ASP.MVC当URL跳转时候参数的安全性
一个页面跳转到另外一个页面时，直接把业务参数明文写在 URL 上并不安全：URL 会留在浏览器历史、服务器和代理的访问日志以及 Referer 头里，而且像 id=5381 这样的值很容易被猜到或者改成别人的，比如 http://XXXXXXXXXXX/meeting/shakeGroup?id=5381&uid=o0En_sj1J0bFgIBMPG37WjWMXpqY
参数 id 和 uid 需要加密后再放进 URL，而且密文必须带完整性校验（MAC），否则只做加密仍然挡不住篡改和重放；服务端拿到解密结果后，还是要校验它确实属于当前登录用户。下面写个简单的例子来实现：
加密类:
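using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web;

namespace CnbLogsProject.Util
{
    /// <summary>
    /// Encrypts and authenticates values that are carried in URL query strings.
    /// </summary>
    /// <remarks>
    /// Replaces the previous DES-CBC scheme (56-bit key, IV equal to the key, no integrity
    /// check, GB2312 decode of UTF-8 plaintext) with AES-256-CBC under a fresh random IV plus
    /// an HMAC-SHA256 tag over IV || ciphertext (encrypt-then-MAC). Output is upper-case hex of
    /// IV(16) || ciphertext || tag(32), so it stays URL-safe exactly like the old format.
    /// Method names and signatures are unchanged; tokens minted by the old DES code are
    /// rejected by the new GetDecryption.
    ///
    /// A token that verifies only proves this application produced it. Anyone who saw the URL
    /// can replay it unchanged, so the receiving action must still check that the decrypted
    /// values belong to the current user.
    /// </remarks>
    public class EnCodeHelper
    {
        // Secret from which the encryption and MAC keys are derived.
        // SECURITY: a short, human-chosen, hard-coded string has very little entropy. Load a
        // random secret of at least 32 bytes from protected configuration (encrypted
        // web.config section, environment, key vault) and rotate it. Kept as a public static
        // string because existing code reads it that way.
        public static string strKeys = "abdfajrtrgjfg";

        private const int KeySize = 32; // AES-256 key and HMAC-SHA256 key, in bytes
        private const int IvSize = 16;  // AES block size, in bytes
        private const int TagSize = 32; // HMAC-SHA256 output, in bytes

        #region key derivation
        /// <summary>
        /// Derives independent encryption and MAC keys from <see cref="strKeys"/>.
        /// </summary>
        /// <param name="encKey">Receives the 32-byte AES key.</param>
        /// <param name="macKey">Receives the 32-byte HMAC key.</param>
        /// <exception cref="InvalidOperationException">strKeys is null or empty.</exception>
        private static void DeriveKeys(out byte[] encKey, out byte[] macKey)
        {
            string secret = strKeys;
            if (string.IsNullOrEmpty(secret))
            {
                throw new InvalidOperationException("EnCodeHelper.strKeys is not configured.");
            }
            // SHA-512 of the labelled secret gives 64 bytes: the first half keys AES, the second
            // half keys the HMAC, so the two never share material. This only separates the keys;
            // it adds no entropy, which is why strKeys itself must be a strong random value.
            byte[] master;
            using (SHA512 sha = SHA512.Create())
            {
                master = sha.ComputeHash(Encoding.UTF8.GetBytes("EnCodeHelper/url-param/v1:" + secret));
            }
            encKey = new byte[KeySize];
            macKey = new byte[KeySize];
            Buffer.BlockCopy(master, 0, encKey, 0, KeySize);
            Buffer.BlockCopy(master, KeySize, macKey, 0, KeySize);
        }
        #endregion

        #region encrypt
        /// <summary>
        /// Encrypts and authenticates <paramref name="strValue"/> for use as a URL parameter.
        /// </summary>
        /// <param name="strValue">Plaintext; any string, encoded as UTF-8 (empty is allowed).</param>
        /// <returns>Upper-case hex of IV || AES-256-CBC ciphertext || HMAC-SHA256 tag.</returns>
        /// <exception cref="ArgumentNullException">strValue is null.</exception>
        /// <exception cref="InvalidOperationException">strKeys is not configured.</exception>
        public static string GetEncryption(string strValue)
        {
            if (strValue == null)
            {
                throw new ArgumentNullException("strValue");
            }
            byte[] encKey, macKey;
            DeriveKeys(out encKey, out macKey);

            byte[] plain = Encoding.UTF8.GetBytes(strValue);

            // Fresh random IV per call: equal plaintexts no longer give equal ciphertexts,
            // and the IV is never the key.
            byte[] iv = new byte[IvSize];
            using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(iv);
            }

            byte[] cipher;
            using (Aes aes = Aes.Create())
            {
                aes.KeySize = KeySize * 8;
                aes.Mode = CipherMode.CBC;
                aes.Padding = PaddingMode.PKCS7;
                aes.Key = encKey;
                aes.IV = iv;
                using (ICryptoTransform encryptor = aes.CreateEncryptor())
                {
                    cipher = encryptor.TransformFinalBlock(plain, 0, plain.Length);
                }
            }

            // Layout: IV || ciphertext || tag, where the tag covers IV || ciphertext.
            byte[] blob = new byte[IvSize + cipher.Length + TagSize];
            Buffer.BlockCopy(iv, 0, blob, 0, IvSize);
            Buffer.BlockCopy(cipher, 0, blob, IvSize, cipher.Length);
            using (HMACSHA256 hmac = new HMACSHA256(macKey))
            {
                byte[] tag = hmac.ComputeHash(blob, 0, IvSize + cipher.Length);
                Buffer.BlockCopy(tag, 0, blob, IvSize + cipher.Length, TagSize);
            }
            return ToHex(blob);
        }
        #endregion

        #region decrypt
        /// <summary>
        /// Verifies and decrypts a value produced by <see cref="GetEncryption"/>.
        /// </summary>
        /// <param name="strValue">Hex string as returned by GetEncryption.</param>
        /// <returns>The original plaintext, decoded as UTF-8.</returns>
        /// <exception cref="ArgumentNullException">strValue is null.</exception>
        /// <exception cref="FormatException">strValue is not an even-length hex string.</exception>
        /// <exception cref="CryptographicException">
        /// The value is too short, has a ciphertext length that is not a whole number of blocks,
        /// or fails the HMAC check (tampered, truncated, minted under another key, or an old
        /// DES-format token).
        /// </exception>
        /// <exception cref="InvalidOperationException">strKeys is not configured.</exception>
        public static string GetDecryption(string strValue)
        {
            if (strValue == null)
            {
                throw new ArgumentNullException("strValue");
            }
            byte[] blob = FromHex(strValue);

            // Need at least IV + one padded AES block + tag, and whole blocks in between.
            // (Both lengths go negative for short input; the first comparison catches that.)
            int bodyLength = blob.Length - TagSize; // IV || ciphertext
            int cipherLength = bodyLength - IvSize;
            if (cipherLength < IvSize || cipherLength % IvSize != 0)
            {
                throw new CryptographicException("Ciphertext has an invalid length.");
            }

            byte[] encKey, macKey;
            DeriveKeys(out encKey, out macKey);

            // Authenticate BEFORE touching the cipher, so padding or decryption errors can
            // never be turned into an oracle against attacker-chosen ciphertext.
            using (HMACSHA256 hmac = new HMACSHA256(macKey))
            {
                byte[] expected = hmac.ComputeHash(blob, 0, bodyLength);
                if (!FixedTimeEquals(expected, blob, bodyLength))
                {
                    throw new CryptographicException("Ciphertext authentication failed.");
                }
            }

            byte[] iv = new byte[IvSize];
            Buffer.BlockCopy(blob, 0, iv, 0, IvSize);
            byte[] plain;
            using (Aes aes = Aes.Create())
            {
                aes.KeySize = KeySize * 8;
                aes.Mode = CipherMode.CBC;
                aes.Padding = PaddingMode.PKCS7;
                aes.Key = encKey;
                aes.IV = iv;
                using (ICryptoTransform decryptor = aes.CreateDecryptor())
                {
                    plain = decryptor.TransformFinalBlock(blob, IvSize, cipherLength);
                }
            }
            // Same encoding as GetEncryption; the old code decoded GB2312 and mangled non-ASCII text.
            return Encoding.UTF8.GetString(plain);
        }
        #endregion

        #region helpers
        /// <summary>Upper-case hex ("X2" per byte), the same alphabet the old code emitted.</summary>
        private static string ToHex(byte[] data)
        {
            StringBuilder builder = new StringBuilder(data.Length * 2);
            foreach (byte b in data)
            {
                builder.Append(b.ToString("X2"));
            }
            return builder.ToString();
        }

        /// <summary>
        /// Strict hex decoder: throws <see cref="FormatException"/> on an odd length or any
        /// non-hex character (no "0x" prefix, sign or whitespace tolerated).
        /// </summary>
        private static byte[] FromHex(string hex)
        {
            if (hex.Length % 2 != 0)
            {
                throw new FormatException("Hex string must have an even number of digits.");
            }
            byte[] data = new byte[hex.Length / 2];
            for (int i = 0; i < data.Length; i++)
            {
                char hi = hex[i * 2];
                char lo = hex[i * 2 + 1];
                if (!Uri.IsHexDigit(hi) || !Uri.IsHexDigit(lo))
                {
                    throw new FormatException("Hex string contains a non-hex character.");
                }
                data[i] = (byte)((Uri.FromHex(hi) << 4) | Uri.FromHex(lo));
            }
            return data;
        }

        /// <summary>
        /// Compares <paramref name="expected"/> with the same number of bytes of
        /// <paramref name="buffer"/> starting at <paramref name="offset"/>, visiting every byte
        /// so the time taken does not reveal which byte of the tag differs.
        /// </summary>
        private static bool FixedTimeEquals(byte[] expected, byte[] buffer, int offset)
        {
            int diff = 0;
            for (int i = 0; i < expected.Length; i++)
            {
                diff |= expected[i] ^ buffer[offset + i];
            }
            return diff == 0;
        }
        #endregion
    }
}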
strKeys 为密钥，不应该硬编码在源码里：应放在配置文件（加密过的 web.config 节）或密钥管理服务中，使用至少 32 字节的随机值并定期轮换；例子里的短字符串只是演示用，实际上线不能这么写。
控制器(将A页面的参数加密后暴露给客户端跳转到B页面时候解密):
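/// <summary>
/// Page A: encrypts the parameters page B needs and hands the opaque values to the view.
/// </summary>
/// <returns>The Index view with ViewBag.id / ViewBag.uid set to the encrypted values.</returns>
public ActionResult Index()
{
    // Demo values. In a real page these must come from the authenticated user's session,
    // never from the incoming request, otherwise the "encryption" just launders client input.
    string id = "5381";
    string uid = "o0En_sj1J0bFgIBMPG37WjWMXpqY";
    ViewBag.id = EnCodeHelper.GetEncryption(id);
    ViewBag.uid = EnCodeHelper.GetEncryption(uid);
    return View();
}

/// <summary>
/// Page B: decrypts the parameters produced by <see cref="Index"/>.
/// </summary>
/// <param name="id">Encrypted id as emitted by EnCodeHelper.GetEncryption.</param>
/// <param name="uid">Encrypted uid as emitted by EnCodeHelper.GetEncryption.</param>
/// <returns>
/// The Home view with ViewBag.id / ViewBag.uid set to the decrypted values, or HTTP 400 when
/// either parameter is missing or cannot be decrypted.
/// </returns>
public ActionResult Home(string id = "", string uid = "")
{
    // The defaults used to flow straight into GetDecryption, which throws on empty input,
    // so a bare /Home/Home was an unhandled exception (HTTP 500).
    if (string.IsNullOrEmpty(id) || string.IsNullOrEmpty(uid))
    {
        return new HttpStatusCodeResult(400, "Missing parameters.");
    }

    string plainId;
    string plainUid;
    try
    {
        plainId = EnCodeHelper.GetDecryption(id);
        plainUid = EnCodeHelper.GetDecryption(uid);
    }
    catch (System.Security.Cryptography.CryptographicException)
    {
        // Same generic answer for every failure mode below: do not let the response tell an
        // attacker whether the hex was malformed, the length was wrong or decryption failed.
        return new HttpStatusCodeResult(400, "Invalid parameters.");
    }
    catch (FormatException)
    {
        return new HttpStatusCodeResult(400, "Invalid parameters.");
    }

    // NOTE(review): successful decryption says nothing about whether THIS client may use these
    // values; anyone who saw the URL can replay it. Before using plainUid/plainId, check they
    // belong to the currently authenticated user (or look them up server-side instead).
    ViewBag.id = plainId;
    ViewBag.uid = plainUid;
    return View();
}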
视图:
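@{ ViewBag.Title = "Index"; }
@*
    Page A. The encrypted id/uid are handed to the browser through an HTML attribute built by
    Url.Action, which URL-encodes each value, and Razor HTML-encodes the attribute. Nothing is
    spliced into JavaScript source any more: the old version concatenated @ViewBag values
    straight into a JS string, which is the wrong encoding context and did no URL-encoding.
*@
<script src="~/Scripts/jquery-1.8.2.min.js"></script>
<button id="re" data-href="@Url.Action("Home", new { id = (string)ViewBag.id, uid = (string)ViewBag.uid })">跳转</button>
<script>
    $(function () {
        $("#re").click(function () {
            location.href = $("#re").attr("data-href");
        });
    });
</script>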
@*
    Page B: renders the decrypted id/uid that the Home action stored in ViewBag.
    NOTE(review): this relies on Razor's automatic HTML-encoding of @-expressions inside
    attribute values to keep the decrypted text from breaking out of the input element.
*@
@{ ViewBag.Title = "Home"; } <input value="@ViewBag.id" /> <input value="@ViewBag.uid"/> <h2>Home</h2>
效果:
加密后的 URL（示例输出，参数已经变成密文的十六进制形式，具体值取决于所用算法和密钥）：http://localhost:63792/Home/Home?id=282D147B1B12BAE3&uid=29732D957DD4EF753BC3E94797D1018D230457174ABD43EF1ED2FEA651E8351E
跳转到B页面后成功解密:
解密结果正好对应上我们开头的那个 URL：
http://XXXXXXXXXXX/meeting/shakeGroup?id=5381&uid=o0En_sj1J0bFgIBMPG37WjWMXpqY
以上就是把参数 id 和 uid 加密并带完整性校验后再通过 URL 传递的简单例子。
当然还有其他很多方法，比如把真正的参数保存在服务端会话里、URL 上只带一个随机且不可猜测的令牌；或者直接用 ASP.NET 自带的 MachineKey.Protect / Unprotect，它本身就带完整性校验，不用自己拼加密和 MAC。