2012-12-30 131 views
0

Do you have any suggested improvements for the following function class? ASP.net correct login - logout class - control login status

Ok, here is how I log in a registered member

    HttpCookie LoginInfo = new HttpCookie("LoginInfo");
    LoginInfo.Values["UserName"] = srUserName;
    LoginInfo.Values["Password"] = srPassword;
    LoginInfo.Values["selectedLanguage"] = srSelectedLanguage;
    Response.Cookies.Add(LoginInfo);

Here is how I check whether the visitor is logged in or not

    public static void controlOfLoginStatus()
    {
        string srQuery = "";
        string srUserName = "";
        string srPassword = "";
        string srLang = "";

        if (HttpContext.Current.Session["UserId"] == null)
        {
            if (HttpContext.Current.Request.Cookies["LoginInfo"] != null)
            {
                try
                {
                    srUserName = HttpContext.Current.Request.Cookies["LoginInfo"]["UserName"].ToString();
                    srPassword = HttpContext.Current.Request.Cookies["LoginInfo"]["Password"].ToString();
                    srLang = HttpContext.Current.Request.Cookies["LoginInfo"]["selectedLanguage"].ToString();
                }
                catch
                {
                }
            }
            string srUserIdTemp = csPublicFunctions.ReturnUserIdUsernamePassword(srUserName, srPassword);
            if (srUserIdTemp == "0")
            {
                HttpContext.Current.Session.Clear();
                HttpContext.Current.Session.Abandon();
                HttpContext.Current.Response.Redirect("Login");
            }
            else
            {
                csPublicFunctions.insertIntoOnlineUsers(srUserIdTemp, HttpContext.Current.Session.SessionID);
                HttpContext.Current.Session["UserId"] = srUserIdTemp;
                if (HttpContext.Current.Session["lang"] == null)
                    HttpContext.Current.Session["lang"] = srLang;
            }
        }

        srQuery = "SELECT UserId " +
                  " FROM BannedUsers" +
                  " WHERE UserId = " + HttpContext.Current.Session["UserId"].ToString();
        using (DataTable dtTemp = DbConnection.db_Select_DataTable(srQuery))
        {
            if (dtTemp.Rows.Count > 0)
            {
                HttpContext.Current.Response.Redirect("exit.aspx");
            }
        }
    }

Here is how I log out

    public static void exitLogout()
    {
        string srQuery = "delete from OnlineUsers where UserId=" + HttpContext.Current.Session["UserId"].ToString();
        DbConnection.db_Update_Delete_Query(srQuery);

        try
        {
            HttpContext.Current.Session["UserId"] = "0";
            HttpContext.Current.Session.Clear();
            HttpContext.Current.Session.Abandon();
        }
        catch
        {
        }

        try
        {
            HttpCookie LoginInfo = new HttpCookie("LoginInfo");
            LoginInfo.Values["UserName"] = "21412zxcvzxc343245243vvc";
            LoginInfo.Values["Password"] = "21412zxcvzxc343245243vvc";
            LoginInfo.Values["selectedLanguage"] = "en";
            HttpContext.Current.Response.Cookies.Add(LoginInfo);
        }
        catch
        {
        }
    }

csPublicFunctions.ReturnUserIdUsernamePassword uses parameterized queries, so there is no possible SQL injection risk there

+0

You have possible SQL injection in your 'UserID = x' where clause. Any time you build a query with string concatenation, if you don't properly escape your values you run the risk of SQL injection. I wouldn't recommend storing the user's username and password in a cookie; you can store an authorization token that doesn't contain any personally identifiable information instead. This question might be a better fit for http://codereview.stackexchange.com. You also have try/catch blocks that catch every exception and do nothing, which is also bad form. – Matthew

+0

@Matthew Thanks for the recommendation. The session userid variable is always checked to be an integer and valid before it is assigned. So there is no possibility, unless they are able to hack the server and change the session. – MonsterMMORPG

+0

It's probably a better habit to always use prepared statements. – Matthew

Answer

2

I strongly recommend that you use ASP.NET FormsAuthentication together with the built-in membership provider. The code will be much cleaner and more standardized.

In your case I would use SqlMembershipProvider. Check this link:

http://bensteinhauser.wordpress.com/2012/07/16/using-the-sqlmembershipprovider/

Here is a login code sample

    var authTicket = new FormsAuthenticationTicket(1, //version
        login.UserName, // user name
        DateTime.Now, //creation
        DateTime.Now.AddMinutes(30), //Expiration
        true, //Persistent
        userId);

    var encTicket = FormsAuthentication.Encrypt(authTicket);
    Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));

Logging out is simple

    FormsAuthentication.SignOut();

And checking whether the user is logged in is just

    User.Identity.IsAuthenticated
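An added example (not code from the question or the answer) that puts the answer's advice and Matthew's two comments together: the login / status check / logout flow from the question rebuilt on FormsAuthentication so that no password is written to a cookie, with the BannedUsers lookup parameterized. It assumes a connection string named "MainDb" in web.config and the BannedUsers table from the question; the class and method names are made up for this example.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
using System.Web.Security;

public static class LoginHelper
{
    // Login: call this only after the membership provider has validated the credentials.
    // The ticket is encrypted and signed by ASP.NET, so the cookie carries the user name
    // and id but never the password; HttpOnly/Secure keep it away from scripts and plain HTTP.
    public static void IssueTicket(HttpResponse response, string userName, int userId)
    {
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(30), false /* not persistent */, userId.ToString());
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = true };
        response.Cookies.Add(cookie);
    }

    // Status check, replacing controlOfLoginStatus: returns the user id, or null when the
    // visitor is not authenticated or is banned (the caller decides where to redirect).
    public static int? GetAuthenticatedUserId(HttpContext ctx)
    {
        if (!ctx.User.Identity.IsAuthenticated) return null;
        var identity = ctx.User.Identity as FormsIdentity;
        int userId;
        if (identity == null || !int.TryParse(identity.Ticket.UserData, out userId)) return null;
        return IsBanned(userId) ? (int?)null : userId;
    }

    // BannedUsers lookup with a typed parameter instead of string concatenation.
    private static bool IsBanned(int userId)
    {
        var cs = ConfigurationManager.ConnectionStrings["MainDb"].ConnectionString; // assumed name
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT 1 FROM BannedUsers WHERE UserId = @UserId", conn))
        {
            cmd.Parameters.Add("@UserId", System.Data.SqlDbType.Int).Value = userId;
            conn.Open();
            return cmd.ExecuteScalar() != null;
        }
    }

    // Logout: SignOut removes the forms cookie; the session is dropped so nothing lingers.
    public static void Logout(HttpContext ctx)
    {
        FormsAuthentication.SignOut();
        ctx.Session.Clear();
        ctx.Session.Abandon();
    }
}
```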