
In that article it says: "Email confirmation is useful because it prevents the creation of fake accounts." But if I look at the code, the user account is always created before the email confirmation process.

Suppose some hacker registers thousands of fake users; how does ASP.NET Identity 2.0 handle this?

    //
    // POST: /Account/Register
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Register(RegisterViewModel model)
    {
        if (ModelState.IsValid)
        {
            var user = new ApplicationUser { UserName = model.Email, Email = model.Email };

            // THE USER ALWAYS GETS CREATED HERE:
        var result = await UserManager.CreateAsync(user, model.Password);

            if (result.Succeeded)
            {
                var code = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);
                var callbackUrl = Url.Action("ConfirmEmail", "Account", new { userId = user.Id, code = code }, protocol: Request.Url.Scheme);
                await UserManager.SendEmailAsync(user.Id, "Confirm your account", "Please confirm your account by clicking this link: <a href=\"" + callbackUrl + "\">link</a>");
                ViewBag.Link = callbackUrl;
                return View("DisplayEmail");
            }
            AddErrors(result);
        }

        // If we got this far, something failed, redisplay form
        return View(model);
    }

1 Answer


The wording in that article isn't entirely accurate. It is up to the application to decide how to handle unconfirmed users. For example, the application could run some kind of background task that purges unconfirmed users after 30 days or so.

answered 2014-04-28T19:02:07.230
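One way to implement the cleanup the answer describes, as an added example that is not part of the original question, answer or the ASP.NET Identity template: it assumes the template's `ApplicationUser` is extended with a `CreatedAt` timestamp (the stock `IdentityUser` records no creation time, so there is nothing to age accounts by without it), that the `Register` action sets it (`new ApplicationUser { UserName = model.Email, Email = model.Email, CreatedAt = DateTime.UtcNow }`), and that the corresponding EF migration has been applied. `UnconfirmedUserCleanup` and `PurgeAsync` are names chosen here, not Identity API; `EmailConfirmed`, `UserManager<TUser>.DeleteAsync` and `IdentityDbContext<TUser>.Users` are real Identity 2.0 / EF6 members.

```csharp
using System;
using System.Data.Entity;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// ASSUMPTION: the template's ApplicationUser is extended with a CreatedAt
// timestamp so unconfirmed accounts can be aged. The Register action must
// populate it when it constructs the user.
public class ApplicationUser : IdentityUser
{
    public DateTime CreatedAt { get; set; }
}

public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext()
        : base("DefaultConnection", throwIfV1Schema: false)
    {
    }
}

// Hypothetical helper (not part of Identity) that a scheduled job would call.
public static class UnconfirmedUserCleanup
{
    // Deletes accounts whose e-mail was never confirmed within the grace
    // period (e.g. 30 days, as the answer suggests). Returns the number removed.
    public static async Task<int> PurgeAsync(TimeSpan gracePeriod)
    {
        var cutoff = DateTime.UtcNow - gracePeriod;

        using (var db = new ApplicationDbContext())
        using (var userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(db)))
        {
            // EmailConfirmed is the flag that ConfirmEmailAsync flips to true
            // when the token from the callback URL is redeemed; for fake
            // sign-ups it stays false forever.
            var stale = await db.Users
                .Where(u => !u.EmailConfirmed && u.CreatedAt < cutoff)
                .ToListAsync();

            var removed = 0;
            foreach (var user in stale)
            {
                // Deleting through UserManager keeps the operation inside the
                // same Identity API the Register action used to create the row.
                var result = await userManager.DeleteAsync(user);
                if (result.Succeeded)
                {
                    removed++;
                }
            }

            return removed;
        }
    }
}
```

Invoke it as `await UnconfirmedUserCleanup.PurgeAsync(TimeSpan.FromDays(30))` from whatever scheduler the deployment already has; running it from a process outside the web application is more reliable than a timer inside the site, because IIS recycles the application pool and any in-process background work with it. Note that this only limits how long bogus rows live; it does not stop the `Register` action from creating them in the first place, so it complements rather than replaces throttling of the registration endpoint.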