreach (byte b in byteArr)
    {
        hex.Append(b.ToString("X2"));
    }
    return hex.ToString();
}