【发布时间】:2016-02-08 11:03:38
【问题描述】:
我是 ASP.net 的新手,这是我的第一个 WebApp。我在我的应用程序中遇到的关于会话的问题是,当我注销并按下浏览器的按钮时,它再次将我推入应用程序。我正在使用如下代码:
protected void Page_Load(object sender, EventArgs e)
{
if (Session["LiveUser"] != null)
{
}
else
{
Response.Redirect("InvalidForm.aspx");
}
}
protected void ButtonLogOut_Click(object sender, EventArgs e)
{
Response.Redirect("LoginForm.aspx");
Session["LiveUser"] = null;
}
按钮注销:
<asp:Button ID="ButtonLogOut" runat="server" CssClass="btnLogout"
Text="Log Out" OnClick="ButtonLogOut_Click" />
后面的登录按钮代码:
protected void btnSubmit_Click(object sender, EventArgs e)
{
string query = "select UserActive from nWorksUser where Username='" + this.txtUsername.Text + "' and _password='" + Encrypt(this.txtPassword.Text) + "';";
MySqlCommand cmd = new MySqlCommand(query, conn);
MySqlDataReader rdr;
conn.Open();
rdr = cmd.ExecuteReader();
string ActiveUser = "";
while (rdr.Read())
{
ActiveUser = rdr.GetString("UserActive");
}
conn.Close();
if (ActiveUser == "true")
{
if (trylogin(txtUsername.Text, txtPassword.Text) == true)
{
Session.Add("LiveUser",GetUsername());
Response.Redirect("AttendanceForm.aspx");
}
else
{
lableMessage.Text = "Wrong Credentials. Please try again";
}
}
else
{
conn.Open();
query = "select UserActive from nWorksUser where Username='" + this.txtUsername.Text + "';";
MySqlCommand cmd1 = new MySqlCommand(query, conn);
MySqlDataReader rdr1;
rdr1 = cmd1.ExecuteReader();
ActiveUser = "";
while (rdr1.Read())
{
ActiveUser = rdr1.GetString("UserActive");
}
conn.Close();
if (ActiveUser == "true")
{
lableMessage.Text = "Wrong Credentials. Please try again";
}
else if (ActiveUser == "")
{
lableMessage.Text = "User is anavailable..!!";
}
else
{
lableMessage.Text = "User is expired..!!";
}
}
如果您在注销后单击浏览器的返回按钮预期的行为是要求用户名/密码不要在应用程序中再次推送。应该怎么解决?
【问题讨论】:
-
您的用户名/密码的 SQL 注入存在巨大的安全问题!永远不要像这样组合 SQL 字符串,使用 sql 参数!