How do things like google classroom do this:
classroom.google.com/c/(random characters here)
When you go to that link, because of the random characters, it knows what information to show
how would I do something like that in asp.net
Well, in .net you often might have grid or pick list of say hotels. When the user clicks on a hotel from that list, then you can jump/navigate to the hotel and display information. In these cases you actually want to AVOID having to use parameters in the URL. So, you can use session() to pass the value to the new web form/page.
However, often you might want to say email a link to someone else, or say send a email with a link called:
Click here for your Hotel Booking details.
So for above? What is often done is you create a table in the database. I often call it tblHotelJump or whatever. In that table you have this:
ID: (standard PK value all tables have).
CusotmerID: the PK of the customer - you might not need this, but if you using logons
and security - then you might only want the the link to work for the given
user.
HotelID: - PK value of hotel. This is where you can now pull the Hotel information
from the hotel table. (or maybe the booking table ID
JumpGUID: {3434sl%$#*} - a random generated number or GUID is often used.
userLogonID: internal user logon ID - obtained from logon authentication system.
So, now, we can pass a URL like this:
www.MyBookings.com/HotelInformation.aspx?JID={3434sl%$#*}
So the above is now a link you can send to a user.
They click on above, and your code behind on the page load does this:
If Not IsPostBack Then
' get parms
Dim strGuid As String
strGuid = Request.QueryString("JID")
So the above gets/grabs that parameter.
Now you code pulls that one row from the tblHotelsJump like this:
Dim cmdSQL As New SqlCommand("SELECT * from tblHotelJump
where JumpGUID = #GUID ORDER BY WhenTime DESC", GetCon())
cmdSQL.Parameters.Add("#GUID", SqlDbType.NVarChar).Value = strGuid
Dim rstGUID As DataTable = MyrstP(cmdSQL)
If rstGUID.Rows.Count > 0 Then
' Ok, valid jump row, get Hotel information and display it.
So now we can display hotel information since we have the HotelID and can display that data record.
Now in some cases, you might see something like:
www.MyBookings.com/ShowHotel.aspx?ID=343
And again the code will now simply use ID 343 and pull that hotel information from the database table with ID = 343. This idea ONLY works if you don't need security. So, say weather for a city. But you can't and don't want to use the actual database ID like above, since then users can type in ANY number and not just 343 in above example
In fact in the VERY early days of the internet, apparently a credit card company used a ID with customer number. if you typed in someone else customer number, then you could see their information!!! So using parameters is not appropriate for all cases. For public data, sure, it works well and makes sense. No harm done if you change the city parameter in the URL for weather.
So, that's why a GUID or some next to impossible number to guess is often used. Now for weather in a city? Well, then that don't matter and the WHOLE idea is to allow users to get/see the weather in any location. But for sensitive data? Then you need GUID.
And on top of the above, in that "jump table", I also included the User ID, and thus I would not display that web page unless:
The user is logged on (so a page protected by valid logons).
The Hotel information I pulled from that jump table ALSO matches the user logon id.
So, in a lot of cases? I think the parameters in the URL is VERY ugly and messy. However, for VERY large scale web sites they often use the parameters in the URL since then their server side code does NOT have to chew up memory and resources to hold/retain/keep the session() data. But with session() then you can jump around and use URL's without ugly parameters. So in .net we often avoid parameters, but in some cases the parameters in the URL is desired since then you can send/share that link. So for a say "click here" to view your order? Then sure, a GUID in the link may well be used. But even then, once that first page is hit with the GUID (along with above security), then any additional pages to view things about the order will not in fact require the parameters.
So paramters are easy, often used, and they reduce loads on the server side software, and as above shows, most development languages for the web have a "ready made" easy way to grab/get/use parameters in the URL. However, as noted, unless you building the next google, or say you need to send a customer a "link" to allow jumping to a particular order? Well then in .net we tend to avoid the parameters because we don't need them most of the time and .net has a whole bunch of really cool OTHER ways to store/keep values and pass them from one web form to the next web form without having to use parameters.
But if you using a limited web scripting language, then using parms in the URL is often your only practical choice.
Related
In an MVC application I have a two pages process. On the first page we gather information that will allow us to identify which database record to update. On the second page we gather new values used to update this record. In order for this to work, we need a way to persists information between the two pages, including some record id.
I though of two way to do this and both have some problem.
Store the information in the Session object.
This works as long as the user does not open a second browser window or tab. If he does there is a risk that he'll apply the modifications to the wrong record. Suppose he opens tab 1 and complete the first step. Record id 1 is stored in the Session object. The user then open tab 2 and complete the first step. Record id 2 is then stored in the Session object overwriting record id 1. The user then come back to the first tab and complete the second step thinking he is editing record 1, but in fact he will be editing record 2.
Store the information in an hidden field on the page.
This would solve the problem solution 1 has, but it would be trivial for a ill-intentioned user to change the record id to overwrite any record.
While typing this question I just though of a third solution. That is an hybrid of theses two, but I'm not sure it's completely safe. We could store a random id in an hidden field on the page and use this to prefix the key we use to access data in the session object. I think this would work. Could this be exploited as solution 2 could?
Any other good way to securely store data "per tab" instead of "per session"?
Considering way 2 you may check security server side. If a user does not have modification rights on a specific record then server must not save it. Otherwise he/she is modifying a record that has modifications rights on it and does not matter if he/she is doing it by standard UI or hacking under it.
I think you are mixing up two things - authorization and passing data.
If user is authorized to do stuff with "another record", it's not important if he "tempers the hidden", because he is authorized to change another record as well. Nobody is going to do that intentionally. Means - you just need to check if user is authorized to do stuff in every post from the user i.e. in each controller method (and this is normal practice to always validate all user input server-side).
I would suggest you go with "hidden field".
If you want to separate info in different tabs you should use sessionStorage that differs for each open browser tab.
You can set it like this:
sessionStorage.setItem("perTabValue", "true");
Then you can get your value:
var x = sessionStorage.getItem("perTabValue");
if(x === "yourValue"){
//do anithing you want
}
I have read this and many other links the past few days.
The problem is that I need to have a unique identifier for each tab or browser that a user has open for mysite.com (example site name)
I cannot use a unique session, as when I open mysite.com and have e.g. selected "carrots" in the session, then all the other tabs/browsers for mysite.com now has "carrots" in the specific session value.
But still the server obviously identifies each browser/tab uniquely. Is there a way to get hold of this unique browser/tab ID, or to create a unique one?
I am not referring to generating a unique ID oneself via JavaScript, I saw some good examples on StackOverflow. The problem would be that I'd need to implement it on each master page and carry it around between master/non master pages. Also for e.g. In my instance it won't work as I can have the browser open and it would generate 20 different IDs if I ran it 20 times across a few pages e.g. when I cannot transfer the value across ports.
So please, not to waste everyone's time, this is not a random GUID creation question, this question relates to obtaining a unique recreatable ID (if it gets lost)for each tab/browser, preferably identifying by the link to the server.
This is a big topic you've touched on.
If you only need to persist the ID during a form submit, you can take the approach of the client-side window.name property and use the window.onload to propagate a hidden field with that value.
But this won't work when user is following hyper-links (click on a link on a site).
onload: check if window.name is set; if not set, assign a GUID. if set, set a hidden field=window.name. So, on submit, your form will have the hidden field with the window.name GUID.
You can also use the HTML5 window.sessionStorage which will solve all your troubles, but that don't work on older browsers.
If you need support backward-browser AND non-submit type, then you will need to write some pretty complex cookie/session management on the client side. Not pretty. Just hope the above 2 is sufficient.
In any social network, you can follow a person, a post or anything, everything you followed will be displayed in your wall, now I wanna implement the same feature in asp.net mvc, but I have problem on design table to query all following things of a user. This is tables I designed:
[User(id,name,email,password)]
[Following(id,personId,followingId,source)]
[Post(id,title,description,authorId)]
So when a user followed other user,a new record will be pushed on Following table with followingId is userId, and source is "User" table, the same as with following a post with followingId is postId and source is "Post" table.
The problem is when fetch data from what your following, the query join many tables to return result if user followed more things than a Post, and Other User (such as a Tag, a Topic...). this will be not good performance and query time to return data to user.
Do you have any idea about this ? I'm very appreciate to hear your solution, thanks a lot!
Your database design is flawed, instead of one "link" table with a string to identify where the "Followed thing" resides makes it hard to query effectively.
Instead you need one link table per thing linked. SO in your simplified example you might have
[User(id,name,email,password)]
[Post(id,title,description,authorId)]
[UserFollowingUser(id, userId, followedUserId]
[UserFollowPost(id,userId,postId)]
Therefore to get all users following a post, or all posts followed by a user, or get all users following a particular user, or get all users followed by a particular user is easy as pie.
Does anyone have some code or a link as to how to create the user login name as a parameter during a sql query in ASP.NET?
Basically I want to use the default membership structure with a new field ClubID, then I want to add a new table called aspnet_Clubs which contains things such as Club Name, stadium name, Balance etc etc... and then use a relationship between ClubID and a field in the aspnet_Clubs table to tie things together.
Then when each user logs in they should see the clubs information specific to their loginID.
I know the syntax to use for the query, its getting the loginname parameter and being able to use/assign it as part of the search that is causing me the problem.
In general it is not recommended to break the default schema of the aspnetdb where the Membership data is stored. It can bring you to unexpected consequences in the future.
I had a similar question a couple of days ago, please check it here, may be you will be able to adopt something from the discussion to your situation.
I have a web application which has a Sql Server database on the backend. As the site will be rolled out to different clients (or different virtual directories in IIS), each client derivative of the site will use the same backend.
There is an admin page where text on the site can be changed (enter text in a listview, and choose the page to select where that text will show up, and also you can see company-specific details in the other listviews. As this is a shared database, that means a client can see each other's data.
What I am trying to do is store the accountId (a guid returned from the database from login_authenticate), and stick this into session. I then retrieve this on the admin page, and I want to use this value (But it's always 0000-0000 etc), to limit the records returned in the listview.
Is there an example of this? Also, how can I set the default value (this is in the where clause of SqlDataSource), to programatically what the account id is (so I can give me all records = what the current accountid is, or perhaps, what the login is - this is stored in the account table).
Thanks
This is what I tried.
What I am confused about, though, is whether the where clause, when using a session object, is getting an object that I have written the code to retrieve from the session, or an object I have only added but not retrieved. I get the accountID when logging in (verified via stepping in - obviously - or the login will fail).
I will try again with storing the object in session # the login page when I have just retrieved the accountid variable, and then retrieve it on another page.
For some reason I keep getting 0s so I will look at this in my application.
It sounds like your method should be working. I would follow a debugging process:
Check that you are getting the accountID value from the database. Print it on screen immediately after retrieving the value for the first time.
If this is working, store the value in the Session and immediately retrieve it, and check that you are getting the value back.
Create 2 test pages, one where you set the Session variable and another where you retrieve it.
I know this seems really basic, but the failure is being introduced somewhere in the above 3 places. If you can find which step fails, you will be able to fix it.