While trying to stop the Anti-XRF token from failing (when a user keeps hitting the 'Login' button after it has been pressed and the page has already loaded), I decided to make the ASP button invisible and put an HTML button in its place. The JS attached to the HTML button checks whether the page is valid (I have RequiredFieldValidators on the username and password textboxes) and, if so, disables the HTML button and fires the actual ASP button's click.
The main test case I'm running into problems with, and can't seem to figure out, is when I enter a wrong username and password. The button gets disabled correctly and the ASP button is clicked; the page reloads with the "username and password wrong" message from the Login_Click function in the code-behind. But at this point, whether or not anything has been entered in a given textbox, after one 'login click' the button is disabled (meaning it passed the if(Page_IsValid) line) and the alert ("asp button has been clicked") that I placed directly after the line that fires the ASP button is shown, but it seems the ASP button is never actually fired, because the page doesn't load and I never reach the breakpoint in the login_click function in the code-behind. Am I using the RequiredFieldValidators or the Page_IsValid feature wrong? Or is there a better way to accomplish this? All relevant code is below. I hope I have provided enough information to get help; if you need me to clarify or add anything, please let me know.
Validation:
<asp:TextBox ID="tbUserName" runat="server" Width="250px"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator1" runat="server" onpropertychange ="reEnable()" ControlToValidate="tbUserName" CssClass="field-validation-error" ErrorMessage="The user name field is required." EnableClientScript="true" />
<br>
<asp:Label ID="lblPassword" runat="server" AssociatedControlID="tbPassword">Password:</asp:Label>
<asp:TextBox ID="tbPassword" runat="server" TextMode="Password" Width="250px"></asp:TextBox>
<asp:RequiredFieldValidator ID="RequiredFieldValidator2" runat="server" onpropertychange ="reEnable()" ControlToValidate="tbPassword" CssClass="field-validation-error" ErrorMessage="The password field is required." EnableClientScript="true" />
JavaScript:
<script type="text/javascript">
    function clientClick() {
        if (Page_IsValid) {
            alert("Page is valid");
            document.getElementById('btnLoginSubmit').disabled = true;
            alert("HTML BUTTON DISABLED");
            document.getElementById('<%= btnLogin.ClientID %>').click();
            alert("asp button has been clicked");
        }
        else { document.getElementById('btnLoginSubmit').disabled = false; }
        return true;
    }
    function reEnable() {
        document.getElementById('btnLoginSubmit').disabled = false;
        return true;
    }
</script>
Login_Click method:
protected void Login_Click(object sender, EventArgs e)
{
    btnLogin.Enabled = false;
    String adPath = "LDAP://xxx-xxx.xxxxxxxxx.net:999/XX=Xxxx-Xxxxx-Xxxxxx,DC=xxxxxxxx,DC=net"; //Fully-qualified Domain Name
    CentralLogin.ADRoleProvider.LdapAuthentication adAuth = new CentralLogin.ADRoleProvider.LdapAuthentication(adPath);
    try
    {
        if (true == adAuth.IsAuthenticated("xxxxxxxxx.net", tbUserName.Text, tbPassword.Text))
        {
            FormsAuthentication.SetAuthCookie(User.Identity.Name.ToString(), false);
            String groups = "no groups";
            //Create the ticket, and add the groups.
            bool isCookiePersistent = false;
            FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1, tbUserName.Text,
                DateTime.Now, DateTime.Now.AddMinutes(60), isCookiePersistent, groups);
            //Encrypt the ticket.
            String encryptedTicket = FormsAuthentication.Encrypt(authTicket);
            //Create a cookie, and then add the encrypted ticket to the cookie as data.
            HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
            if (true == isCookiePersistent)
            {
                authCookie.Expires = authTicket.Expiration;
            }
            //Add the cookie to the outgoing cookies collection.
            Response.Cookies.Add(authCookie);
            //You can redirect now.
            //Response.Redirect(FormsAuthentication.GetRedirectUrl(tbUserName.Text, false));
            Response.Redirect(FormsAuthentication.GetRedirectUrl(tbUserName.Text, true));
            System.Diagnostics.Debug.WriteLine(authTicket);
            System.Diagnostics.Debug.WriteLine(authCookie);
        }
        else
        {
            errorLabel.Text = "Authentication Failed. Username or Password are Incorrect.";
            tbPassword.Focus();
        }
    }
    catch (Exception ex)
    {
        //errorLabel.Text = ex.Message;
        errorLabel.Text = "Authentication Failed. Username or Password are Incorrect.";
        tbPassword.Focus();
    }
}
If you've read this far, you're already a champion. Thanks.
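As an added example (not the asker's code or the project's), here is a version of the client handler that runs ASP.NET's client validation explicitly with Page_ClientValidate() instead of reading the cached Page_IsValid, and that ignores a repeat click while a submit is in flight. The window/document objects and the ClientID 'ctl00_btnLogin' are constructed stand-ins so the handler runs outside a browser.

```javascript
// Added example (not the asker's code). ASP.NET's generated WebUIValidation
// script only refreshes Page_IsValid when Page_ClientValidate() runs, so a
// plain HTML button that reads Page_IsValid sees the result of the *previous*
// validation pass. Running validation explicitly, then disabling the HTML
// button and forwarding the click, avoids disabling it on an invalid form.
// Assumptions: `win` exposes Page_ClientValidate (as ASP.NET emits with
// EnableClientScript="true"), `doc.getElementById` behaves like the DOM, and
// 'btnLoginSubmit' (HTML button) and aspButtonId (the server button's ClientID)
// are the real element ids.
function clientClick(win, doc, aspButtonId) {
  var htmlButton = doc.getElementById('btnLoginSubmit');
  var aspButton = doc.getElementById(aspButtonId);
  if (htmlButton.disabled) {
    return false; // a submit is already in flight; swallow the repeat click
  }
  var valid = typeof win.Page_ClientValidate === 'function'
    ? win.Page_ClientValidate()   // also updates win.Page_IsValid
    : true;                       // no validators rendered on this page
  if (!valid) {
    htmlButton.disabled = false;  // keep the button usable so the user can fix the fields
    return false;
  }
  htmlButton.disabled = true;     // block double submits while the postback runs
  aspButton.click();              // the server button's onclick performs the postback
  return true;
}

// Constructed stand-ins for window/document so the handler runs outside a browser.
function makeFakePage(usernameFilled, passwordFilled) {
  var clicks = 0;
  var elements = {
    btnLoginSubmit: { disabled: false },
    ctl00_btnLogin: { click: function () { clicks++; } }  // hypothetical ClientID
  };
  var win = { Page_IsValid: true };
  win.Page_ClientValidate = function () {
    // mimics the two RequiredFieldValidators: both boxes must be non-empty
    win.Page_IsValid = usernameFilled && passwordFilled;
    return win.Page_IsValid;
  };
  var doc = { getElementById: function (id) { return elements[id]; } };
  return { win: win, doc: doc, elements: elements, clicks: function () { return clicks; } };
}
```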