I have many quotes on the website and I want user to be able to vote, Like or Unlike each quote. The problem is that if I save the voted info in a cookie, there is a 4kb limit and if there is a visitor which votes on 100 quotes it may exceed the cookie limit.
What is the best method to store the vote information for non logged users?
The votes are also stored in database, but without any user information saved. Only logged users have saved info for each vote.
You can save votes on a table with columns:
quoteid,
userguid (guid)
And set a cookie on nonregistered users browser with an assigned GUID
when a user visit your site check the user GUID or assign him a new one. This way you can block votes.
You can use HTML5 Local Storage.
I would assign the non-logged in user a random ID and store this ID in the cookie.
The Id can then be used to reference data in your database.
Related
I'm building a simple web form which allows user to edit there data like email, emergency contact etc.
The edit form is rendered using Asp.NET MVC 5. Proper html fields are rendered for Id, email, emergency contact etc.
Lets say the request to save the data is received by the following controller method.
SaveData(recordId, email, emergencyContact)
{
;
}
Question: How do I make sure that recordId was indeed the id that was rendered as part of the edit form? We don't want this user to update another user's record.
I have the following options in mind
1. Create a hash of the record id and send the hash as well.
2. Ensure user is authorized to modify the record indicated in given record id.
Is there any other way? Does MVC 5 provide any features so that I don't have to put this sort of logic in my application logic?
Typical approaches are:
Store the ID of the record as a hidden field. If you are concerned with hijacking, encrypt the value and decrypt on the server.
Store the ID of the record in session; this way, you always pull back the record and keep the value on the server. But when session dies, so does the link to the record.
Yes I'd highly recommend check permissions to the record if you store the ID in the URL.
I am building a website users have to pay for different functions. For example the user have payed for "packet 1" for the current month and it includes "short messages". How can I check, if a user is allowed to send sms? Updating the user/role relations every night or is there anything more dynamic?
You could add custom voter, where you can check if a user is allowed to use certain service. See example here:
http://symfony.com/doc/current/cookbook/security/voters.html
You can create a table in a database which has a foreign key to a table of which contains different packages, a foreign key to your user table and finally a column which indicates the expire date of the package.
If the package is not found for that user and for that expire date then the user is not allowed to send sms.
You can use some other storage procedures but using a database makes most sense.
Basically: You don't want to update anything, you simply want to store certain information like the expire date (and maybe the starting date if you want to change the expire duration) and compare to that selected value.
Question No 1
I am familiar with role management, a particular member in a particular role can do this and access this functionally. What I need to do is Manage individual user, not the role he is in.
For example, lets say I create a role, called "Sales". I setup the role permission what the sales persons can do. Now i want to keep a check on individual user. For example if this is "john", i want to show him the records only he created. If his is peter, I want to show him only that records which he created, not by john or other sales people.
Is there a thing called "User Management" in ASP.NET that we can use? If not we have to create it ourselves and I believe the integration with ASP.NET "Role Management" will not be that smooth.
Question No 2.
I am using control for user login. I want to create a session at this time so I can keep track of which user is signed in so I can show him the records only pertaining to him. How can I do that?
Your Q1 isn't really about Role vs User management (ie: authorizations) at this point. It's about audit tracking within your application.
And the way you do that is you capture the ID of the user who created the record in question with the record, so that later you can filter on that ID.
Pseudo database structure
Table Sales
Field...
Field...
Field...
CreatedByUser int not null, -- Populate this on creation and never change it again
ModifiedByUser int not null - populate this on every row update including insert
See ASP.NET Profile Properties.
Assuming the records in the database correspond to a unique ID for a user, you can store the unique id in a profile property per user.
1) If you want to filter records by the creating user, you need to record in your table the ID of the user who created the record. You can access the name of current user through User.Identity.Name and their ID (provider-dependent) through User.ProviderUserKey.
2) Sessions are created automatically in ASP.NET and provided you have a properly configured MembershipProvider, you can retrieve all the needed user info using the User object as shown above.
It sounds like you are a little unfamiliar with ASP.NET Membership and Roles capabilities, because they are actually set up quite well to accomplish what you are describing. I would recommend checking out this tutorial series:
https://web.archive.org/web/20211020202857/http://www.4guysfromrolla.com/articles/120705-1.aspx
You are talking about Authentication and Authorization. For question 1 you and implement a custom authorization provider to allow for user level control http://msdn.microsoft.com/en-us/library/aa479048.aspx For question 2, once you log in and are Authenticated, the session contains a userprinciple object that has the info in it automatically.
In my project i am sending a mail to the user to create a user account. I want to enable that link for the first time he/she clicks the link. if he clicks the link for more than 2 times,then it should go to custom error page.how to do this?
This depends on how the link is generated.
For example: If your link contains a username as GET-parameter, then you could simply query your database if the username is already in use. I would advise against that, because the user can easily change that GET-Parameter
I would recommend this: Your link should contain a unique identifier, most likly a hash. This hash is stored somewhere, to garantee it's uniqueness, like in the usertable of your database (a column for the hash of the registration link). That might also come handy, because you could create new user rows and already prefill them with necessary information. You could use these information upon rendering to insert text into the textboxes
I have a forgot password page in which i need to ask from the user his user id to provide him his password from the database and it is working but what to do if anyone enters any wrong user id.
Be aware that there's a certain measure of risk in this. If you always respond with a message saying that the User ID is incorrect, then that can be used to guess User IDs in your system. An attacker can brute-force this form with variations of common names and end up with a sizable list of your users. For any given account, that gives them half of the information needed to login as that user.
I would recommend that you display a message saying that an email has been sent to the email address for that account with instructions to reset the password (which includes a time-sensitive key required for the reset), regardless if the User ID was found in the system or not. If they don't get the email, they can always try again (assuming the first attempt included a typo in the User ID). If they don't actually know their User ID, there can be another form to recover that by entering their email address (behaves in a similar manner to this form, always showing success on the form and just sending the email where applicable).
You have to perform following 3 steps to ensure tight security.
1) Based on the userid fetch the user information from database. If the information is null then send an error to the user, saying invalid UserId.
2) a) If you have registration of EmailId at the time of user creation, then send the password to the registered mail.
b) If you don't have registration of EmailId then ask and match the security question selected at the time of user registration.
3) If possible try to combine the a) & b) points of point 2) for more enhanced security.
You must do SELECT to check if that records exists and proceed if so.
Simply return a message stating they have entered an incorrect user id.
If you're asking what do you do if they give you the valid ID of another user entirely, then I'm assuming you're doing something quite unsafe with the password you're recovering (you aren't just showing them the password are you?) - most systems like this will email you the password, at least affording the security that only the associated email account will ever be given the password.
SELECT * FROM users WHERE username = inputhere
if (mysql_num_rows($result) > 0)
{
// found it
}
else
{
// doesn't exist
}
Is that what you were looking for?