会员系统打通若干问题整理

    // Shared secret appended to the digest in GetSignVeryfy to sign outgoing member data.
    // NOTE(review): a secret hard-coded in source (and reproduced in a public write-up) has to be
    // treated as compromised — move it to protected configuration and rotate it with the peer.
    public string token = "2CA044BC07D9323D02BB04BC533435B8";
    // Remote member-system interface that receives meminfo + sign (+ action) as a query string.
    // NOTE(review): plain http — the member record (phone, name, address) and the signature
    // travel in clear text and can be read or replaced on the wire; the endpoint should be https.
    public string url = "http://www.baidu.com/action/Service.ashx";
    /// <summary>
    /// Demo page handler: signs a sample member record and emits a cross-domain
    /// &lt;script src=...&gt; tag pointing at the remote member interface, so that
    /// the request is issued by the visitor's browser and the remote domain can
    /// set its own cookies there (the approach discussed in note 4 below).
    /// </summary>
    /// <remarks>
    /// The member record is carried in a GET query string, so the personal data
    /// ends up in browser history, proxy/server access logs and Referer headers.
    /// The signature covers only meminfo and carries no timestamp or nonce, so a
    /// captured URL can be replayed unchanged.
    /// </remarks>
    protected void Page_Load(object sender, EventArgs e)
    {
        // Sample member record. gender: 0 = male, 1 = female.
        const string memberJson = "{\"mobile\":\"13699214528\",\"mail\":\"q@163.com\",\"gender\":\"0\",\"birthday\":\"1962-08-02\",\"name\":\"李刚\",\"address\":\"北三环东路\",\"postcode\":\"100065\",\"nickname\":\"小艾\"}";

        // The signature is computed over the raw JSON, before any URL encoding.
        string signature = GetSignVeryfy(memberJson);

        // NOTE(review): meminfo is URL-encoded twice; presumably the peer decodes it
        // twice — confirm against the remote interface's contract.
        string encodedMember = HttpUtility.UrlEncode(HttpUtility.UrlEncode(memberJson));
        string query = "?meminfo=" + encodedMember + "&sign=" + signature + "&action=" + "yangzi";

        // Server-to-server alternative (see note 2): PostWebRequest(url, query, Encoding.GetEncoding("gb2312"));

        // Only constants and a hex digest are interpolated here, so no attribute escaping is needed.
        Response.Write("<script src='" + url + query + "'></script>");
    }
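    /// <summary>
    /// Sends <paramref name="paramData"/> as the body of an HTTP POST
    /// (application/x-www-form-urlencoded) to <paramref name="postUrl"/> and
    /// returns the response body decoded with <paramref name="dataEncode"/>.
    /// </summary>
    /// <param name="postUrl">Absolute URL of the remote interface.</param>
    /// <param name="paramData">Already-encoded form body, e.g. "a=1&amp;b=2".</param>
    /// <param name="dataEncode">Encoding used for both the request body and the response.</param>
    /// <returns>The response body, or <see cref="string.Empty"/> if any step fails.</returns>
    /// <remarks>
    /// Failures are written to <see cref="Trace"/> instead of being thrown, so the
    /// return value alone cannot distinguish an empty response from an error.
    /// The request goes to whatever <paramref name="postUrl"/> says; never let
    /// untrusted input reach it (server-side request forgery). Use an https URL
    /// when the body carries personal data.
    /// </remarks>
    public string PostWebRequest(string postUrl, string paramData, Encoding dataEncode)
    {
        string ret = string.Empty;
        try
        {
            byte[] body = dataEncode.GetBytes(paramData);
            HttpWebRequest webReq = (HttpWebRequest)WebRequest.Create(new Uri(postUrl));
            webReq.Method = "POST";
            webReq.ContentType = "application/x-www-form-urlencoded";
            webReq.ContentLength = body.Length;

            // using-blocks release the request stream, response and reader even when
            // an exception aborts the call; the previous version leaked them on error
            // and closed the request stream twice on success.
            using (Stream requestStream = webReq.GetRequestStream())
            {
                requestStream.Write(body, 0, body.Length);
            }
            using (HttpWebResponse response = (HttpWebResponse)webReq.GetResponse())
            using (StreamReader reader = new StreamReader(response.GetResponseStream(), dataEncode))
            {
                ret = reader.ReadToEnd();
            }
        }
        catch (Exception ex)
        {
            // Best-effort contract kept (empty string on failure), but the failure is
            // no longer silent: an operator can see why the call to the peer failed.
            Trace.TraceError("PostWebRequest to {0} failed: {1}", postUrl, ex);
        }
        return ret;
    }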
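    /// <summary>
    /// Returns the MD5 digest of the UTF-8 bytes of <paramref name="toCryString"/>
    /// as a 32-character upper-case hexadecimal string.
    /// </summary>
    /// <param name="toCryString">Text to hash; must not be null.</param>
    /// <returns>Upper-case hexadecimal MD5 digest.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="toCryString"/> is null.</exception>
    /// <remarks>
    /// Drop-in replacement for the obsolete
    /// FormsAuthentication.HashPasswordForStoringInConfigFile(s, "MD5"), which
    /// hashed the UTF-8 bytes and returned upper-case hex; the output is identical
    /// and the System.Web dependency is gone. MD5 is retained only because the
    /// peer expects it: it is not collision-resistant and, on its own, is not a
    /// message authentication code (see GetSignVeryfy).
    /// </remarks>
    public string MD5(string toCryString)
    {
        if (toCryString == null)
        {
            throw new ArgumentNullException("toCryString");
        }

        byte[] digest;
        // Fully qualified: inside this class the bare name MD5 is this method.
        using (var md5 = System.Security.Cryptography.MD5.Create())
        {
            digest = md5.ComputeHash(Encoding.UTF8.GetBytes(toCryString));
        }

        StringBuilder hex = new StringBuilder(digest.Length * 2);
        foreach (byte b in digest)
        {
            hex.Append(b.ToString("X2"));
        }
        return hex.ToString();
    }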
    /// <summary>
    /// Computes the signature that accompanies <paramref name="inputPara"/>:
    /// MD5( upper(MD5(inputPara)) + token ), returned as upper-case hex.
    /// </summary>
    /// <param name="inputPara">The raw (not URL-encoded) member JSON string.</param>
    /// <returns>32-character upper-case hexadecimal signature.</returns>
    /// <remarks>
    /// This is an ad hoc keyed hash, not a standard MAC: the value is fully
    /// determined by the input (no timestamp or nonce, so a captured meminfo+sign
    /// pair can be replayed) and it relies on MD5, for which collisions are
    /// practical. A new integration should agree HMAC-SHA256 over the parameters
    /// plus a timestamp/nonce with the peer; the present form is presumably kept
    /// because the remote side verifies exactly this construction.
    /// </remarks>
    public string GetSignVeryfy(string inputPara)
    {
        string innerDigest = MD5(inputPara).ToUpper();
        string signature = MD5(innerDigest + token);
        return signature.ToUpper();
    }

 

1、接口安全性问题

对传递的参数信息进行签名认证,签名中应加入时间戳或随机数(nonce)以防止请求被重放;可对接口访问的引用地址(Referer)进行校验,但引用地址由客户端提供、可被篡改,只能作为辅助手段,不能作为唯一的防护措施。

2、如果是纯后台(服务器到服务器)接口调用,如 PostWebRequest() 方法,这种方式是行不通的:对方域返回的 Set-Cookie 落在本方服务器而不是用户的浏览器里,因此无法在用户浏览器中生成对方域下可用的 Cookie。

3、用前端 JS(XMLHttpRequest)跨域调用同样不行:跨域请求默认不携带凭据,响应中的 Set-Cookie 也不会被写入,除非对方站点显式开启允许携带凭据的 CORS,否则无法生成对方域下可用的 Cookie。

4、在A域下利用<script src='B域下的一个接口链接,用于生成B域下需要的Cookie信息'></script>,利用<script>标签不受同源限制的特性,让用户浏览器直接向B域的接口发起请求,从而生成B域下能够访问的Cookie信息,如用户登录凭证信息。需要注意:这实质上是以第三方上下文向B域发起带 Cookie 的请求,效果依赖浏览器允许第三方 Cookie,浏览器默认的 SameSite 策略或禁用第三方 Cookie 时该方案会失效;B域返回的脚本会在A域页面中执行,因此B域必须完全可信;会员信息通过 GET 参数传递,会留在浏览器历史、代理与服务器日志中,且缺少时间戳/随机数的签名可被重放。

 
