我正在使用 Ajax 发布方法,但不知道这些方法是否安全。我担心 Ajax 的安全性。下面的代码如何保护我的应用程序。我使用了普通的帖子形式,AntiForgeryToken
有没有像 ajax 这样的。
Javascript:
$(function() {
var btn = $('.alignleft').find('input[name=loginbutton]');
btn.click(function() {
$.post("/profile/login", { us: $('#User').val(), pw: $('#Pass').val(), ajaxForm: true },
function(result) {
if (result == "empty")
noty({ text: 'Şifre ve kullanıcı bilgilerinizi girin', type: 'information' });
else if (result == "wrong")
noty({ text: 'Kullanıcı adı/eposta veya şifre yanlış.', type: 'warning' });
else if (result == "blok") {
noty({ text: 'Tekrar eden yanlış denemelerden dolayı sisteme girişiniz 15 dk. engellendi.', type: 'error' });
$('#dialog').delay(2000).fadeOut(200);
$('#dialog-mask').delay(1000).removeClass('dialogmask');
} else if (result == "ok") {
$('#dialog').fadeOut(1000);
$('#dialog-mask').removeClass('dialogmask');
var url = '/';
location.href = url;
} else if (result == "ban") {
location.href = '/error/banned';
}
});
return false;
});
});
ActionResult 正在返回 JSON 数据
[HttpPost]
[OnlyAjaxRequest]
public ActionResult Login(string pw, string us)
{
if (Request == null || !Request.IsAjaxRequest())
return RedirectToAction("c404", "error");
if (!AuthFail.CheckInvalidCount(us.Trim()))
{
return Json(new[] { "blok" });
}
if (string.IsNullOrEmpty(pw) || string.IsNullOrEmpty(us))
{
return Json(new[] { "empty" });
}
try
{
var ps = GetSha1(pw);
var loginUser = (from s in _member.UserProfiles
where ((s.Password == ps) && (s.Username == us || s.Email == us))
select s).FirstOrDefault();
if (loginUser != null)
{
if (loginUser.Status == 0)
{
return Json(new[] {"ban"});
}
AuthFail.Clear(us.Trim());
Session["___profile___"] = loginUser;
return Json(new[] { "ok" });
}
AuthFail.IncreaseInvalidCount(us.Trim());
return Json(new[] { "wrong" });
}
catch { }
return RedirectToAction("c404", "error");
}