CreateUserWizard username and e-mail enumeration

Time: 2014-05-29 18:48:26

Tags: asp.net security

I have been doing a security audit of our website and found a problem with the CreateUserWizard. We do not allow people to register with a duplicate e-mail address or username. The CreateUserWizard validates this for me, but the problem is that I could write a script that hits our server and tries usernames, and quickly obtain a list of usernames by enumeration.

I wanted to add reCAPTCHA, but I can't seem to validate it before the username is validated. Is there a way to do this?

    <asp:CreateUserWizard ID="CreateUserWizard1" runat="server" OnCreatedUser="CreateUserWizard1_CreatedUser" ContinueDestinationPageUrl="~/PleaseVerify.aspx" CssClass="CreateUserWizard" StepNextButtonStyle-CssClass="NextButton" StartNextButtonStyle-CssClass="NextButton" FinishCompleteButtonStyle-CssClass="FinishButton" CreateUserButtonText="Create my ID"
        CompleteSuccessText="Your account has been created, but before you can login you must first verify your email address. A message has been sent to the email address you specified. Please check your email inbox and follow the instructions in that email to verify your account."
        DisableCreatedUser="True" OnSendingMail="CreateUserWizard1_SendingMail" DuplicateUserNameErrorMessage="That username is already in use, if you think this is you can LINK REMOVED Otherwise try a different username."
        DuplicateEmailErrorMessage="That email is already in use, try to <a href='/ForgotPassword.aspx'>recover your password</a>." InvalidPasswordErrorMessage="Please supply at least five letters in your password.">
    </asp:CreateUserWizard>

2 answers:

Answer 0 (score: 0)

I don't believe the username is validated on the client side, so you can override the CreateUserWizard's CreateUserError event handler, check the captcha, and not pass back the error about the username being in use. I used a custom captcha control pieced together from www.codinghorror.com (http://www.codinghorror.com/blog/2004/11/captcha-control-coda.html), which fires before the back-end code tries to create the user and determines that the username/e-mail is in use.

Answer 1 (score: 0)

I ended up not using the CreateUserWizard and just did a simple login in a button handler.

    using System;
    using System.Web.Security;

    // Button click handler in the page code-behind. The CAPTCHA is checked
    // first, so the duplicate lookups only run for requests that passed it.
    protected void CreateUser_Click(object sender, EventArgs e)
    {
        recaptcha.Validate();
        if (!recaptcha.IsValid)
        {
            ErrorMessage.Text = "Invalid Code.";
            return;
        }
        // Page-level validators (required fields, password rules, ...).
        if (!IsValid)
        {
            return;
        }
        var duplicateEmail = Membership.FindUsersByEmail(Email.Text);
        if (duplicateEmail.Count > 0)
        {
            ErrorMessage.Text = "That email is already in use, try to <a href='/ForgotPassword.aspx'>recover your password</a>.";
            return;
        }
        // Note: SqlMembershipProvider implements FindUsersByName as a LIKE
        // search, so the argument is treated as a pattern, not an exact name.
        var duplicateUsername = Membership.FindUsersByName(UserName.Text);
        if (duplicateUsername.Count > 0)
        {
            ErrorMessage.Text = "That username is already in use, if you think this is you can <a href='http://www.nanaimo.ca/dashboard/'>login</a>, otherwise try a different username.";
            return;
        }
        // Create the account disabled until the e-mail address is verified.
        var newUser = Membership.CreateUser(UserName.Text, Password.Text, Email.Text);
        newUser.IsApproved = false;
        Membership.UpdateUser(newUser);
    }
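The two answers point in the same direction: check the CAPTCHA before Membership is consulted, and do not tell the caller which field collided. The code-behind below is an added example, not code from the question or either answer. It keeps the CreateUserWizard from the question's markup and does three things: cancels the wizard's CreatingUser event when the CAPTCHA fails (CreatingUser is raised before the wizard calls Membership.CreateUser, so no duplicate-name or duplicate-e-mail lookup happens for a cancelled request), gives DuplicateUserNameErrorMessage and DuplicateEmailErrorMessage the same text, and records the real MembershipCreateStatus server-side through the page Trace so bursts of duplicate-account attempts from one address are visible. Assumed names: a reCAPTCHA control `recaptcha` with the `Validate()`/`IsValid` members used in answer 1, a Label `CaptchaError` placed outside the wizard, and the page class `Register`. The CreatedUser and SendingMail handlers that the markup already references are left out of this listing.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example: code-behind for the registration page that hosts the
// CreateUserWizard from the question. Assumes a reCAPTCHA control named
// "recaptcha" (as in answer 1) and a Label named "CaptchaError" outside the
// wizard; both names are hypothetical.
public partial class Register : Page
{
    // One text for both "already taken" outcomes, so the response no longer
    // says whether the username or the e-mail address was the one that matched.
    private const string GenericDuplicateMessage =
        "We could not create an account with those details. If you already "
        + "have an account, use <a href='/ForgotPassword.aspx'>password recovery</a>.";

    protected void Page_Init(object sender, EventArgs e)
    {
        CreateUserWizard1.DuplicateUserNameErrorMessage = GenericDuplicateMessage;
        CreateUserWizard1.DuplicateEmailErrorMessage = GenericDuplicateMessage;

        // Same as OnCreatingUser="..." and OnCreateUserError="..." in markup.
        CreateUserWizard1.CreatingUser += CreateUserWizard1_CreatingUser;
        CreateUserWizard1.CreateUserError += CreateUserWizard1_CreateUserError;
    }

    // CreatingUser fires before the wizard calls Membership.CreateUser.
    // Cancelling here ends the request before any duplicate lookup runs, so
    // a client that cannot solve the CAPTCHA learns nothing about existing accounts.
    protected void CreateUserWizard1_CreatingUser(object sender, LoginCancelEventArgs e)
    {
        recaptcha.Validate();
        if (recaptcha.IsValid)
        {
            return;
        }
        e.Cancel = true;
        CaptchaError.Text = "The verification code was not correct. Please try again.";
    }

    // The real cause stays on the server. A run of these from one address is
    // the enumeration pattern described in the question and worth alerting on.
    protected void CreateUserWizard1_CreateUserError(object sender, CreateUserErrorEventArgs e)
    {
        switch (e.CreateUserError)
        {
            case MembershipCreateStatus.DuplicateUserName:
            case MembershipCreateStatus.DuplicateEmail:
                Trace.Warn("Registration",
                    "duplicate-account attempt (" + e.CreateUserError + ") from "
                    + Request.UserHostAddress);
                break;
        }
    }
}
```

Two points to keep in mind when applying this. The wizard's own validators (required fields, password length) still run before CreatingUser through Page.IsValid; they reveal nothing about other accounts, so that order is fine. And a generic message only closes the gap if the page it links to behaves the same way: the ForgotPassword page referenced in the question's markup must answer identically whether or not the submitted address exists, otherwise the enumeration just moves there.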