0
您是否对以下函数类有任何建议改进?ASP.net正确的登录 - 注销类 - 控制登录状态
好怎么在这里我做一个注册会员登录
HttpCookie LoginInfo = new HttpCookie("LoginInfo");
LoginInfo.Values["UserName"] = srUserName;
LoginInfo.Values["Password"] = srPassword;
LoginInfo.Values["selectedLanguage"] = srSelectedLanguage;
Response.Cookies.Add(LoginInfo);
这里我该如何检查访客登录或没有
public static void controlOfLoginStatus()
{
string srQuery = "";
string srUserName = "";
string srPassword = "";
string srLang = "";
if (HttpContext.Current.Session["UserId"] == null)
{
if (HttpContext.Current.Request.Cookies["LoginInfo"] != null)
{
try
{
srUserName = HttpContext.Current.Request.Cookies["LoginInfo"]["UserName"].ToString();
srPassword = HttpContext.Current.Request.Cookies["LoginInfo"]["Password"].ToString();
srLang = HttpContext.Current.Request.Cookies["LoginInfo"]["selectedLanguage"].ToString();
}
catch
{
}
}
string srUserIdTemp = csPublicFunctions.ReturnUserIdUsernamePassword(srUserName, srPassword);
if (srUserIdTemp == "0")
{
HttpContext.Current.Session.Clear();
HttpContext.Current.Session.Abandon();
HttpContext.Current.Response.Redirect("Login");
}
else
{
csPublicFunctions.insertIntoOnlineUsers(srUserIdTemp, HttpContext.Current.Session.SessionID);
HttpContext.Current.Session["UserId"] = srUserIdTemp;
if (HttpContext.Current.Session["lang"] == null)
HttpContext.Current.Session["lang"] = srLang;
}
}
srQuery = "SELECT UserId " +
" FROM BannedUsers" +
" WHERE UserId = " + HttpContext.Current.Session["UserId"].ToString();
using (DataTable dtTemp = DbConnection.db_Select_DataTable(srQuery))
{
if (dtTemp.Rows.Count > 0)
{
HttpContext.Current.Response.Redirect("exit.aspx");
}
}
}
这里我如何注销
public static void exitLogout()
{
string srQuery = "delete from OnlineUsers where UserId=" + HttpContext.Current.Session["UserId"].ToString();
DbConnection.db_Update_Delete_Query(srQuery);
try
{
HttpContext.Current.Session["UserId"] = "0";
HttpContext.Current.Session.Clear();
HttpContext.Current.Session.Abandon();
}
catch
{
}
try
{
HttpCookie LoginInfo = new HttpCookie("LoginInfo");
LoginInfo.Values["UserName"] = "21412zxcvzxc343245243vvc";
LoginInfo.Values["Password"] = "21412zxcvzxc343245243vvc";
LoginInfo.Values["selectedLanguage"] = "en";
HttpContext.Current.Response.Cookies.Add(LoginInfo);
}
catch
{
}
}
csPublicFunctions.ReturnUserIdUsernamePassword
使用参数化查询,所以没有可能的SQL注入风险
你有可能SQL注入你的'UserID = x' where子句。任何时候你使用字符串连接进行查询,如果你没有正确地转义你的值,你就会冒SQL注入的风险。我不建议将用户的用户名和密码存储在cookie中,您可以存储授权令牌,而不在其中包含任何个人身份信息。这个问题可能更适合http://codereview.stackexchange.com。你也有尝试/抓住,但抓住每一个例外,什么都不做,这也是不好的形式。 – Matthew
@Matthew谢谢你的推荐。会话userid变量在分配之前总是检查为整数和有效。所以没有可能,除非他们能够破解服务器并改变会话。 – MonsterMMORPG
这可能是一个更好的习惯,总是使用准备好的语句。 – Matthew