We recently completely rewrote our ASP.NET 2.0 Web Forms website; it is now an MVC 4.0 site. We are having a problem with fake accounts being created. When I look at my IIS logs, the IP addresses are mostly from China. Our ASP.NET 2.0 Web Forms site never experienced any fake accounts being created, so I'm wondering whether I've done something wrong to suddenly get so many. Below is a simplified version of our account registration page to illustrate what I'm doing...
Controller

```vbnet
<RequireHttps()>
Function Register() As ActionResult
    Dim ad As New AccountDetails
    Return View("AccountDetails", ad)
End Function

' <HttpPost()> added: without it MVC cannot tell the two Register overloads apart
<HttpPost()>
<RequireHttps()>
<ValidateAntiForgeryToken()>
Function Register(model As AccountDetails) As ActionResult
    If ModelState.IsValid Then
        ' Honeypot check: a real user never sees FormValue1/FormValue2, so any value means an automated post
        If Not String.IsNullOrEmpty(model.FormValue1) OrElse Not String.IsNullOrEmpty(model.FormValue2) Then
            ' Add Code here to display an error
        Else
            Dim SerialNo As Integer = AccountDetailsRepository.InsertRecord(model)
            If SerialNo > 0 Then
                Dim Roles As String = "Standard"
                FormsAuthentication.Initialize()
                Dim fat As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, model.FirstName + " " + model.Surname, DateTime.Now, DateTime.Now.AddMinutes(FormsAuthentication.Timeout.TotalMinutes), False, Roles, FormsAuthentication.FormsCookiePath)
                Response.Cookies.Add(New HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(fat)))
                Return RedirectToAction("Account")
            Else
                ' Add code here to display an account error
            End If
        End If
    End If
    Return View("AccountDetails", model)
End Function
```
View

```razor
@ModelType User.AccountDetails
<div class="Account">
    <h1 class="PageTitle">Register</h1>
    <div class="AccountDetails">
        <p class="PageHeader">Please enter your account details</p>
        @Using Html.BeginForm()
            @Html.AntiForgeryToken()
            @Html.ValidationSummary(True, "Please correct the following errors:-", New With {.id = "AccountDetailsValidationSummary", .class = "TopValidationSummary"})
            @<div class="AccountDetailsContainer">
                @Html.TextBoxFor(Function(model) model.FormValue1, New With {.id = "FormValue1"})
                @Html.HiddenFor(Function(model) model.FormValue2, New With {.id = "FormValue2"})
                <fieldset id="NameGroup" class="FieldGroup">
                    <legend>Name</legend>
                    <div class="FieldRow">
                        <label for="FirstName" class="FieldLabel">First Name</label>
                        @Html.TextBoxFor(Function(model) model.FirstName, New With {.autocomplete = "off", .class = "Field", .id = "FirstName", .MaxLength = 25})
                        @Html.ValidationMessageFor(Function(model) model.FirstName)
                    </div>
                    <div class="FieldRow">
                        <label for="Surname" class="FieldLabel">Surname</label>
                        @Html.TextBoxFor(Function(model) model.Surname, New With {.autocomplete = "off", .class = "Field", .id = "Surname", .MaxLength = 25})
                        @Html.ValidationMessageFor(Function(model) model.Surname)
                    </div>
                </fieldset>
                <fieldset id="AddressGroup" class="FieldGroup">
                    <legend>Address</legend>
                    <div class="FieldRow">
                        <label for="Address1" class="FieldLabel">Address 1</label>
                        @Html.TextBoxFor(Function(model) model.Address1, New With {.autocomplete = "off", .class = "Field", .id = "Address1", .MaxLength = 50})
                        @Html.ValidationMessageFor(Function(model) model.Address1)
                    </div>
                    <div class="FieldRow">
                        <label for="Address2" class="FieldLabel">Address 2</label>
                        @Html.TextBoxFor(Function(model) model.Address2, New With {.autocomplete = "off", .class = "Field", .id = "Address2", .MaxLength = 50})
                    </div>
                    <div class="FieldRow">
                        <label for="Address3" class="FieldLabel">City</label>
                        @Html.TextBoxFor(Function(model) model.City, New With {.autocomplete = "off", .class = "Field", .id = "Address3", .MaxLength = 35})
                        @Html.ValidationMessageFor(Function(model) model.City)
                    </div>
                    <div class="FieldRow">
                        <label for="Address4" class="FieldLabel DropDown">State</label>
                        @Html.TextBoxFor(Function(model) model.State, New With {.autocomplete = "off", .class = "Field", .id = "Address4", .MaxLength = 4})
                        @Html.ValidationMessageFor(Function(model) model.State)
                    </div>
                    <div id="PostcodeContainer" @(If(Not Model.International, Html.Raw("style=""display: block;"""), Html.Raw("style=""display: none;""")))>
                        <label for="PostCode" class="FieldLabel">Zip Code</label>
                        @Html.TextBoxFor(Function(model) model.PostCode, New With {.autocomplete = "off", .class = "Field", .id = "PostCode", .MaxLength = 15})
                        @Html.ValidationMessageFor(Function(model) model.PostCode)
                    </div>
                </fieldset>
                <fieldset id="ContactDetailsGroup" class="FieldGroup">
                    <legend>Contact Details</legend>
                    <div class="FieldRow">
                        <label for="Email" class="FieldLabel">E-mail</label>
                        @Html.TextBoxFor(Function(model) model.Email, New With {.autocomplete = "off", .class = "Field", .id = "Email", .MaxLength = 100})
                        @Html.ValidationMessageFor(Function(model) model.Email)
                    </div>
                    <div class="FieldRow">
                        <label for="ConfirmEmail" class="FieldLabel">Confirm E-mail</label>
                        @Html.TextBoxFor(Function(model) model.ConfirmEmail, New With {.autocomplete = "off", .class = "Field", .id = "ConfirmEmail", .MaxLength = 100})
                        @Html.ValidationMessageFor(Function(model) model.ConfirmEmail)
                    </div>
                    <div class="FieldRow">
                        <label for="TelNo1" class="FieldLabel">Tel No</label>
                        @Html.TextBoxFor(Function(model) model.TelNo1, New With {.autocomplete = "off", .class = "Field", .id = "TelNo1", .MaxLength = 25})
                        @Html.ValidationMessageFor(Function(model) model.TelNo1)
                    </div>
                </fieldset>
                <fieldset id="PasswordGroup" class="FieldGroup">
                    <legend>Password</legend>
                    <div class="FieldRow">
                        <label class="FieldLabel" for="WebPassword">Password</label>
                        @Html.PasswordFor(Function(model) model.WebPassword, New With {.autocomplete = "off", .class = "Field", .id = "WebPassword", .MaxLength = 25})
                        @Html.ValidationMessageFor(Function(model) model.WebPassword)
                    </div>
                    <div class="FieldRow">
                        <label class="FieldLabel" for="ConfirmWebPassword">Confirm Password</label>
                        @Html.PasswordFor(Function(model) model.ConfirmWebPassword, New With {.autocomplete = "off", .class = "Field", .id = "ConfirmWebPassword", .MaxLength = 25})
                        @Html.ValidationMessageFor(Function(model) model.ConfirmWebPassword)
                    </div>
                </fieldset>
            </div>
            @<div class="ButtonBar">
                <input type="submit" name="SubmitValue" class="SubmitButton" value="Create Account" id="AccountDetailsSaveDetailsButton" />
            </div>
        End Using
    </div>
</div>
```
My layout view includes the jQuery scripts, and I also use unobtrusive validation on the client side.

As shown above, I have tried a few things:

1. Adding an AntiForgeryToken.
2. Adding a textbox named FormValue1, which I hide with CSS.
3. Adding a hidden field named FormValue2.

For FormValue1 and FormValue2 I check whether they have been filled in. Since a user should never see these, if they have been filled in I assume it is some kind of automated attack and do not register the account.

I could consider something like reCAPTCHA, but I just want to try to work out whether I am doing something wrong, especially since this problem only seems to have started with our MVC 4.0 site and we never had it with ASP.NET 2.0 Web Forms.

What can I do to improve this?
Answer 0 (score: 1)

I doubt it has anything to do with the ASP.NET version you are using. More likely your site has gained popularity and thereby drawn the wrath of the Chinese bots. By the way, AntiForgeryToken is for protecting against CSRF, not against bots calling your page. And adding hidden fields to try to trick them is hardly considered a security measure.

reCAPTCHA is your best bet. Unless this is a Chinese workshop in which people cannot register accounts, in which case you have an entirely different problem.
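As an added example (not code from the question or the answer), here is how the reCAPTCHA check the answer recommends can be wired into the MVC 4 registration POST action in VB.NET, with the honeypot fields kept only as a cheap first filter. It assumes reCAPTCHA v2 (the widget posts a `g-recaptcha-response` field and Google's `siteverify` endpoint returns JSON with a `success` flag), a secret key stored under a hypothetical `RecaptchaSecret` appSettings entry in web.config, and the `AccountDetails` model and `AccountDetailsRepository` from the question.

```vbnet
' Added example, not the asker's code. Assumes reCAPTCHA v2 and a hypothetical
' appSettings key "RecaptchaSecret" holding the server-side secret.
Imports System.Collections.Generic
Imports System.Collections.Specialized
Imports System.Configuration
Imports System.Net
Imports System.Text
Imports System.Web.Mvc
Imports System.Web.Script.Serialization

Public Class RecaptchaVerifier
    Private Const VerifyUrl As String = "https://www.google.com/recaptcha/api/siteverify"

    ' Returns True only when Google confirms the token. A missing token, a network
    ' error or unparseable JSON all count as failure, so an outage of the verifier
    ' never silently lets automated registrations through.
    Public Shared Function IsHuman(captchaResponse As String, remoteIp As String) As Boolean
        If String.IsNullOrEmpty(captchaResponse) Then Return False
        Try
            Dim fields As New NameValueCollection()
            fields("secret") = ConfigurationManager.AppSettings("RecaptchaSecret")
            fields("response") = captchaResponse
            fields("remoteip") = remoteIp
            Using client As New WebClient()
                Dim raw As Byte() = client.UploadValues(VerifyUrl, "POST", fields)
                Dim json As String = Encoding.UTF8.GetString(raw)
                Dim result = New JavaScriptSerializer().Deserialize(Of Dictionary(Of String, Object))(json)
                Dim success As Object = Nothing
                Return result.TryGetValue("success", success) AndAlso CBool(success)
            End Using
        Catch ex As Exception
            Return False
        End Try
    End Function
End Class

Public Class AccountController
    Inherits Controller

    <HttpPost()>
    <RequireHttps()>
    <ValidateAntiForgeryToken()>
    Function Register(model As AccountDetails) As ActionResult
        ' Honeypot fields from the question: cheap to check, but not the decision point.
        If Not String.IsNullOrEmpty(model.FormValue1) OrElse Not String.IsNullOrEmpty(model.FormValue2) Then
            ModelState.AddModelError("", "Registration could not be completed.")
            Return View("AccountDetails", model)
        End If

        ' The CAPTCHA is verified server-side before anything touches the database.
        Dim token As String = Request.Form("g-recaptcha-response")
        If Not RecaptchaVerifier.IsHuman(token, Request.UserHostAddress) Then
            ModelState.AddModelError("", "Please complete the CAPTCHA and try again.")
            Return View("AccountDetails", model)
        End If

        If Not ModelState.IsValid Then Return View("AccountDetails", model)

        Dim serialNo As Integer = AccountDetailsRepository.InsertRecord(model)
        If serialNo > 0 Then
            ' Issue the forms-authentication ticket here exactly as in the question's action.
            Return RedirectToAction("Account")
        End If

        ModelState.AddModelError("", "The account could not be created.")
        Return View("AccountDetails", model)
    End Function
End Class
```

The view side needs the widget (`<div class="g-recaptcha" data-sitekey="..."></div>`) inside the form and the `https://www.google.com/recaptcha/api.js` script in the layout; the site key goes in the page, the secret key stays on the server. Checking the CAPTCHA before `ModelState.IsValid` keeps a bot from learning which field values pass validation, and treating any verifier error as a failed check is the safe default for a registration endpoint.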