经典ASP产生和验证反伪造物
我已经被困住了很长时间了,我希望有人可以帮助我。
我有一个用ASP Classic编写的应用程序。我必须以验证数据的形式实施抗托法令牌。 我的页面是这样组成的,
<% Dim token
token = GetGUID()
Session("token")=token
%>
<html>
<head>
</head>
<boby>
...
...
<form method="post" action="../includes/CENT_FUNCTIONS.ASP">
<input type="hidden" value="<%=Session("token")%> name="token">
</form>
</body>
</html>
正如您打开页面时在ASP代码的顶部所看到的,我生成了一个指导,我将保存在会话变量中。 我使用此VBS函数生成GUID,
FUNCTION GetGUID()
GetGUID = CreateObject("Scriptlet.TypeLib").GUID
END FUNCTION
因此我将在表单的隐藏字段中保存会话变量。表格的操作用于调用另一个ASP文件,我将去收集表单数据以调用SQL数据库中的存储过程。 文件是这样写的
<%
IF Request("token") = Session("token") THEN
ID_CENT=Request.QueryString("ID_CENT")
IDAZIENDA_CENT=Request("IDAZIENDA_CENT")
ELSE
Response.Redirect "../notallowed.asp"
END IF
set command = Server.CreateObject("ADODB.Command")
command.ActiveConnection = conn
command.CommandText = "CAR_CENTRALINI_FUNZIONI"
command.CommandType = adCmdStoredProc
set objParameter = command.CreateParameter ("@ID_CENT", adInteger, adParamInput,,ID_CENT)
command.Parameters.Append objParameter
set objParameter = command.CreateParameter ("@IDAZIENDA_CENT", adInteger, adParamInput,,IDAZIENDA_CENT)
command.Parameters.Append objParameter
command.Execute , , adExecuteNoRecords
Set command=Nothing
Set objParameter=Nothing
Response.Redirect "../Fonia/UT_Fonia_CENTRALINI.asp"
%>
,因此在收集表单数据之前,我要检查到达是否与会话变量中存储的代币相同。 但是,我在条件下进行的这种比较总是返回false。
我用这种方式来生成和验证反伪造令牌正确吗?我在做什么错?
感谢您的答复
I have been stuck in this topic for a long time and I hope someone can help me.
I have an application written in asp classic. I must implement an antiforgery token in the form where I go to validate the data.
My page is composed like this
<% Dim token
token = GetGUID()
Session("token")=token
%>
<html>
<head>
</head>
<boby>
...
...
<form method="post" action="../includes/CENT_FUNCTIONS.ASP">
<input type="hidden" value="<%=Session("token")%> name="token">
</form>
</body>
</html>
As you can see at the top in the asp code when opening the page I generate a GUID that I am going to save in a session variable.
I generate the GUID with this vbs function
FUNCTION GetGUID()
GetGUID = CreateObject("Scriptlet.TypeLib").GUID
END FUNCTION
So I'm going to save the session variable in a hidden field of the form. The action of the form goes to call another asp file where I will go to collect the form data to call a store procedure in the sql database.
The file is written like this
<%
IF Request("token") = Session("token") THEN
ID_CENT=Request.QueryString("ID_CENT")
IDAZIENDA_CENT=Request("IDAZIENDA_CENT")
ELSE
Response.Redirect "../notallowed.asp"
END IF
set command = Server.CreateObject("ADODB.Command")
command.ActiveConnection = conn
command.CommandText = "CAR_CENTRALINI_FUNZIONI"
command.CommandType = adCmdStoredProc
set objParameter = command.CreateParameter ("@ID_CENT", adInteger, adParamInput,,ID_CENT)
command.Parameters.Append objParameter
set objParameter = command.CreateParameter ("@IDAZIENDA_CENT", adInteger, adParamInput,,IDAZIENDA_CENT)
command.Parameters.Append objParameter
command.Execute , , adExecuteNoRecords
Set command=Nothing
Set objParameter=Nothing
Response.Redirect "../Fonia/UT_Fonia_CENTRALINI.asp"
%>
So before collecting the form data I go to check if the token arrived is the same as the one stored in the session variable.
But this comparison that I make in the IF condition always returns false.
Is this way I am using to generate and validate the anti forgery token correct? What am I doing wrong?
Thanks for any replies
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论