ASP.MVC当URL跳转时候参数的安全性

时间:2022-04-22
本文章向大家介绍ASP.MVC当URL跳转时候参数的安全性,主要内容包括其使用实例、应用技巧、基本知识点总结和需要注意事项,具有一定的参考价值,需要的朋友可以参考一下。

      一个页面跳转到另外一个页面直接将参数写在URL上面并不安全比如 http://XXXXXXXXXXX/meeting/shakeGroup?id=5381&uid=o0En_sj1J0bFgIBMPG37WjWMXpqY

参数id和uid需要进行加密,写个简单的例子来实现:

加密类:

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web;

namespace CnbLogsProject.Util
{
    public class EnCodeHelper
    {
        // url传输参数加密密钥
        public static string strKeys = "abdfajrtrgjfg";

        #region 加密字符串
        /// <summary>
        /// 加密
        /// </summary>
        /// <param name="strValue"></param>
        /// <returns></returns>
        public static string GetEncryption(string strValue)
        {
            //加密标准算法的对象
            DESCryptoServiceProvider provider = new DESCryptoServiceProvider();
            //建立加密对象的密钥和偏移量
            provider.Key = Encoding.ASCII.GetBytes(strKeys.Substring(0, 8));
            //原文使用Encoding.ASCII方法的GetBytes方法
            provider.IV = Encoding.ASCII.GetBytes(strKeys.Substring(0, 8));
            //将要加密的字符放到byte数组中
            byte[] bytes = Encoding.UTF8.GetBytes(strValue);
            //输入的文本必须是英文文本
            MemoryStream stream = new MemoryStream();
            //定义将数据连接到加密转换的流
            CryptoStream stream2 = new CryptoStream(stream, provider.CreateEncryptor(), CryptoStreamMode.Write);
            stream2.Write(bytes, 0, bytes.Length);//将当前字节写入到流中
            stream2.FlushFinalBlock();//清除缓存区
            StringBuilder builder = new StringBuilder();
            //循环遍历每个字节
            foreach (byte num in stream.ToArray())
            {
                builder.AppendFormat("{0:X2}", num);
            }
            stream.Close();//关闭释放资源
            return builder.ToString();
        }
        #endregion

        #region 解密字符串
        /// <summary>
        /// 解密
        /// </summary>
        /// <param name="strValue"></param>
        /// <returns></returns>
        public static string GetDecryption(string strValue)
        {
            //解密标准算法的对象
            DESCryptoServiceProvider provider = new DESCryptoServiceProvider();
            //建立解密密对象的密钥和偏移量
            provider.Key = Encoding.ASCII.GetBytes(strKeys.Substring(0, 8));
            //原文使用Encoding.ASCII方法的GetBytes方法
            provider.IV = Encoding.ASCII.GetBytes(strKeys.Substring(0, 8));
            //将要解密的字符放到byte数组中
            byte[] buffer = new byte[strValue.Length / 2];
            //循环遍历遍历
            for (int i = 0; i < (strValue.Length / 2); i++)
            {
                int num2 = Convert.ToInt32(strValue.Substring(i * 2, 2), 0x10);
                buffer[i] = (byte)num2;
            }
            //输入的文本必须是英文文本
            MemoryStream stream = new MemoryStream();
            //定义将数据连接到解密转换的流
            CryptoStream stream2 = new CryptoStream(stream, provider.CreateDecryptor(), CryptoStreamMode.Write);
            //将当前字节写入到流中
            stream2.Write(buffer, 0, buffer.Length);
            stream2.FlushFinalBlock();//清除缓存区
            stream.Close();//关闭释放资源
            return Encoding.GetEncoding("GB2312").GetString(stream.ToArray());
        }
        #endregion
    }
}
strKeys 为秘钥可以写在配置文件里面控制器(将A页面的参数加密后暴露给客户端跳转到B页面时候解密):
     /// <summary>
        /// A页面
        /// </summary>
        /// <returns></returns>
        public ActionResult Index()
        {
            string id = "5381";
            string uid = "o0En_sj1J0bFgIBMPG37WjWMXpqY";
            id = EnCodeHelper.GetEncryption(id);
            uid = EnCodeHelper.GetEncryption(uid);

            ViewBag.id = id;
            ViewBag.uid = uid;
            return View();
        }


        /// <summary>
        /// B页面
        /// </summary>
        /// <param name="id"></param>
        /// <param name="uid"></param>
        /// <returns></returns>
        public ActionResult Home(string id="",string uid="")
        {
            ViewBag.id =EnCodeHelper.GetDecryption(id);
            ViewBag.uid =EnCodeHelper.GetDecryption(uid);
            return View();
        }

视图:

@{
    ViewBag.Title = "Index";
}
<script src="~/Scripts/jquery-1.8.2.min.js"></script>
<button id="re">跳转</button>
<script>

    $(function () {

        $("#re").click(function () {
            location.href = "Home?id="+"@ViewBag.id"+"&uid="+"@ViewBag.uid";
        });
    });
</script>
@{
    ViewBag.Title = "Home";
}

<input value="@ViewBag.id" />
<input value="@ViewBag.uid"/>
<h2>Home</h2>

效果:

原来的URL:http://localhost:63792/Home/Home?id=282D147B1B12BAE3&uid=29732D957DD4EF753BC3E94797D1018D230457174ABD43EF1ED2FEA651E8351E

跳转到B页面后成功解密:

对应上我们开头的

http://XXXXXXXXXXX/meeting/shakeGroup?id=5381&uid=o0En_sj1J0bFgIBMPG37WjWMXpqY

参数id和uid需要进行加密,写个简单的例子来实现:

当然还有其他很多方法