Store verification code in cookies
Generally speaking, the value of the verification code is stored in the Session, and comparing the code the user submits with the value in the Session tells us whether the input is correct. Since the Session consumes server resources, I once considered whether the verification code could instead be encrypted and stored in a cookie. It turned out to be nothing more than a passing idea.
Assume the value of the verification code is a, the value obtained by hashing it with sha1 is b = sha1(a), and b is stored in the cookie. The verification code value submitted by the user is c; checking whether sha1(c) equals b tells us whether the entered code is correct. However, cookies are controlled by the client. If the user reads the verification code a from the image once and notes from the cookie that its hash at that moment is b, he can pass the verification forever: before each submission he simply sets the cookie back to b and submits a as the verification code.
No non-empty check was made
This situation is best explained directly with code:
if (Request["captcha"] == Session["captcha"] as string)
{
// Verification is passed, continue operation
}
Suppose the user bypasses the form provided by the system and submits the data directly, before the verification code has been generated, so that Session["captcha"] is null. If the user also omits the verification code field, Request["captcha"] is null as well. null equals null, so the verification is passed.
To solve this problem, it is enough to add a non-empty check (note that a C# string cannot be negated with !, so string.IsNullOrEmpty is used):
if (!string.IsNullOrEmpty(Request["captcha"]) &&
Request["captcha"] == Session["captcha"] as string)
{
// Verification is passed, continue operation
}
Verification code not destroyed in time
One principle must be followed when using verification codes: after a comparison, the verification code must be destroyed immediately, regardless of whether the user input was correct or not.
If you do not do this, the following can occur:
If the user enters the wrong input and the verification code is not regenerated, he can keep trying until it is correct. Although a program has a relatively low recognition rate on a single attempt at an image, it will eventually succeed if given unlimited attempts at the same image.
If the user input is correct and the verification code is not destroyed, he can reuse this verification code to pass the verification until the Session expires.
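The following helper, added here as an example and not code from the original post, combines the two fixes above for classic ASP.NET: it refuses an empty or missing code, and it removes the Session value before the comparison so the code is destroyed whether or not the input was correct. The class name CaptchaCheck and method name Verify are my own; the "captcha" key is the one the post uses.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

public static class CaptchaCheck
{
    // Same Session / form key as in the post.
    private const string Key = "captcha";

    // Returns true only when a non-empty code was submitted AND it matches the
    // value stored server-side. In every case the stored value is removed, so
    // a wrong guess cannot be retried against the same image and a correct
    // code cannot be replayed before the Session expires.
    public static bool Verify(HttpRequest request, HttpSessionState session)
    {
        string submitted = request[Key];
        string expected = session[Key] as string;

        // Destroy first, so no later return path can leave the code behind.
        session.Remove(Key);

        // Non-empty check: a missing form field or a code that was never
        // generated must not be treated as a match (null == null would pass).
        if (string.IsNullOrEmpty(submitted) || string.IsNullOrEmpty(expected))
            return false;

        // Exact comparison, as in the post; relax to OrdinalIgnoreCase only if
        // the image generator deliberately mixes case.
        return string.Equals(submitted, expected, StringComparison.Ordinal);
    }
}

// Usage in a page or handler (hypothetical call site):
//
// if (CaptchaCheck.Verify(Request, Session))
// {
//     // Verification is passed, continue operation
// }
// else
// {
//     // Regenerate a new image before showing the form again
// }
```

Because Verify always removes the stored value, the page that shows the form again after a failure must generate a fresh verification code image.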