如何防止用户直接在ASP.Net MVC 5中访问某些URL [英] How to prevent user from accessing certain URL directly in ASP.Net MVC 5

问题描述

好，所以我正在通过做一些小项目来学习ASP.Net MVC 5.我正在实现忘记密码功能.这是流程:

Ok, So I am learning ASP.Net MVC 5 by doing small projects. I am implementing forgot password functionality. Here is the flow:

1. 用户点击会忘记密码链接.
2. 重定向到用户输入电子邮件的页面.
3. 接收令牌并重定向到页面以输入接收到的令牌
4. 被重定向到密码"和确认密码"页面

现在，所有这些页面都有各自的URL，并且页面应按此顺序打开.但是，如果在浏览器链接中键入第3步(输入令牌)或第4步URL(输入新密码)所需的URL，则可以打开相应的页面.但是我不想要那样.如果某人未遵循步骤1-4，那么他们将无法直接打开任何乱序URL.如何实现上述功能.

Now all these pages have their separate URL and pages should open in that order. But If I type the URL which is required for may be 3rd step (enter the token) or URL of 4th Step (enter the new password) in my browser link I can open the corresponding page. But I do not want that. If someone is not following steps 1 to 4 then they cannot directly open any out of sequence URL. How to achieve above functionality.

注意:如果我们向控制器操作添加[Authorize]属性，则无论我们在浏览器中访问哪个URL，我们总是会重定向到登录页面(假设尚未登录).我可以实现上述目标吗?因此，如果有人尝试直接打开/VerifyToken页面，则应将其重定向到页面/SendEmailForReceiveingToken.

Note: If we add a [Authorize] attribute to our controller action then no matter which URL we access in browser we always get redirected to login page (provided not already logged in). Can I achieve something like above. So, if someone tries to open /VerifyToken Page directly then he should be redirected to page /SendEmailForReceiveingToken .

编辑1

好，这是东西.为了识别合适的人，我正在使用令牌.但是为了检查数据库中的令牌字段，我想唯一地认识用户.为此，我正在使用电子邮件ID.因此，基本上，我使用电子邮件ID查询数据库以查找用户，然后检查该行中设置的令牌.但是，如果有人直接去验证令牌，那么我将无法知道他的电子邮件ID.到目前为止，我正在token page和resetpassword page

Ok, Here is the thing. In order to identify the right person, I am using the token. But in order to check the token field in my Database I want to uniquely know the user. For that I am utilizing the email Id. So basically I query the DB with email ID to find the user and then check the token set in that row. But if someone directly goes to verify token, then I will not be able to know his email Id. As of now I am passing the email as hidden field among token page and resetpassword page

编辑2 因此，在12:00 AM，用户获得了令牌.但是他没有继续使用重置密码". 2分钟后，他来了，直接进入/VerifyToken页面并输入令牌.因此，现在我无权访问电子邮件ID.我现在如何验证令牌.我不想查询整个令牌列并匹配相应的行.

EDIT 2 So at 12:00 AM user got the token. But he did not go ahead with the "Reset Password". He comes after 2 mins and directly goes to /VerifyToken page and enters the token. So now I do not have access to the email id. How can I verify the token now. I do not want to query entire token column and match the corresponding row.

推荐答案

假设您的令牌实际上是唯一的，那么您实际上不需要知道用户的电子邮件地址/用户名.令牌充当用户记录的(临时)唯一ID，因此您只需在输入新密码"视图中保留该令牌，然后在重置逻辑中使用该令牌即可:

Assuming your tokens are actually unique, you don't actually need to know the email address / user name for the user. The token acts as a (temporary) unique ID for a user record, so you can just persist that token within the "enter your new password" view, and use that within your reset logic:

public bool UpdatePasswordForToken(string token, string newPassword)
{
    bool success = false;

    var user = Context.Users.SingleOrDefault(u => u.ResetToken.Equals(token, StringComparison.OrdinalIgnoreCase));
    if (user != null)
    {
        var password = Crypto.HashPassword(newPassword);
        if (!string.IsNullOrWhiteSpace(password))
        {
            user.Password = password;
            user.ResetToken = null;

            Context.SaveChanges();

            success = true;
        }
    }

    return success;
}

这假定您不只是在用户完成密码重置后登录.我重定向到登录页面(带有成功消息).即使有人设法猜测出有效的重置令牌(这意味着令牌并不是唯一的)，他们也需要知道他们刚刚重置了哪个用户名，才能以(现在受到威胁)的用户身份登录.

This assumes that you don't just log the user in when they complete the password reset. I redirect to the login page (with a success message). Even if someone managed to guess a valid reset token (which means the tokens aren't really unique), they would need to know which user name they just reset, in order to log in as the (now compromised) user.

如果仅在工作流程之后才真正对用户进行设置，那么显而易见的答案似乎是检查Request.UrlReferrer值，如果不是要执行此操作的操作，则将该用户从当前操作中退回.不过，UrlReferrer并不是防弹的，因此，我建议像上面提到的那样简化您的工作流程.

If you're really set on a user only following your workflow, the obvious answer seems to be checking the Request.UrlReferrer value, and bouncing the user from the current action if it's not the action you wanted to proceed this action. UrlReferrer isn't bulletproof, though, so I would recommend just simplifying your workflow like I note above.

这篇关于如何防止用户直接在ASP.Net MVC 5中访问某些URL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！