  • 会员系统打通若干问题整理

        // Shared secret that GetSignVeryfy appends to the digest when signing a request.
        // NOTE(review): the secret is committed in source; anyone who can read the code can
        // forge signatures, so it should be loaded from protected configuration instead.
        public string token = "2CA044BC07D9323D02BB04BC533435B8";
        // Remote member-system endpoint that receives the signed profile.
        // NOTE(review): plain http — the profile fields and the signature travel unencrypted.
        public string url = "http://www.baidu.com/action/Service.ashx";
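        /// <summary>
        /// Builds a signed member-profile request and emits it as a &lt;script src&gt; tag so the
        /// browser itself calls the remote endpoint (the notes below the code explain why a
        /// server-side POST cannot set cookies for the remote domain).
        /// </summary>
        /// <param name="sender">Page raising the event.</param>
        /// <param name="e">Event data (unused).</param>
        protected void Page_Load(object sender, EventArgs e)
        {
            // Verbatim literal with doubled quotes: the embedded JSON quotes were unescaped in
            // the original regular string literal, which does not compile. gender: 0 = male, 1 = female.
            string meminfo = @"{""mobile"":""13699214528"",""mail"":""q@163.com"",""gender"":""0"",""birthday"":""1962-08-02"",""name"":""李刚"",""address"":""北三环东路"",""postcode"":""100065"",""nickname"":""小艾""}";
            string sign = GetSignVeryfy(meminfo);
            // meminfo is URL-encoded twice; presumably the remote side decodes it once before
            // verifying the signature — confirm against the service contract before changing it.
            // The signature is hex and the action is a constant, so neither needs encoding.
            string postdata = string.Format("?meminfo={0}&sign={1}&action={2}", HttpUtility.UrlEncode(HttpUtility.UrlEncode(meminfo)), sign, "yangzi");
            //string result = PostWebRequest(url, postdata, Encoding.GetEncoding("gb2312"));
            // Attribute-encode the URL so the '&' separators are valid inside the HTML attribute;
            // the browser decodes them back before requesting the resource.
            // NOTE(review): the profile is sent in a GET query string (browser history, proxy and
            // server logs), and the remote domain gets script execution in this page.
            Response.Write(string.Format("<script src='{0}'></script>", HttpUtility.HtmlAttributeEncode(url + postdata)));
        }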
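        /// <summary>
        /// POSTs <paramref name="paramData"/> as a form-encoded body to <paramref name="postUrl"/>
        /// and returns the response body decoded with <paramref name="dataEncode"/>.
        /// </summary>
        /// <param name="postUrl">Absolute URL of the endpoint.</param>
        /// <param name="paramData">Request body, already form-encoded by the caller.</param>
        /// <param name="dataEncode">Encoding used for both the request body and the response.</param>
        /// <returns>The response body, or <see cref="string.Empty"/> when the request fails.</returns>
        public string PostWebRequest(string postUrl, string paramData, Encoding dataEncode)
        {
            string ret = string.Empty;
            try
            {
                byte[] byteArray = dataEncode.GetBytes(paramData);
                // NOTE(review): the destination is whatever the caller passes; if it can ever come
                // from a request, restrict it to the known service host before creating the request.
                HttpWebRequest webReq = (HttpWebRequest)WebRequest.Create(new Uri(postUrl));
                webReq.Method = "POST";
                webReq.ContentType = "application/x-www-form-urlencoded";
                webReq.ContentLength = byteArray.Length;

                // using blocks replace the manual Close() calls, which leaked the streams when
                // an exception was thrown mid-way and closed the request stream twice.
                using (Stream reqStream = webReq.GetRequestStream())
                {
                    reqStream.Write(byteArray, 0, byteArray.Length);
                }
                using (HttpWebResponse response = (HttpWebResponse)webReq.GetResponse())
                using (StreamReader reader = new StreamReader(response.GetResponseStream(), dataEncode))
                {
                    ret = reader.ReadToEnd();
                }
            }
            catch (Exception)
            {
                // Best-effort by contract: callers get an empty string on any failure, so they
                // cannot tell a failed call from an empty body. Log here if that matters.
            }
            return ret;
        }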
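        /// <summary>
        /// Returns the MD5 digest of the UTF-8 bytes of <paramref name="toCryString"/> as an
        /// uppercase hex string. Produces the same output as the obsolete System.Web call
        /// FormsAuthentication.HashPasswordForStoringInConfigFile(s, "MD5") it replaces,
        /// without depending on System.Web.
        /// NOTE(review): MD5 is not collision resistant; for a request signature an HMAC keyed
        /// with the shared token would be the right primitive, but the remote side must agree.
        /// </summary>
        /// <param name="toCryString">Text to hash.</param>
        /// <returns>32 uppercase hex characters.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="toCryString"/> is null.</exception>
        public string MD5(string toCryString)
        {
            if (toCryString == null)
            {
                throw new ArgumentNullException("toCryString");
            }
            byte[] data = Encoding.UTF8.GetBytes(toCryString);
            // Fully qualified: inside this method the bare name MD5 refers to the method itself.
            using (var md5 = System.Security.Cryptography.MD5.Create())
            {
                byte[] hash = md5.ComputeHash(data);
                StringBuilder hex = new StringBuilder(hash.Length * 2);
                foreach (byte b in hash)
                {
                    hex.Append(b.ToString("X2"));
                }
                return hex.ToString();
            }
        }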
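        /// <summary>
        /// Computes the request signature for <paramref name="inputPara"/> as
        /// MD5(MD5(inputPara).ToUpper() + token).ToUpper(). Despite its name it verifies nothing;
        /// a caller checking a received signature must compare it with this result itself.
        /// </summary>
        /// <param name="inputPara">Serialized member profile (the JSON string) to sign.</param>
        /// <returns>32 uppercase hex characters.</returns>
        public string GetSignVeryfy(string inputPara)
        {
            // The inner digest is upper-cased before the token is appended, so hex case is part
            // of the signed data and must match what the remote side computes.
            // ToUpperInvariant: hex has no culture-sensitive letters, so the result is unchanged,
            // but it avoids any dependence on the thread culture.
            string innerDigest = MD5(inputPara).ToUpperInvariant();
            // NOTE(review): hash(data || secret) is an ad-hoc MAC; an HMAC keyed with token would be
            // preferable, but the scheme can only change together with the remote verifier.
            return MD5(innerDigest + token).ToUpperInvariant();
        }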

    1、接口安全性问题

    对传递参数信息进行签名认证;对接口访问引用地址进行验证,防止非法请求(虽然引用地址可以被篡改)

    2、如果纯后台接口调用(如PostWebRequest()方法),这种方式是完全行不通的,因为跨域是无法生成对方域下可用的Cookie!!!

    3、用前端Js跨域调用也行不通,因为跨域同样无法生成对方域下可用的Cookie!!

    4、在A域下利用<script src='B域下的一个接口链接,用于生成B域下需要的Cookie信息'></script>,利用<script>的跨域访问特性,在A域下通过调用<script>调用B域下的接口,生成了B域下能够访问的Cookie信息,如用户登录凭证信息。

  • 原文地址:https://www.cnblogs.com/mingjia/p/6109940.html