如果您願意,您可以使用驗證碼。例如與谷歌的驗證碼,你可以安裝microsoft-web-helpers的NuGet,以獲得您的私人/公共密鑰對註冊一個ReCaptcha account,然後簡單地修改您的視圖模型,這樣當你執行遠程調用中包括2個額外的字段:
public class CreateUserModel : EditUserModel
{
[Required]
[StringLength(6, MinimumLength = 3)]
[Remote("IsUID_Available", "Validation", AdditionalFields = "recaptcha_response_field,recaptcha_challenge_field", HttpMethod = "POST")]
[RegularExpression(@"(\S)+", ErrorMessage = "White space is not allowed.")]
[Editable(true)]
public override string UserName { get; set; }
}
,並在視圖:
@using Microsoft.Web.Helpers
@model CreateUserModel
@{
ReCaptcha.PublicKey = "... public key obtained from Google ...";
}
<script src="@Url.Content("~/Scripts/jquery.validate.js")" type="text/javascript"></script>
<script src="@Url.Content("~/Scripts/jquery.validate.unobtrusive.js")" type="text/javascript"></script>
@using (Html.BeginForm())
{
@Html.EditorFor(x => x.UserName)
@Html.ValidationMessageFor(x => x.UserName)
@ReCaptcha.GetHtml(theme: "red")
<button type="submit">OK</button>
}
,並在控制器:
[HttpPost]
public ActionResult IsUID_Available(string username)
{
if (!ReCaptcha.Validate(privateKey: "... private key obtained from Google ..."))
{
return Json("sorry, please enter a correct Captcha first");
}
// TODO: the user entered a correct Captcha => you can proceed
// into usrname existence verification:
bool userExists = _repository.UserExists(username);
return Json(userExists);
}
什麼樣的安全漏洞有你在想什麼?有人可以通過調用遠程驗證方法來識別使用的用戶名?這真的是安全漏洞嗎? – rouen
是的,我想這是一個有點偏執,但我想看看是否有防止腳本反對 – NullReference
做的是確保控制器的動作由遠程驗證電話打到的第一件事情的方式需要授權等等用戶必須至少登錄。然後將日誌記錄放入呼叫中,這樣至少可以捕獲呼叫時間和呼叫的人數。不要對任何被認爲對應用程序敏感的數據使用遠程驗證;它確實是一個方便的方法(並且應該注意**它不驗證服務器端**)。 –