AJAX安全-Session做Token

个人思路，请大神看到了指点

个人理解token是防止扫号机或者恶意注册、恶意发表灌水，有些JS写的token算法，也会被抓出来被利用，个人感觉还是用会过期的Session做token更好，服务器存储，加载到客户端页面，然后进行对比

index.aspx

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="index.aspx.cs" Inherits="index" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
<script type="text/javascript" src="jquery.js"></script>
<script>
function submist() {
if ($("#HDToken").val() != null) {
var JsonData = {
Token: $("#HDToken").val(),
sid: Math.random()
};

$.ajax({
type: "post",
url: "index.ashx",
dataType: "json",
data: JsonData,
success: function (data) {
if (data[0].status == 'success') {

alert("成功" + data[0].message);

}
else {
alert("失败" + data[0].message);

}
},
error: function (data, status, e) {
alert("系统错误" + status + "|" + data[0].message);

}
});
}
else {
alert("回话过期，重新刷新页面");
return;
}
}

</script>
</head>
<body>
<form id="form1" runat="server">
<div>
<input id="HDToken" type="hidden"  runat="server" />
<input id="Button1" type="button" value="提交"  onclick="submist()"/>
<asp:Button ID="Button2" runat="server" Text="清除" onclick="Button2_Click" />
</div>
</form>
</body>
</html>

index.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class index : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{

if (!IsPostBack)
{
string Token = "";
if (Session["Token"] == null)
{
Session["Token"] = DateTime.Now.ToString();
Token = Session["Token"].ToString();
HDToken.Value = FormsAuthentication.HashPasswordForStoringInConfigFile(Token, "md5").ToLower();//MD5加密后赋值给隐藏域
//Response.Write(HDToken.Value);

}
else
{
Token = Session["Token"].ToString();
HDToken.Value = FormsAuthentication.HashPasswordForStoringInConfigFile(Token, "md5").ToLower();
// Response.Write(HDToken.Value);

//以下为回话过期，可以放在Global.asax 做定时器
TimeSpan span=DateTime.Now.Subtract(Convert.ToDateTime(Session["Token"]));
int min = span.Minutes + 1;
if (min > 1)
{
Session.Remove("Token");//时间大于1分钟，移除
}
}

}
}
protected void Button2_Click(object sender, EventArgs e)
{
Session.Abandon();
}
}

index.ashx

<%@ WebHandler Language="C#" Class="index" %>

using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;

public class index : IHttpHandler, IRequiresSessionState
{

public void ProcessRequest(HttpContext context)
{
context.Response.ContentType = "text/plain";
string Token = context.Request["Token"];//获得隐藏域的值
if (context.Session["Token"] != null)
{

if (FormsAuthentication.HashPasswordForStoringInConfigFile(context.Session["Token"].ToString(), "md5").ToLower() == Token)
{
context.Response.Write("[{\"message\":\"成功\",\"status\":\"success\"}]");
context.Response.End();
return;
}
else
{
context.Response.Write("[{\"message\":\"失败\",\"status\":\"error\"}]");
context.Response.End();
return;
}
}
else
{
context.Response.Write("[{\"message\":\"过期\",\"status\":\"error\"}]");
context.Response.End();
return;
}

}

public bool IsReusable {
get {
return false;
}
}

}

另一种方法，在请求头部加入token

if (!IsPostBack)
{
///生成 Token
string Token = new Random().NextDouble().ToString();
Session["token"] = Token;
System.Web.UI.HtmlControls.HtmlGenericControl script = new System.Web.UI.HtmlControls.HtmlGenericControl("script");
script.Attributes.Add("type", "text/javascript");
script.InnerHtml = @"
$.ajaxSetup({
beforeSend: function (xhr) {
xhr.setRequestHeader(""token"", """ + Token + @""");
}
});
";
Page.Header.Controls.Add(script);
}

在请求结果页面直接获得string Token = context.Request.Headers["token"];