Recently, I've add the user agent string when the guests submit the form to the database. There is a report that is generated weekly containing various statistics. I want to add the device and maybe the browser information to the report.
I was pondering that I would create a new database table that would hold all the know user agent strings and have two extra fields, one for the device info, and maybe the browser in the other one. However, I cannot find a site that you can download the strings. Would any one know of a place?
If that can not be done, I was thinking of a .net alternative. How would I go into doing that in .net?
2 ways to do it:
If you are using ASPNET MVC, you could use the default this.Request.Browser within the controller method call (contains quite a lot of info, example here),
You can also use 51Degrees, which has a light and a complete device db to match devices capabilities
Related
Again I come to you guys for your expertise and advice on an issue that I am having. I was wondering if any of you would know how to detect if a web page has been modified using VB.NET. I need to be able to set up a task which periodically (like once a week) scans the user inputted web pages and if the web page content has changed, I need to fire off an email to an individual that it has changed (not the exact location on the page itself). I'll be storing the HTTP status and of course the page data itself as well as the date of when it was last modified. Of course this needs to be very fault tolerant since it could be another week before the check runs again. Any help would be great. Thank you.
EDIT
New twist on this question sorry. I had more time to think about what we wanted. So... Detecting ANY change on a web page would be kind of silly since time dependent elements of the page would change every so often. Instead, what I would like to do is be able to detect the documents in the page. For instance if there are excel, word docs, or pdfs that get changed on that page. So, I'd run the hash on these documents then on some sort of schedule do a check to see if new documents have been added or if the old documents have been modified. Any suggestions on how to detect the documents embedded on the page and running the hash? Thanks again!
As I mentioned in a comment, this sort of job is what checksums (also known as hash functions) were designed for.
You code for will look something like this:
- for each webpage of interest
- pull webbpage
- calculate checksum of contents
- is current checksum different to last checksum?
- if yes, send email
- store new checksum and other appropriate data
The .Net framework has a number of checksums available. The two most popular are MD5 and sha1
In addition to the checksum option, there are also various Diff function that achieve this, and provide much more information than changed=true/false. This question has more info:
How to tell when a web page has changed by x% in VB.net?
How can I generate a unique download link of a file on Asp.net api? I want to provide a download feature via webservice, each user just got a unique download link at a time.
UPDATE:
I dont want to waste time of user for login.
One user can download multiple file.
The file type can be xml, image, text and sound file.
I am trying to develop an application which sell ebook.
Thanks a lot
Can you give us more details what exactly you are trying to achieve.
I would like to know if users are registered?
Will same user download more than 1 file?
What type of file?
any other scenario you can tell us?
It can be dont in many ways depending upon your scenario.
look for this example & will send you more
http://support.microsoft.com/kb/306654
One way of doing it if it fits your scenario
While you could use a GUID and maybe relate it to your user in your database, you would need to create some business logic around how that GUID is excepted by your application. For example you might say UserA has a GUID, if that GUID is used in the next 15 minutes let UserA log in automatically but after 15 minutes force the user to use a username and password.
Similarly you could make a query string, something like u=UserA&time=1347&date=01282001 and then run it through a hash of some sort. When it comes back in, unhash it (so you couldn't use MD5), check the time stamp and see how long it has been since that timestamp was created. If it is within an acceptable time frame, let the user enter, if not force them to use a username and password. This would not require you to relate anything with your user in your database, so may be a more simple solution compared to a GUID.
Update: If i had to do it then i will take up following approach. It is up to you how you will protect these files from download.
Step 1: I will create a new table & generate a GUID once user make payment & store guid & userID, BookID information in this table. Now you can generate a link based on this information
http://www.xyz.com/download.aspx?BookID=XX&UserID=XXX&GUID=guid-guid-guid-guid-guid-guid
Step 2: Create a HTTPHandler to check if such record is present in the table you created above if so then allow the user to download the book otherwise he should not be able to download the book.
You can keep all downloadable file under FOLDER which user dont have direct access.
I hope you understand what i am trying to say.
This is how i would do, I can either keep all files in protected folder or store them in DATABASE.
i hope this will give you a starting point.
I need to store a few attributes of an authenticated user (I am using Membership API) and I need to make a choice between using Profiles or adding a new table with UserId as the PK. It appears that using Profiles is quick and needs less work upfront. However, I see the following downsides:
The profile values are squished into a single ntext column. At some point in the future, I will have SQL scripts that may update user's attributes. Querying a ntext column and trying to update a value sounds a little buggy to me.
If I choose to add a new user specific property and would like to assign a default for all the existing users, would it be possible?
My first impression has been that using profiles may cause maintainance headaches in the long run. Thoughts?
There was an article on MSDN (now on ASP.NET http://www.asp.net/downloads/sandbox/table-profile-provider-samples) that discusses how to make a Profile Table Provider. The idea is to store the Profile data in a table versus a row, making it easier to query with just SQL.
More onto that point, SQL Server 2005/2008 provides support for getting data via services and CLR code. You could conceivably access the Profile data via the API instead of the underlying tables directly.
As to point #2, you can set defaults to properties, and while this will not update other profiles immediately, the profile would be updated when next it is accessed.
Seems to me you have answered your own question. If your point 1 is likely to happen, then a SQL table is the only sensible option.
Check out this question...
ASP.NET built in user profile vs. old stile user class/tables
The first hint that the built-in profiles are badly designed is their use of delimited data in a relational database. There are a few cases that delimited data in a RDBMS makes sense, but this is definitely not one of them.
Unless you have a specific reason to use ASP.Net Profiles, I'd suggest you go with the separate tables instead.
I'm developing a web application which processes invoices(the functionality is not limited to invoices, but it doesn't matter). One of the parts of the workflow is to print invoice after it was published. This means that the website user is able to select 10-20(and more) invoices and print it at once. Also there may be several invoice templates which may be customizable(this is one of the key requirements).
I should also mention that we decide to generate PDFs from the html code and then print it. So as the PDF creation process may take some time to complete we decided to use a windows service for invoices printing.
So, summarizing we have the following requirements:
There should be customizable invoice
templates;
The website user should be
able to specify which template he
want to use with the invoice item
specified;
There should be a possibility to
print one or several selected
invoices in one click.
Our first idea was to use user controls as invoice templates. The user control will be responsible for invoice layout. This also means there will be a base class for these user controls through which we will be able to define a data source for the controls.
In this case we may even allow users to modify ascx file (or something similar) to edit basic captions if necessary.
The problem begins in the windows service where we are unable to generate output for user controls. So the other solution is to use http handler or web service to generate user controls output and transfer this to the windows service. But this complicates the solution (e.g. we need to use authentication for this and similar problems).
Maybe there is a much more simpler way to do it?
Thanks in advance.
In response to your comment, I suggest you have the website generate the HTML and save it into a 'GeneratedInvoice' field in your DB, which the service then processes (i.e. converts to PDF however your pdf conversion software does it). It's appropriate because you have a 'saved' copy of the generated invoice; i.e. if your invoice processing routine changes (different styles, etc) your old invoices aren't affected, and yet you can regenerate a given bunch in a possibly 'new' format if required.
I'm writing an Asp.Net WebForms app where I am calling an edit page an passing in the data about the record to be edited using query string parameters in the URL.
Like:
http://myapp.path/QuoteItemEdit.aspx?PK=1234&DeviceType=12&Mode=Edit
On a previous page in the app, I have presented the user with a GridView of screened items he can edit based on his account privileges, and I call the edit page with these above parameter list, and the page know what to do. I do NOT do any additional checking on the target page to validate whether the user has access to the passed in PK record value as I planned to rely on the previous page to filter the list down and I would be fine.
However, it is clear the user can now type in a URL to a different PK and get access to edit that record. (Or, he may have access to Mode=View, but not Mode=Edit or Mode=Delete. Basically, I was hoping to avoid validating the record and access rights on the target page.
I have also tested the same workflow using Session variables to store PK, DeviceType, and Mode before calling the target page, and then reading them from Session in the target page. So there are no query string paramaters involved. This would take control away from the user.
So, I'm looking for feedback on these two approaches so that I choose an accepted/standard way of dealing with this, as it seems like a very common app design pattern for CRUD apps.
Agreed, you'll want to validate permissions on the target page, it's the only way to be absolutely sure. When it comes to security, redundancy isn't a bad thing. Secure your database as if you don't trust the business layer, secure your business layer as if you don't trust the UI, and secure the UI as well.
You should always validate before the real execution of the action, especially if passing the parameters by query string. For the second page that does the execution you might not need as much feedback for the user since you do not have to be nice to the user if he tries to cirumvent your security, so error handling should be a lot easier.
Passing the variables per session is acceptable but imho you should still validate the values.
We always use querystrings so records can be bookmarked easily, however always validate in both places, if you write you access control code nicely it should just be a case of re-using the existing code...
I believe the common practice is to do what you're avoiding: On the original page, you need to check to see what the user should have capabilities to do, and display their options appropriately. Then on the actual work page, you need to check the user again to verify they are allowed to be there, with access to that specific task.
From a usability standpoint, this is what the user would want (keeps it simple, allows them to bookmark certain pages, etc), and security on both pages is the only way to do this.
If you really don't want to check access rights on the target page:
You could hash the PK with the UserID and then add the hash value to the query string.
string hash = hashFunction(PK.toString() + UserID.toString());
Then you have to make sure the hash in the queryString equals the hash value calculated before loading the page.
Assuming this is an internal organization Web application.
Session variables can be manipulated as well, although not as easily. Whatever authentication you're using throughout your site, you should definitely use on your target page as well. Otherwise, you'll be open to exposing data you may not want as you have found out.
You could do the following to make your URLs a bit more secure:
-Use Guids for Primary Keys so users cant guess other record ID's
-The Mode couls be implicit: Guid = Edit, no Guid = New
and..
-Server-side validation is the only way to go.