0
您是否對以下函數類有任何建議改進?ASP.net正確的登錄 - 註銷類 - 控制登錄狀態
好怎麼在這裏我做一個註冊會員登錄
HttpCookie LoginInfo = new HttpCookie("LoginInfo");
LoginInfo.Values["UserName"] = srUserName;
LoginInfo.Values["Password"] = srPassword;
LoginInfo.Values["selectedLanguage"] = srSelectedLanguage;
Response.Cookies.Add(LoginInfo);
這裏我該如何檢查訪客登錄或沒有
public static void controlOfLoginStatus()
{
string srQuery = "";
string srUserName = "";
string srPassword = "";
string srLang = "";
if (HttpContext.Current.Session["UserId"] == null)
{
if (HttpContext.Current.Request.Cookies["LoginInfo"] != null)
{
try
{
srUserName = HttpContext.Current.Request.Cookies["LoginInfo"]["UserName"].ToString();
srPassword = HttpContext.Current.Request.Cookies["LoginInfo"]["Password"].ToString();
srLang = HttpContext.Current.Request.Cookies["LoginInfo"]["selectedLanguage"].ToString();
}
catch
{
}
}
string srUserIdTemp = csPublicFunctions.ReturnUserIdUsernamePassword(srUserName, srPassword);
if (srUserIdTemp == "0")
{
HttpContext.Current.Session.Clear();
HttpContext.Current.Session.Abandon();
HttpContext.Current.Response.Redirect("Login");
}
else
{
csPublicFunctions.insertIntoOnlineUsers(srUserIdTemp, HttpContext.Current.Session.SessionID);
HttpContext.Current.Session["UserId"] = srUserIdTemp;
if (HttpContext.Current.Session["lang"] == null)
HttpContext.Current.Session["lang"] = srLang;
}
}
srQuery = "SELECT UserId " +
" FROM BannedUsers" +
" WHERE UserId = " + HttpContext.Current.Session["UserId"].ToString();
using (DataTable dtTemp = DbConnection.db_Select_DataTable(srQuery))
{
if (dtTemp.Rows.Count > 0)
{
HttpContext.Current.Response.Redirect("exit.aspx");
}
}
}
這裏我如何註銷
public static void exitLogout()
{
string srQuery = "delete from OnlineUsers where UserId=" + HttpContext.Current.Session["UserId"].ToString();
DbConnection.db_Update_Delete_Query(srQuery);
try
{
HttpContext.Current.Session["UserId"] = "0";
HttpContext.Current.Session.Clear();
HttpContext.Current.Session.Abandon();
}
catch
{
}
try
{
HttpCookie LoginInfo = new HttpCookie("LoginInfo");
LoginInfo.Values["UserName"] = "21412zxcvzxc343245243vvc";
LoginInfo.Values["Password"] = "21412zxcvzxc343245243vvc";
LoginInfo.Values["selectedLanguage"] = "en";
HttpContext.Current.Response.Cookies.Add(LoginInfo);
}
catch
{
}
}
csPublicFunctions.ReturnUserIdUsernamePassword
使用參數化查詢,所以沒有可能的SQL注入風險
你有可能SQL注入你的'UserID = x' where子句。任何時候你使用字符串連接進行查詢,如果你沒有正確地轉義你的值,你就會冒SQL注入的風險。我不建議將用戶的用戶名和密碼存儲在cookie中,您可以存儲授權令牌,而不在其中包含任何個人身份信息。這個問題可能更適合http://codereview.stackexchange.com。你也有嘗試/抓住,但抓住每一個例外,什麼都不做,這也是不好的形式。 – Matthew
@Matthew謝謝你的推薦。會話userid變量在分配之前總是檢查爲整數和有效。所以沒有可能,除非他們能夠破解服務器並改變會話。 – MonsterMMORPG
這可能是一個更好的習慣,總是使用準備好的語句。 – Matthew