Preventing visitors from opening certain pages
I have an ASP.Net 2.0 website with SQL Server as database and C# 2005 as the programming language. The website is almost complete and all the links are working fine. But I want to prevent normal users from opening a couple of pages. When any user clicks on those specific links, another page opens which contains an ASP Login control. The user has to supply a valid userid and password to display the links pointing to the restrictive pages. But being a newbie, I don't know how to leverage the full power of the ASP Login control. Because, if a user gets to know the exact URL of the restricted pages, then he/she can bypass the login control and directly access those pages by typing the URL into the address bar. I want to prevent this. If the user types the URL directly in the address bar, I want the page itself to check whether the user has been validated through the Login control and either display the page or point the user to the Login page.
How do I implement this feature??
Thank You.
Lalit Kumar Barik
Comments (5)
You'll want to take a look at the location section of the web config.
In that section, you can define down to the page level the access rights, so it wouldn't matter if the users knew the URL of the secured pages, ASP.NET wouldn't let them in.
So you would add something like:
The "deny users="?"" bit says "Deny all anonymous users".
You can also set it up to only allow certain roles, if you are using those.
More information on the Authorization section can be found here:
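The kind of `location` rule the answer above describes, as an added example (it is not the answerer's own snippet, which did not survive on this page). The paths `Login.aspx` and `Members/Reports.aspx`, the `Admin` folder and the `Admin` role name are assumptions chosen for illustration.

```xml
<?xml version="1.0"?>
<!-- web.config at the site root (ASP.NET 2.0). All paths and role names are hypothetical. -->
<configuration>
  <system.web>
    <!-- Forms authentication: an unauthenticated request for a protected URL
         is redirected to loginUrl, with the original URL passed as ReturnUrl. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" protection="All" />
    </authentication>

    <!-- Needed only if role-based rules are used (see the Admin folder below). -->
    <roleManager enabled="true" />

    <!-- Site default: every visitor, including anonymous ones, may browse. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- A single restricted page: "?" means anonymous, so any logged-in user gets in.
       Typing the URL directly changes nothing; the check runs on every request. -->
  <location path="Members/Reports.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- A whole folder restricted to one role. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Rules are evaluated top-down and the first match wins, so `<allow roles="Admin" />` has to come before `<deny users="*" />`. Under IIS these rules apply only to requests routed to ASP.NET (such as .aspx pages), so static files in a protected folder are not covered unless they are mapped to ASP.NET.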
This is food for the ASP.Net Membership services. Take a look at this article and also the great series over at 4GuysFromRolla.
Membership allows you to store user/password information which is used, among others, by the Login control. Coupled with the authorization configuration you will be able to directly narrow access to specific pages down to specific users or roles.
You will need a way to manage login sessions for each user. The following are some tutorials that could help you:
http://www.codeproject.com/KB/session/NoCookieSessionLogin.aspx
http://www.dotnetspider.com/resources/5597-Handling-Session-for-Login-Logout.aspx
You should verify the user's logged in state at every Page_Load() event on pages that must control permissions, or simply put the authentication code in a CS file that will be included in all other files. Depending on the authentication architecture that you choose (simply use the session variable, or create a session id with cookies), you must adapt your code accordingly.
The simplest way would be to manage log-ins through the session object. When the user logs in properly with the right credentials, you can set Session["logged_in"] = true. And on every Page_Load() event of the pages you want to protect, you'd need to do the following check. Add this code at the beginning of your Page_Load() function:
Please keep in mind that this is okay for simple intranet applications, but if you want to get into more secure login architectures, read up more about the subject, as relying solely on session variables isn't safe because sessions can be hijacked.
I would make a role table for users. Everyone who logs in gets the 'normal' role. Special users whom you designate by their credentials get assigned roles to access a page or section of your website. Certain users (like yourself) would get an administrator role that automatically allows them access to everything.
Fire off a function called CheckIsInRoles('Admin', 'Normal', 'WhateverRoleYouChoose') which returns a boolean. If true, load the page; if not, don't.
Even better, don't display a link if not in the correct role.
This has the added benefit of everyone logging on once and then accessing all the pages they need to without having to log on each time.