My website is used to administer customer accounts. If I access CustomerA's account through the website then open a new tab and access CustomerB's account the session holding the customer ID updates to think I'm now working on CustomerB. Then if I click back to CustomerA's tab and start editing that page I am in fact editing the database record for CustomerB. This has happened and caused all sorts of problems so I need to find a fool proof way of stopping it. I don't want to put the customer ID in the URL as this will make it open to abuse.
Session is not a place to hold information like this exactly because of problems you're describing. You need to pass customer ID along with the page itself (either in hidden field or in url), so when you post back the form, it exactly knows what are you trying to do. Session won't protect you nor add any extra security. You need to determine if the user has correct permissions either way, so you should focus on this aspect.
Related
I need to open my page in two different browser tabs and work on both of them simultaneously. I have maintained a session in my code which have all the data from the page. When I try to modify in one tab it gets reflected in second tab. How can I achieve two different sessions for the same page?
You can not do it the way you ask for. Each browser have their cookie to connect with the user.
What alternative you have. The point here is to connect the same user (no matter what browser use) to the same data.
You force the user to login (and there you have the same data base on user)
You use some variable on the url that must be the same on all browsers to have the same data. Eg, on first browser you have a url like http://www.test.com?s=123 and ask to from the user to copy paste either that url either the code on the second browser to been able to connect each other.
On each case session is not do the work, and you need some other database to connect the two data pages.
The tabs in a browser share the same set of cookies, which includes the session cookie - so the pages use the same session.
So you need to find some other way to distinguish those two tabs.
You could add a "tab" parameter to the url that you use on that page, with some tab-specific value. You need to maintain that value in the url when you redirect, you can't store it in Session or a cookie.
The processing must then be done in a tab-specific manner.
If it is just for testing, you could use "private tabs" - they don't leak their cookies into regular tabs. But you do not want to force regular users to use this.
I am little new to programming (especially to web designing). I have learned that the World Wide Web is based upon a protocol called HTTP. And also each and every item (I mean web pages, images, css & js files etc) are transferred according to the HTTP Requests. So my problem is this.
When we fill a web form (especially a login form like fb) and click ok, login or submit button, What Happens Next? Does it send another http request or does it use some special technique?
Is it safe or does anyone can hack our user names and passwords when that requests are traveling through internet?
It actually depends on the person who made it. They can create an output which would show the values entered or it can be entered to a database for other usage. There's so many things can be done and that would actually depend on the need of the user.
Added for 2nd question:
There are a number of ways to encrypt these data to avoid being hacked. If you use a very basic technique in transferring the values that you submit then there would be a huge possibility that it can be hacked. But, not to worry as there are plenty of ways to be safe.
I have a task to list all pages which are opened at that moment and show how many people are on that page.
I am looking for a way to make that happen without keeping any db records or saving information on a text file or smth like that. (Not seccessarily, then. Of course I am going to save that info to a dB, I just wanted to the logic of catching opened page addresses.)
I can of course keep track of every page which are opened till that time, but I want the page address appear on the page when someone opens that address and disappear when user is no longer browsing that address.
Can you give me some ideas how to make that happen using ASP.NET?
Note: I am using web forms with asp.net 4.5
Thanks!
"I just wanted to the logic of catching opened page addresses"
Use javascript in a timed loop (onload and then every 30 seconds perhaps) on every page, to asynchronously post to a page on your server. It should send information identifying the page. This will give you a good idea of how many people currently are on this page.
Store this information in a db in your code-behind, and use this information to report as you wish.
Of course if a user leaves their browser open on one of these pages or opens another tab it will still be reporting as 'open'.
To get the current url in javascript you can use:
var pathname = window.location.pathname;
In google analytics you can see what pages are being used in near-real time.
Why not use that to solve this issue - it's easy to setup.
I am using Drupal 6.28 with Webform 6.x-3.18. I have a multi-step form setup. Some of my fields only show up if you select a radio button. In this particular instance this is a registration form and one of the questions is "Will you be bringing a guest?". If they select yes, then some additional fields drop down pertaining to their guest. So this works great. They can submit the form and everything works. The problem is, if they go back into their form to edit it and decide to go solo and now they are NOT bringing a guest, the guest fields disappear from the form as expected, but the data is still there behind the scenes and specifically in the database. So now when we go to run reports on some specific guest fields, those fields are throwing our reports off because the data is still there in the dB as if they are bringing a guest even though they are not now.
Can anyone think of the best place to handle this issue? Should I make a custom module that hooks into the webform somehow and catches for it and resets all the guest fields? I just don't know the best place to handle this.
THANKS
You could have some logic on the submission of the data. If it is the first time they are submitting (not already in DB), go forward as planned. If the data already exists, do a before and after compare on that field in question. If it toggled off you can clear your DB spots for that user.
You could also have something in the form code, so if that radio button is not checked, always insert some blank/null/however you handle it into the DB. This way, it is always writing in those fields as blank even if the data was there before (if you go ahead and rewrite that entire row in the DB anyway).
I've set up a goal for the signup process on my site, and I can see that users exit the Goal funnel at a page with nothing but a input and a next button, landing on another page on my site.
I'm guessing this is when users create fake profiles in one tab, while having another tab open somewhere else.
Does anyone have any ideas on how to deal with this? I'm not even sure what's best practice here, here's a few ideas:
Force the user to finish these steps as long as he is signed in for the first time and havent completed them, but that would be a development issue.
Setting cookies in the signup steps, and (if first time signed in) add a check globally on the site that redirects the user to the last step.
Other suggestions?
Even if a user has multiple tabs open to GA the requests are serialized and they all look like one browsing session. I do not believe you can check for this with GA at all.