个人思路,请大神看到了指点
个人理解，token 是用来防止扫号机、恶意注册和恶意灌水的。有些用 JS 写的 token 算法会被抓出来并被利用，所以个人感觉还是用会过期的 Session 做 token 更好：由服务器端存储，加载到客户端页面，提交时再进行对比。
index.aspx
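<%@ Page Language="C#" AutoEventWireup="true" CodeFile="index.aspx.cs" Inherits="index" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
    <script type="text/javascript" src="jquery.js"></script>
    <script type="text/javascript">
        // Posts the server-issued token digest (written into the hidden field by
        // Page_Load) to index.ashx, which recomputes the digest from the session
        // copy and compares.
        function submist() {
            var token = $("#HDToken").val();
            // jQuery's .val() returns "" for an empty hidden field, never null,
            // so the original "!= null" test could not detect a missing token.
            if (!token) {
                alert("回话过期,重新刷新页面");
                return;
            }
            var JsonData = {
                Token: token,
                sid: Math.random() // cache-buster only; the handler never reads it
            };
            $.ajax({
                type: "post",
                url: "index.ashx",
                dataType: "json",
                data: JsonData,
                success: function (data) {
                    if (data[0].status == 'success') {
                        alert("成功" + data[0].message);
                    } else {
                        alert("失败" + data[0].message);
                    }
                },
                // error() receives (jqXHR, textStatus, errorThrown). jqXHR is not
                // an array, so the original data[0].message threw inside the handler.
                error: function (xhr, status, e) {
                    alert("系统错误" + status + "|" + (e || xhr.statusText));
                }
            });
        }
    </script>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <input id="HDToken" type="hidden" runat="server" />
        <input id="Button1" type="button" value="提交" onclick="submist()" />
        <asp:Button ID="Button2" runat="server" Text="清除" onclick="Button2_Click" />
    </div>
    </form>
</body>
</html>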
index.cs
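using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

/// <summary>
/// Code-behind for index.aspx. Issues a short-lived, per-session token and renders
/// its MD5 digest into the hidden field HDToken. index.ashx recomputes the same
/// digest from Session["Token"] and compares it with the value the client posts.
/// </summary>
public partial class index : System.Web.UI.Page
{
    /// <summary>How long a token stays valid before the next page load issues a fresh one.</summary>
    private static readonly TimeSpan TokenLifetime = TimeSpan.FromMinutes(1);

    // Session keys. "Token" is also read by index.ashx, so its name must not change;
    // "TokenIssuedAt" is new and only used here.
    private const string TokenKey = "Token";
    private const string TokenIssuedKey = "TokenIssuedAt";

    /// <summary>
    /// On a fresh GET, ensures the session holds an unexpired token and writes its digest
    /// to HDToken. Postbacks (e.g. Button2) leave the token untouched.
    /// </summary>
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack)
        {
            return;
        }

        string token = Session[TokenKey] as string;
        DateTime? issuedAt = Session[TokenIssuedKey] as DateTime?;

        // Rotate the token *before* rendering. The original rendered the digest of the
        // old token and then removed the session copy, so the very next submit failed
        // with "过期" until the user refreshed again. It also tested span.Minutes,
        // which is only the 0–59 component of the span, not the total elapsed time.
        if (token == null || issuedAt == null || DateTime.UtcNow - issuedAt.Value > TokenLifetime)
        {
            token = NewToken();
            Session[TokenKey] = token;
            Session[TokenIssuedKey] = DateTime.UtcNow;
        }

        // Same (obsolete) MD5 helper that index.ashx uses, so both sides derive an
        // identical digest. Lowercase matches the handler's comparison.
        HDToken.Value = FormsAuthentication.HashPasswordForStoringInConfigFile(token, "md5").ToLowerInvariant();
    }

    /// <summary>
    /// Abandons the session, discarding the stored token so the next page load issues a new one.
    /// </summary>
    protected void Button2_Click(object sender, EventArgs e)
    {
        Session.Abandon();
    }

    /// <summary>
    /// Returns 32 cryptographically random bytes as lowercase hex. The original used
    /// DateTime.Now.ToString(), which is predictable to the second and therefore
    /// guessable by exactly the automation the token is meant to deter.
    /// </summary>
    private static string NewToken()
    {
        byte[] bytes = new byte[32];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return BitConverter.ToString(bytes).Replace("-", string.Empty).ToLowerInvariant();
    }
}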
index.ashx
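<%@ WebHandler Language="C#" Class="index" %>

using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

/// <summary>
/// AJAX endpoint for index.aspx. Recomputes the MD5 digest of the token stored in
/// Session["Token"] (issued by the page's Page_Load) and compares it with the digest
/// the client posted in the "Token" form field. Responds with a one-element JSON array.
/// </summary>
public class index : IHttpHandler, IRequiresSessionState
{
    // Response bodies are kept byte-identical to what the page's JS expects.
    private const string SuccessJson = "[{\"message\":\"成功\",\"status\":\"success\"}]";
    private const string MismatchJson = "[{\"message\":\"失败\",\"status\":\"error\"}]";
    private const string ExpiredJson = "[{\"message\":\"过期\",\"status\":\"error\"}]";

    /// <summary>
    /// Writes SuccessJson when the posted digest matches the session token, MismatchJson
    /// when it does not (or is absent), and ExpiredJson when the session holds no token.
    /// </summary>
    public void ProcessRequest(HttpContext context)
    {
        // The client requests dataType "json" and the body is JSON; label it as such.
        context.Response.ContentType = "application/json";

        // Read the form field only. context.Request["Token"] also searched the query
        // string and cookies, which widened how the value could be supplied.
        string posted = context.Request.Form["Token"];

        object stored = context.Session["Token"];
        if (stored == null)
        {
            context.Response.Write(ExpiredJson);
            return;
        }

        string expected = FormsAuthentication.HashPasswordForStoringInConfigFile(stored.ToString(), "md5").ToLowerInvariant();

        // Ordinal comparison: the digest is machine data, not user text.
        // NOTE(review): the token is not consumed on success, so the same digest is
        // accepted repeatedly until the page rotates it; a single-use scheme would
        // remove the session entry here and rely on the next page load to reissue.
        bool matches = posted != null && string.Equals(posted, expected, StringComparison.Ordinal);

        context.Response.Write(matches ? SuccessJson : MismatchJson);
        // A plain return replaces Response.End(): End() aborts the worker thread with a
        // ThreadAbortException, and nothing further is written in any branch.
    }

    /// <summary>False: the handler relies on per-request session state.</summary>
    public bool IsReusable
    {
        get { return false; }
    }
}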
另一种方法：在请求头部加入 token。
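if (!IsPostBack)
{
    // Generate the token: 32 cryptographically random bytes rendered as lowercase hex.
    // The original new Random().NextDouble().ToString() is time-seeded and predictable,
    // which defeats the purpose of an anti-automation token. Hex output contains only
    // [0-9a-f], so it is also safe to splice into the quoted JS literal below.
    byte[] tokenBytes = new byte[32];
    using (System.Security.Cryptography.RandomNumberGenerator rng = System.Security.Cryptography.RandomNumberGenerator.Create())
    {
        rng.GetBytes(tokenBytes);
    }
    string Token = BitConverter.ToString(tokenBytes).Replace("-", string.Empty).ToLowerInvariant();

    // Lowercase key "token" is kept as the original wrote it; the receiving handler
    // reads the request header of the same name and presumably compares against this
    // session value — confirm on the handler side.
    Session["token"] = Token;

    // Inject a jQuery hook so every AJAX request from this page carries the token
    // in a "token" request header.
    System.Web.UI.HtmlControls.HtmlGenericControl script = new System.Web.UI.HtmlControls.HtmlGenericControl("script");
    script.Attributes.Add("type", "text/javascript");
    script.InnerHtml = @"$.ajaxSetup({beforeSend: function (xhr) {xhr.setRequestHeader(""token"", """ + Token + @""");}});";
    Page.Header.Controls.Add(script);
}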
在处理请求的一端直接从请求头获取：string Token = context.Request.Headers["token"];