在ASP.NET中创建安全的web站点

<?xml version="1.0" encoding="utf-8" ?> <configuration>   

<system.web>   

<!-- 动态调试编译 设置 compilation debug="true" 以将调试符号（.pdb 信息） 插入到编译页中。因为这将创建执行起来 较慢的大文件，所以应该只在调试时将该值设置为 true，而所有其他时候都设置为 false。有关更多信息，请参考有关 调试 ASP.NET 文件的文档。 --> <compilation defaultLanguage="vb" debug="true" /> <!-- 自定义错误信息 设置 customErrors mode="On" 或 "RemoteOnly"

以启用自定义错误信息，或设置为 "Off" 以禁用自定义错误信息。 为每个要处理的错误添加 <error> 标记。 --> <customErrors mode="RemoteOnly" /> <!-- 身份验证 此节设置应用程序的身份验证策略。可能的模式是 /“Windows/”、 /“Forms/”、/“Passport/”和 /“None/” --> <authentication mode="Windows" />     <!-- 授权 此节设置应用程序的授权策略。可以允许或拒绝用户或角色访问 应用程序资源。通配符："*" 表示任何人，"?" 表示匿名 （未授权的）用户。 --> <authorization> <allow users="*" /> <!-- 允许所有用户 --> <!-- <allow users="[逗号分隔的用户列表]" roles="[逗号分隔的角色列表]"/> <deny users="[逗号分隔的用户列表]" roles="[逗号分隔的角色列表]"/> --> </authorization> <!-- 应用程序级别跟踪记录 应用程序级别跟踪在应用程序内为每一页启用跟踪日志输出。 设置 trace enabled="true" 以启用应用程序跟踪记录。如果 pageOutput="true"，则 跟踪信息将显示在每一页的底部。否则，可以通过从 Web 应用程序 根浏览 "trace.axd" 页来查看 应用程序跟踪日志。 --> <trace enabled="false" requestLimit="10" pageOutput="false"

traceMode="SortByTime" localOnly="true" />     <!-- 会话状态设置 默认情况下，ASP.NET 使用 cookie 标识哪些请求属于特定的会话。 如果 cookie 不可用，则可以通过将会话标识符添加到 URL 来跟踪会话。 若要禁用 cookie，请设置 sessionState cookieless="true"。 --> <sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;user id=sa;password=" cookieless="false" timeout="20" />

<!-- 全球化 此节设置应用程序的全球化设置。 --> <globalization requestEncoding="utf-8" responseEncoding="utf-8" /> </system.web> </configuration> 

<authentication mode="Forms"> <forms name="yourAuthCookie" loginUrl="login.aspx" protection="All" path="/" /> </authentication> <authorization> <deny users="?" /> </authorization>

<location path="test.aspx"> <system.web> <authorization> <allow users="?" /> </authorization> </system.web> </location>

<%@ Page language="c#" Codebehind="login.aspx.cs" AutoEventWireup="false" Inherits="secure.login" %> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" > <HTML> <HEAD> <title>Secure Site</title> <meta content="Microsoft Visual Studio 7.0" name="GENERATOR"> <meta content="C#" name="CODE_LANGUAGE"> <meta content="javascript" name="vs_defaultClientScript"> <meta content="http://schemas.microsoft.com/intellisense/ie5" name="vs_targetSchema"> </HEAD> <body MS_POSITIONING="GridLayout"> <form id="login" method="post" runat="server"> <table cellSpacing="0" cellPadding="0" border="0"> <tr> <td vAlign="top" align="left"> <asp:label id="Message" Runat="server" ForeColor="#ff0000"> </asp:label> </td> </tr> <tr> <td vAlign="top" align="left"> <b>E-mail:</b> </td> </tr> <tr> <td vAlign="top" align="left"> <asp:textbox id="username" Runat="server" Width="120"> </asp:textbox> </td> </tr> <tr> <td vAlign="top" align="left"> <b>Password:</b> </td> </tr> <tr> <td vAlign="top" align="left"> <asp:textbox id="password" Runat="server" Width="120" TextMode="Password"> </asp:textbox> </td> </tr> <tr> <td vAlign="top" align="left"> <asp:checkbox id="saveLogin" Runat="server" Text="<b>Save my login</b>"> </asp:checkbox> </td> </tr> <tr> <td vAlign="top" align="right"> <asp:imagebutton id="btnLogin" Runat="server" ImageUrl="/images/w2k/login/btnLogin.gif"> </asp:imagebutton> </td> </tr> </table> </form> </body> </HTML>

private void InitializeComponent() { this.btnLogin.Click += new System.Web.UI.ImageClickEventHandler(this.btnLogin_Click); . . . }

private void btnLogin_Click(object sender, System.Web.UI.ImageClickEventArgs e) { CCommonDB sql = new CCommonDB(); string redirect = ""; if((redirect = sql.AuthenticateUser(this.Session, this.Response, username.Text, password.Text, saveLogin.Checked)) != string.Empty) { // Redirect the user Response.Redirect(redirect); } else { Message.Text = "Login Failed!"; } }

CCommonDB.cs namespace secure.Components { public class CCommonDB : CSql { public CCommonDB() : base() { } public string AuthenticateUser( System.Web.SessionState.HttpSessionState objSession, // Session Variable System.Web.HttpResponse objResponse, // Response Variable string email, // Login string password, // Password bool bPersist // Persist login ) { int nLoginID = 0; int nLoginType = 0; // Log the user in Login(email, password, ref nLoginID, ref nLoginType); if(nLoginID != 0) // Success { // Log the user in System.Web.Security.FormsAuthentication.SetAuthCookie(nLoginID.ToString(),

bPersist); // Set the session varaibles objSession["loginID"] = nLoginID.ToString(); objSession["loginType"] = nLoginType.ToString(); // Set cookie information incase they made it persistant System.Web.HttpCookie wrapperCookie = new System.Web.HttpCookie("wrapper"); wrapperCookie.Value = objSession["wrapper"].ToString(); wrapperCookie.Expires = DateTime.Now.AddDays(30); System.Web.HttpCookie lgnTypeCookie = new System.Web.HttpCookie("loginType"); lgnTypeCookie.Value = objSession["loginType"].ToString(); lgnTypeCookie.Expires = DateTime.Now.AddDays(30); // Add the cookie to the response objResponse.Cookies.Add(wrapperCookie); objResponse.Cookies.Add(lgnTypeCookie); return "/candidate/default.aspx"; } case 1: // Admin Login { return "/admin/default.aspx"; } case 2: // Reporting Login { return "/reports/default.aspx"; } default: { return string.Empty; } } } else { return string.Empty; } } /// <summary> /// Verifies the login and password that were given /// </summary> /// <param name="email">the login</param> /// <param name="password">the password</param> /// <param name="nLoginID">returns the login id</param> /// <param name="nLoginType">returns the login type</param> public void Login(string email, string password, ref int nLoginID,

ref int nLoginType) { ResetSql(); DataSet ds = new DataSet(); // Set our parameters SqlParameter paramLogin = new SqlParameter("@username", SqlDbType.VarChar, 100); paramLogin.Value = email; SqlParameter paramPassword = new SqlParameter("@password", SqlDbType.VarChar, 20); paramPassword.Value = password; Command.CommandType = CommandType.StoredProcedure; Command.CommandText = "glbl_Login"; Command.Parameters.Add(paramLogin); Command.Parameters.Add(paramPassword); Adapter.TableMappings.Add("Table", "Login"); Adapter.SelectCommand = Command; Adapter.Fill(ds); if(ds.Tables.Count != 0) { DataRow row = ds.Tables[0].Rows[0]; // Get the login id and the login type nLoginID = Convert.ToInt32(row["Login_ID"].ToString()); nLoginType = Convert.ToInt32(row["Login_Type"].ToString()); } else { nLoginID = 0; nLoginType = 0; } } } abstract public class CSql { private SqlConnection sqlConnection; // Connection string private SqlCommand sqlCommand; // Command private SqlDataAdapter sqlDataAdapter; // Data Adapter private DataSet sqlDataSet; // Data Set

public CSql() { sqlConnection = new SqlConnection(ConfigurationSettings.AppSettings

["ConnectionString"]); sqlCommand = new SqlCommand(); sqlDataAdapter = new SqlDataAdapter(); sqlDataSet = new DataSet(); sqlCommand.Connection = sqlConnection; } /// <summary> /// Access to our sql command /// </summary> protected SqlCommand Command { get { return sqlCommand; } } /// <summary> /// Access to our data adapter /// </summary> protected SqlDataAdapter Adapter { get { return sqlDataAdapter; } } /// <summary> /// Makes sure that everything is clear and ready for a new query /// </summary> protected void ResetSql() { if(sqlCommand != null) { sqlCommand = new SqlCommand(); sqlCommand.Connection = sqlConnection; } if(sqlDataAdapter != null) sqlDataAdapter = new SqlDataAdapter(); if(sqlDataSet != null) sqlDataSet = new DataSet(); } /// <summary> /// Runs our command and returns the dataset /// </summary> /// <returns>the data set</returns> protected DataSet RunQuery() { sqlDataAdapter.SelectCommand = Command; sqlConnection.Open(); sqlConnection.Close(); sqlDataAdapter.Fill(sqlDataSet); return sqlDataSet; } } }