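VS2005: problems with Session and with skipping authentication by typing the URL directly. Urgent!
I have two questions:
Everyone, I built a verification page as a test. The idea is: in global.asax, Application_Start() reads the historical visit count from the database and also sets the online user count to 0; in Session_Start both values are incremented by 1; in Session_End the online user count is decremented (Application["online"] - 1); and in Application_End the total visit count (Application["totle"]) is written to the database.
But why does my total visitor count never increase the way the program logic says it should? I set the initial visit count in the database to 1000, but after running, the visit count always gets multiplied by 10 automatically (for example, after one run the count should be 1001, but the page shows 10001). What is the reason?
The code is as follows: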
void Application_Start(object sender, EventArgs e)
{
    // Code that runs on application startup
    System.Data.SqlClient.SqlConnection con = con_Count.creatCon();
    System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand("select * from countPeople", con); // read the total visit count from the database
    int count = Convert.ToInt32(cmd.ExecuteScalar());
    Application["totle"] = count; // total number of visitors -> read from the database
    Application["online"] = 0; // number of users online
    con.Close();
}
void Application_End(object sender, EventArgs e)
{
    // Code that runs on application shutdown
    System.Data.SqlClient.SqlConnection con = con_Count.creatCon();
    System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand("update countPeople set num=" + Convert.ToInt32(Application["totle"])+ 1, con);
    cmd.ExecuteNonQuery();
    con.Close();
}
void Session_Start(object sender, EventArgs e)
{
    // Code that runs when a new session is started
    Session.Timeout = 1; // set to 1 minute so the effect is easy to see
    Application.Lock();
    Application["totle"] = (int)Application["totle"] + 1;
    Application["online"] = (int)Application["online"] + 1;
    Application.UnLock();
}
void Session_End(object sender, EventArgs e)
{
    // Code that runs when a session ends.
    // Note: The Session_End event is raised only when the sessionstate mode
    // is set to InProc in the Web.config file. If session mode is set to StateServer
    // or SQLServer, the event is not raised.
    Application.Lock();
    Application["online"] = (int)Application["online"] - 1;
    Application.UnLock();
}
---------------------------------------------------------------------------------
Question 2:
In addition, I made a login page. The relevant code is as follows:
protected void Button1_Click(object sender, EventArgs e)
{
    SqlConnection con = con_Count.creatCon();
    string constr = "select count(*) from userTable where userName ='" +this.userName.Text+ "'and userPwd='" +this.userPwd.Text+"'";
    SqlCommand cmd = new SqlCommand(constr, con);
    int flag=(int)cmd.ExecuteScalar();
    con.Close();
    if (flag > 0)
    {
        Session["flag"]=true; // this is to prevent typing the URL directly into the address bar
        Response.Redirect("main.aspx");
    }
    else
    {
        Session["flag"]=false;
        this.lblError.Visible = true;
    }
}
The Page_Load event code of main.aspx is as follows:
protected void Page_Load(object sender, EventArgs e)
{
    if (Session["flag"] == null || Session["flag"].ToString() == "flase")
    {
        Response.Redirect("Default.aspx");
    }
}
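When I have not clicked the "Login" button and I type the URL into the address bar, it is blocked just fine. But once I have clicked the "Login" button (without entering any user information) and then type the URL into the address bar, it is not blocked. Why is that? Is there a good way to prevent bypassing the check by typing the URL?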
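
An added example, not part of the original post: after a failed login the posted code stores the boolean `false` in `Session["flag"]`, and its `ToString()` is `"False"`, so the test on main.aspx for `null` or the string `"flase"` does not redirect. The version below keeps the flag as a typed boolean, removes it on failure, and passes the credentials as query parameters. `AuthHelper`, the page class names `_Default` and `main`, and the column size 50 are assumptions; `con_Count.creatCon()` is assumed to return an open connection, as the posted code implies.

```csharp
// Added example, not the poster's code. con_Count.creatCon(), userTable and the control
// names are from the post; AuthHelper, the page class names and size 50 are assumed.
using System;
using System.Data;
using System.Data.SqlClient;

public static class AuthHelper
{
    // True only for a real boolean true; null, false or anything else fails.
    public static bool IsLoggedIn(System.Web.SessionState.HttpSessionState session)
    {
        object flag = session["flag"];
        return flag is bool && (bool)flag;
    }
    // Parameterized query: the text boxes never become part of the SQL text.
    public static bool CheckCredentials(string user, string pwd)
    {
        using (SqlConnection con = con_Count.creatCon()) // assumed to return an open connection
        using (SqlCommand cmd = new SqlCommand(
            "select count(*) from userTable where userName=@u and userPwd=@p", con))
        {
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 50).Value = user;
            cmd.Parameters.Add("@p", SqlDbType.NVarChar, 50).Value = pwd;
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}

public partial class _Default : System.Web.UI.Page // login page code-behind
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        if (!AuthHelper.CheckCredentials(userName.Text, userPwd.Text))
        {
            Session.Remove("flag"); // a failed attempt leaves no flag behind
            lblError.Visible = true;
            return;
        }
        Session["flag"] = true;
        Response.Redirect("main.aspx");
    }
}

public partial class main : System.Web.UI.Page // main.aspx code-behind
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!AuthHelper.IsLoggedIn(Session)) Response.Redirect("Default.aspx");
    }
}
```

Every protected page needs the same `IsLoggedIn` check in its `Page_Load`, since the check only guards the page it runs on.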