在Web应用程序之间传递ID [英] Passing IDs between web applications

问题描述

我们有几个Web应用程序创建购物车，将其保存到数据库，然后重定向到集中式Web应用程序，以处理和接受购物车的付款。现在，我们将GUID用于购物车ID，并将这些GUID在查询字符串中传递到付款应用程序。我们正在使用GUID，以便用户不能轻易猜到其他用户的购物车ID，并将该ID插入到URL中。

We have several web applications that create a shopping cart, save it to a database, then redirect to a centralized web application to process and accept payment for the shopping cart. Right now, we are using GUIDs for the shopping cart IDs and passing those GUIDs in the querystring to the payment application. We are using GUIDs so that a user cannot easily guess the shopping cart ID of another user and simply plug that ID into the URL.

现在，在数据库中使用GUID URL中的索引和使用GUID不好，不能真正阻止用户访问另一个购物车。然而，使用传递整数会使它变得太容易。

Now, using GUIDs in the database is bad for indexing and using GUIDs in the URL does not truly prevent a user from accessing another cart. However, using passing integers around would make it too easy.

从各个应用程序将ID传递到集中式支付应用程序是最好最安全的方法？

What is the best and most secure way to pass the IDs from the individual applications to the centralized payment application?

我知道有些人可能会说：谁在乎别人想支付别人的购物车？然而，当我们将ID传递到显示收据的页面时，我们也有同样的关注。

I know that some people may say, "Who cares if someone else wants to pay for someone else's shopping cart?" However, we have the same concern when passing IDs to the page that displays the receipt and that page includes the customer's name.

推荐答案

您可以将ID作为整数传递，同时还会带有一个标记，该标记将是Cart ID的一个（密码较强的）哈希值和一个随机的秘密字符串。支付处理器将知道秘密，因此它可以执行哈希本身并进行比较以查看它是否有效。

You could pass the ID as an integer along with a "token" which would be a (cryptographically strong) hash of the cart ID and a random secret string. The payment processor would know the secret so it could perform the hash itself and compare to see if it is valid.

例如，您可以使用以下（未测试的）代码创建令牌：

For example you can use the following (untested) code to create the token:

public static string GenerateHash(long CartID)
{
    string SourceText = CartID.ToString();
    //Salt the source text (secret)
    SourceText += "5E95C91F7F947BD92ACA2CF81C3ADBD9B563839D85EA69F9DEA5A2DC330D0F50";
    //Create an encoding object to ensure the encoding standard for the source text
    UnicodeEncoding Ue = new UnicodeEncoding();
    //Retrieve a byte array based on the source text
    byte[] ByteSourceText = Ue.GetBytes(SourceText);
    //Instantiate an MD5 Provider object
    System.Security.Cryptography.SHA1CryptoServiceProvider SHA1 = new System.Security.Cryptography.SHA1CryptoServiceProvider();
    //Compute the hash value from the source
    byte[] ByteHash = SHA1.ComputeHash(ByteSourceText);
    //And convert it to String format for return, also modify for URL use
    return Convert.ToBase64String(ByteHash).Replace("=", "").Replace("+", "-").Replace("/", "_");
}

传递此功能的结果以及您的购物车ID，因为散列是一个不能逆转的单向函数。在付款处理器上，您可以在传递的购物车ID中调用相同的功能，并将其与令牌进行比较。

Pass the result of this function, along with your cart ID, since a hash is a one-way function that cannot be reversed. On the payment processor you would call the same function on the passed in cart ID and compare it to the token.

这将防止篡改查询字符串，但允许您使用整数。

This will prevent tampering with the query string yet allow you to use integers.

这篇关于在Web应用程序之间传递ID的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！