
Prevent cookies from modifying ID to cheat login

2022-07-27 08:01:00 Ding Yatao

When developing a website, it is often necessary to restore the login session from the id saved in the cookie. A malicious user can modify the id in the cookie to spoof a login, for example from the browser's developer mode:

The author designed an automatic session re-application mechanism (see the previous article for details): when the session has expired, a new session can be created from the cookie. To prevent the id from being modified, a check-code mechanism can be adopted:

(1) At login, create a check key check_key and generate the verification string check_code from it.

(2) Save the id and the verification string check_code to the cookie, and save check_key to a field of the user's record in the user table.

(3) When a page needs to be restored through the cookie, compare the verification string in the cookie with the verification string computed from the check_key stored in the user table; a mismatch means the cookie was tampered with, so spoofing is defeated.

(4) Because the id in the cookie has the verification string appended, it needs to be stripped on the login page to prevent the text box (with its id set to txtUserID) from being auto-filled with the whole "id|check_code" value:

    $(document).ready(function () {
        // The browser may auto-fill the box with the cookie value "id|check_code";
        // keep only the part before "|" so the user sees the bare id.
        var c_input = $("#txtUserID").val();
        if (c_input.indexOf("|") != -1)
            $("#txtUserID").val(c_input.split("|")[0]);
    });

(5) Verification in the web page:

HttpCookie readcookie = Request.Cookies["userID"];
// No cookie, or a cookie without the "id|check_code" shape, cannot restore a login.
if (readcookie == null || string.IsNullOrEmpty(readcookie.Value) || readcookie.Value.IndexOf('|') < 0)
{
    Response.Redirect("login.aspx");
    return;
}
string[] a_uid = readcookie.Value.Split('|');
string cuid = a_uid[0];
string ccheck = a_uid[1];
if (Users.CookieCheck(cuid, ccheck) == false) Response.Redirect("login.aspx");

(6) Create the validation methods in the Users class:

using System;
using System.Configuration;
using System.Data.SqlClient;

public static bool CookieCheck(string cuserid, string ccheckstring)
{
    if (string.IsNullOrEmpty(cuserid) || string.IsNullOrEmpty(ccheckstring)) return false;

    // cuserid is read straight from the cookie, so it is attacker-controlled: bind it as a
    // query parameter rather than concatenating it into the SQL text.
    // (Assumption: a connection string named "DefaultConnection"; the original used a DataBase helper.)
    string connStr = ConfigurationManager.ConnectionStrings["DefaultConnection"].ConnectionString;
    string c_user_check;
    using (SqlConnection conn = new SqlConnection(connStr))
    using (SqlCommand cmd = new SqlCommand("select user_check from users where USERID = @uid", conn))
    {
        cmd.Parameters.AddWithValue("@uid", cuserid);
        conn.Open();
        object result = cmd.ExecuteScalar();          // null when no row matches
        if (result == null || result == DBNull.Value) return false;
        c_user_check = result.ToString();
    }
    if (String.IsNullOrEmpty(c_user_check) || c_user_check.ToLower() == "null") return false;

    // user_check holds the check_key saved at login (step 2). The original selected only this
    // column, so it is parsed here as the numeric key instead of reading a second column.
    int nkey;
    if (!int.TryParse(c_user_check, out nkey)) return false;

    // Recompute the verification string from the stored key and compare with the cookie's.
    return ccheckstring == CreateCookieCheck(cuserid, nkey);
}

public static string CreateCookieCheck(string cuserid, int nkey)
{
    // Generate the verification string from cuserid and nkey
    ......
}
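The post leaves CreateCookieCheck unspecified. The following added example, which is not code from the post or its author, shows one complete way to implement steps (1) to (3) and (5) in C#: check_key is a random secret that exists only server-side, check_code is an HMAC-SHA256 of the user id under that key (the choice of HMAC, and storing the key as a base64 string rather than the post's int nkey, are assumptions of this example), and verification splits the cookie, re-derives the code from the stored key and compares in fixed time so a cookie with an edited id is rejected. The class and method names (CookieCheckExample, CreateCheckKey, BuildCookieValue, VerifyCookieValue) and the in-memory dictionary standing in for the user table are likewise assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not the original post's code.
public static class CookieCheckExample
{
    // Step (1): create a fresh random check_key at login. It is stored only
    // server-side (the user table in the post); the cookie never carries it.
    public static string CreateCheckKey()
    {
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
        }
        return Convert.ToBase64String(key);
    }

    // Steps (1)/(3): derive check_code from the user id and the key. With an HMAC,
    // changing the id in the cookie cannot produce a matching code without the key.
    public static string CreateCookieCheck(string userId, string checkKey)
    {
        byte[] keyBytes = Convert.FromBase64String(checkKey);
        using (var hmac = new HMACSHA256(keyBytes))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(userId));
            return BitConverter.ToString(mac).Replace("-", "").ToLowerInvariant();
        }
    }

    // Step (2): the cookie value is "id|check_code".
    public static string BuildCookieValue(string userId, string checkKey)
    {
        return userId + "|" + CreateCookieCheck(userId, checkKey);
    }

    // Steps (3)/(5): split the cookie and verify it. Returns the user id on success,
    // null otherwise. storedKeyLookup stands in for the user-table read.
    public static string VerifyCookieValue(string cookieValue, Func<string, string> storedKeyLookup)
    {
        if (string.IsNullOrEmpty(cookieValue)) return null;
        string[] parts = cookieValue.Split('|');
        if (parts.Length != 2) return null;               // tampered, or a cookie without a check string
        string userId = parts[0];
        string presented = parts[1];

        string checkKey = storedKeyLookup(userId);
        if (string.IsNullOrEmpty(checkKey)) return null;  // unknown user or no key issued

        string expected = CreateCookieCheck(userId, checkKey);
        return FixedTimeEquals(expected, presented) ? userId : null;
    }

    // Compare without stopping at the first differing character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample data: user "1001" logs in and is issued a key.
        var keys = new Dictionary<string, string>();
        keys["1001"] = CreateCheckKey();
        Func<string, string> lookup = id => keys.ContainsKey(id) ? keys[id] : null;

        string cookie = BuildCookieValue("1001", keys["1001"]);
        Console.WriteLine("cookie: " + cookie);
        Console.WriteLine("genuine cookie -> " + (VerifyCookieValue(cookie, lookup) ?? "rejected"));

        // The id is edited in the cookie but the old check string is kept: rejected.
        string forged = "1002|" + cookie.Split('|')[1];
        Console.WriteLine("forged cookie  -> " + (VerifyCookieValue(forged, lookup) ?? "rejected"));

        // A cookie with no check string at all is rejected too.
        Console.WriteLine("bare id cookie -> " + (VerifyCookieValue("1001", lookup) ?? "rejected"));
    }
}
```

Rotating check_key on every login (step 1) also means an old cookie stops working as soon as the user logs in again, which the post's single stored key gives for free; if the key must survive across logins, keep the verification but generate the key once per user instead.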


Copyright notice
This article was written by Ding Yatao; please include the original link when reposting. Thank you.
https://yzsam.com/2022/208/202207270659162847.html