我们最近完全重写了我们的 ASP.NET 2.0 Web Forms 网站,它现在是一个 MVC 4.0 网站。我们遇到了创建虚假帐户的问题。当我查看我的 IIS 日志时,IP 地址大多来自中国。我们的 ASP.NET 2.0 Web Forms 网站从未经历过任何虚假帐户被创建,所以我想知道我是否做错了什么,突然得到了这么多。下面是我们帐户注册页面的精简版,以说明我在做什么......
控制器
<RequireHttps()>
Function Register() As ActionResult
Dim ad As New AccountDetails
Return View("AccountDetails", ad)
End Function
<RequireHttps()>
<ValidateAntiForgeryToken()>
Function Register(model As AccountDetails) As ActionResult
If ModelState.IsValid Then
If Not String.IsNullOrEmpty(model.FormValue1) OrElse Not String.IsNullOrEmpty(model.FormValue2) Then
' Add Code here to display an error
Else
Dim SerialNo As Integer = AccountDetailsRepository.InsertRecord(model)
If SerialNo > 0 Then
Dim Roles As String = "Standard"
FormsAuthentication.Initialize()
Dim fat As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, model.FirstName + " " + model.Surname, DateTime.Now, DateTime.Now.AddMinutes(FormsAuthentication.Timeout.TotalMinutes), False, Roles, FormsAuthentication.FormsCookiePath)
Response.Cookies.Add(New HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(fat)))
Return RedirectToAction("Account")
Else
' Add code here to display an account error
End If
End If
End If
Return View("AccountDetails", model)
End Function
看法
@ModelType User.AccountDetails
<div class="Account">
<h1 class="PageTitle">Register</h1>
<div class="AccountDetails">
<p class="PageHeader">Please enter your account details</p>
@Using Html.BeginForm()
@Html.AntiForgeryToken()
@Html.ValidationSummary(True, "Please correct the following errors:-", New With {.id = "AccountDetailsValidationSummary", .class = "TopValidationSummary"})
@<div class="AccountDetailsContainer">
@Html.TextBoxFor(Function(model) model.FormValue1, New With {.id = "FormValue1"})
@Html.HiddenFor(Function(model) model.FormValue2, New With {.id = "FormValue2"})
<fieldset id="NameGroup" class="FieldGroup">
<legend>Name</legend>
<div class="FieldRow">
<label for="FirstName" class="FieldLabel">First Name</label>
@Html.TextBoxFor(Function(model) model.FirstName, New With {.autocomplete = "off", .class = "Field", .id = "FirstName", .MaxLength = 25})
@Html.ValidationMessageFor(Function(model) model.FirstName)
</div>
<div class="FieldRow">
<label for="Surname" class="FieldLabel">Surname</label>
@Html.TextBoxFor(Function(model) model.Surname, New With {.autocomplete = "off", .class = "Field", .id = "Surname", .MaxLength = 25})
@Html.ValidationMessageFor(Function(model) model.Surname)
</div>
</fieldset>
<fieldset id="AddressGroup" class="FieldGroup">
<legend>Address</legend>
<div class="FieldRow">
<label for="Address1" class="FieldLabel">Address 1</label>
@Html.TextBoxFor(Function(model) model.Address1, New With {.autocomplete = "off", .class = "Field", .id = "Address1", .MaxLength = 50})
@Html.ValidationMessageFor(Function(model) model.Address1)
</div>
<div class="FieldRow">
<label for="Address2" class="FieldLabel">Address 2</label>
@Html.TextBoxFor(Function(model) model.Address2, New With {.autocomplete = "off", .class = "Field", .id = "Address2", .MaxLength = 50})
</div>
<div class="FieldRow">
<label for="Address3" class="FieldLabel">City</label>
@Html.TextBoxFor(Function(model) model.City, New With {.autocomplete = "off", .class = "Field", .id = "Address3", .MaxLength = 35})
@Html.ValidationMessageFor(Function(model) model.City)
</div>
<div class="FieldRow">
<label for="Address4" class="FieldLabel DropDown">State</label>
@Html.TextBoxFor(Function(model) model.State, New With {.autocomplete = "off", .class = "Field", .id = "Address4", .MaxLength = 4})
@Html.ValidationMessageFor(Function(model) model.State)
</div>
<div id="PostcodeContainer" @(If(Not Model.International, Html.Raw("style=""display: block;"""), Html.Raw("style=""display: none;""")))>
<label for="PostCode" class="FieldLabel">Zip Code</label>
@Html.TextBoxFor(Function(model) model.PostCode, New With {.autocomplete = "off", .class = "Field", .id = "PostCode", .MaxLength = 15})
@Html.ValidationMessageFor(Function(model) model.PostCode)
</div>
</fieldset>
<fieldset id="ContactDetailsGroup" class="FieldGroup">
<legend>Contact Details</legend>
<div class="FieldRow">
<label for="Email" class="FieldLabel">E-mail</label>
@Html.TextBoxFor(Function(model) model.Email, New With {.autocomplete = "off", .class = "Field", .id = "Email", .MaxLength = 100})
@Html.ValidationMessageFor(Function(model) model.Email)
</div>
<div class="FieldRow">
<label for="ConfirmEmail" class="FieldLabel">Confirm E-mail</label>
@Html.TextBoxFor(Function(model) model.ConfirmEmail, New With {.autocomplete = "off", .class = "Field", .id = "ConfirmEmail", .MaxLength = 100})
@Html.ValidationMessageFor(Function(model) model.ConfirmEmail)
</div>
<div class="FieldRow">
<label for="TelNo1" class="FieldLabel">Tel No</label>
@Html.TextBoxFor(Function(model) model.TelNo1, New With {.autocomplete = "off", .class = "Field", .id = "TelNo1", .MaxLength = 25})
@Html.ValidationMessageFor(Function(model) model.TelNo1)
</div>
</fieldset>
<fieldset id="PasswordGroup" class="FieldGroup">
<legend>Password</legend>
<div class="FieldRow">
<label class="FieldLabel" for="WebPassword">Password</label>
@Html.PasswordFor(Function(model) model.WebPassword, New With {.autocomplete = "off", .class = "Field", .id = "WebPassword", .MaxLength = 25})
@Html.ValidationMessageFor(Function(model) model.WebPassword)
</div>
<div class="FieldRow">
<label class="FieldLabel" for="ConfirmWebPassword">Confirm Password</label>
@Html.PasswordFor(Function(model) model.ConfirmWebPassword, New With {.autocomplete = "off", .class = "Field", .id = "ConfirmWebPassword", .MaxLength = 25})
@Html.ValidationMessageFor(Function(model) model.ConfirmWebPassword)
</div>
</fieldset>
</div>
@<div class="ButtonBar">
<input type="submit" name="SubmitValue" class="SubmitButton" value="Create Account" id="AccountDetailsSaveDetailsButton" />
</div>
End Using
</div>
</div>
我的布局视图包含 jQuery 脚本,并且我也在客户端使用不显眼的验证。
如上所示,我尝试了一些事情:- 1. 添加 AntiForgeryToken。2. 添加一个名为 FormValue1 的文本框,我用 CSS 将其隐藏。3. 添加一个名为 FormValue2 的隐藏字段。
FormValue1 和 FormValue2 我检查它们是否已被填写。作为用户应该无法看到这些,如果它们已被填写,我认为这是某种自动破解并且不注册帐户。
我可以考虑诸如 reCAPTCHA 之类的事情,但我只是想尝试找出我是否做错了什么,特别是因为这个问题似乎只是从我们的 MVC 4.0 网站开始,并且在 ASP.NET 2.0 Web 表单中没有遇到这个问题.
我能做些什么来改善这一点?