1

This thing is really a show stopper. I've been thinking about event validation and whether it is really necessary. I am looking into ways to avoid event validation for building a webservice-JavaScript oriented page where dropdownlists are loaded based on webservice data. I could disable event validation for the page, but I would like some insights (mostly how you think they might do it) as to how biggies like Google, Yahoo perform such validations. These organizations are hugely public based and use web services for almost all their services, and rely heavily on Ajax for making their things simpler.

How should I validate the post values in the case event validation is disabled?

4

1 Answer

2

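Event validation ensures that any event fired on the page could legitimately have occurred from the state of the page when it was loaded. For example, if a button fires a Click event, it uses a hashing algorithm to check that the button existed in the HTML output of the original page.

Event validation works by combining a hash of the control's UniqueID property with a hash of each legal value for that control.

These hashes are stored on the page in a field named `__EVENTVALIDATION`.

This is a fail-safe mechanism provided by ASP.NET Web Forms, and it is not necessary as long as you code your application correctly in a stateless manner. For example, if your application only allows certain users to delete an article, your delete button event handler had better check that the user still has permission to delete that article at the time it fires. Do not rely on the fact that the Button Click event fired to assume that the user has permission.

Apply this principle to all inputs to your application. Manually check that the values passed from drop-down lists, radio buttons, check boxes and so on are valid for the current page and for the state of the user's session, and do not rely on the ASP.NET event architecture to validate user input. When you are sure of this, you can safely turn off event validation.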

answered 2012-02-28T17:26:17.850
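The manual check described in the answer above, as an added example that is not part of the original answer: a Web Forms code-behind for a page with event validation disabled, where the city list is filled in the browser from a web service. The control names (`ddlCountry`, `ddlCity`, `lblStatus`), the `OrderEditor` role and the lookup table are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web.UI;

// Hypothetical code-behind; the .aspx is assumed to declare
// EnableEventValidation="false" and the controls ddlCountry, ddlCity, lblStatus.
public partial class OrderPage : Page
{
    // Constructed stand-in for the same server-side data the web service returns.
    private static readonly Dictionary<string, HashSet<string>> CitiesByCountry =
        new Dictionary<string, HashSet<string>>(StringComparer.Ordinal)
        {
            { "NL", new HashSet<string>(StringComparer.Ordinal) { "AMS", "RTM" } },
            { "DE", new HashSet<string>(StringComparer.Ordinal) { "BER", "MUC" } }
        };

    // True only if the server would have offered this city for this country.
    internal static bool IsOfferedCity(string country, string city)
    {
        HashSet<string> cities;
        return country != null && city != null
            && CitiesByCountry.TryGetValue(country, out cities)
            && cities.Contains(city);
    }

    protected void btnSave_Click(object sender, EventArgs e)
    {
        // Re-check authorization when the handler fires, not when the page rendered.
        if (!User.Identity.IsAuthenticated || !User.IsInRole("OrderEditor"))
        {
            Response.StatusCode = 403;
            return;
        }

        // Items added client-side are not in ViewState, so SelectedValue does not
        // reflect them; read the raw posted values by each control's UniqueID.
        string country = Request.Form[ddlCountry.UniqueID];
        string city = Request.Form[ddlCity.UniqueID];

        // Validate the pair against server-side data, never against the posted page.
        if (!IsOfferedCity(country, city))
        {
            lblStatus.Text = "Invalid selection.";
            return;
        }

        // Both values matched the allow-list, so they are safe to use and echo.
        lblStatus.Text = "Saved " + country + "/" + city;
    }
}
```

The city is checked against the posted country, so a value that is legal for one parent selection is still rejected when paired with another.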