i have u question about security ins aps.net
i have a page http://localhost:1522/Public/ViewPost.aspx?PostID=40
i want to disable function when user in addresbar deletes id 40 like this
http://localhost:1522/Public/ViewPost.aspx?PostID=
it redirects to page viewpost and it is a problem i want to disabel this or redirect
if(Request.QueryString["PostID"]==null)
{
// your logic here
}
in the page load, you can check for the PostID value and if it is empty you can redirect the page.
There's more to what you need to know here than just checking if it's blank ( which the others have already posted simply a check if your item == null)
What if a user enters in an Id they don't have access to? postId=120 for example belongs to another user. You need to check if the current user also has access to the specified record.
Since we don't know your app or schema we can't give specifics but keep in mind how you need to validate that PostId actually is valid for the current user
Related
For a Drupal 7 site, I need to create a secured page with a list (view) of documents(.pdf's). There will be one page with a list of documents (a view of pdf's). To get to that page and be able to download any of the .pdf's, the user must be logged in with their own unique username/password. So what I believe needs to be done is the following.
Set up a page with a view of the documents (can do).
Make sure the docs (pdf's) can't be viewed with a direct URL (I think private file)
Prevent access to the page by non-logged in users. (no idea. help!)
Create a menu item for the page that only displays when the user is logged in. (no idea. help!)
Define permissions for accessing the page and add the permissions to specific roles. (I think I can do)
Can anyone provide info on how to do this? Is there a module for this functionality?
thank you,
You can use content_access module to do this. You will be able to restrict access to any content (you list page) by role.
If you create a link to this page in the main/secondary nav (for example) then this link should only appear to a user that has the appropriate permissions (as defined in the role).
LF
create some permissions and assign that to particular user then in your hook_meny you can use user_acccess function to check that whether the logged in user has that permisiion or not and according to that return true or false.
if(user_access(YOUR_PERMISSION_HERE)) {
return TRUE;
}
else {
return FALSE
}
You can also write your sql query inside that. You can put this code in your function and call that function in your access callback for that particular form menu definition
I want to force anonymous to register an account before submitting the form.
So I have to allow permission for anonymous to access the form,
Then I use hook_form_FORM_ID_alter to edit form. Then I wanted to redirect submit button to another link if it is clicked by anonymous.(I still have no idea how to do it. It would be nice if anyone can tell me)
Is this the right solution?
For now,
I have a pop-up a login form (Modal forms and Facebook OAuth). In the form there is a register button. Then If user choose to register I want to keep the form that he have already input and show it after he confirm his email.
Thank you.
Off the top of my head, I would allow the form to be submitted either by an anonymous user or a registered one.
in my function MYMODULE_MYFORM_submit() I would check to see if the user is logged in.
If yes proceed as normal, if no, store the form, either in a temp SESSION variable or into a custom MySQL table and forward the user to login/register page (mysite.com/user) using drupal_goto('user')
once the user was registered you could then check for the existence of the form in the SESSION array or your MySQL table, and then carry on with the process as you would if the user had been logged in in the first place
Hope this makes sense or is of help
I would like to track a login event on my website.
The user writes username and pass then clicks on login, the form is submited and server checks if password is correct then redirect to the home page if it is.
But how could I add a Login event to GA? If I add it to the login button it wont be totally accurate as it will count even the failed login attempts.
Any ideas on how to solve this?
Thanks
Chris
Great question!
I think what you want is the Custom Variables that google analytics offers.
Simply put, for each page your user visits you set a custom variable with it's username for example.
I don't think you are interested in the login event, rather you are interested in what a logged in user visits - and this solution solves your problem
The Custom Variables answer will serve your purposes as outlined below but if you want another alternative (or actually really want to use Track Events) you could also add in a parameter to a successful logon which you can then read and process as you wish.
So for example:
Login
This will create a link to your login page. If the login is successful it will redirect back to the current page with the parameter login=true in the URL.
(You could check this parameter via JS for example and fire the Analytics track event call based on this).
One way to do this is let your login redirect to a page which says something like: "Thank you for logging in" and register this pageview to Google Analytics. And then have that page auto redirect you after 5 seconds to the page you were viewing. I've seen this done on a good amount of websites. If your login is using partial refresh you could even do it without having the user pass by a seperate page.
The simplest way is to use virtual pageviews (tutorial). It's a small piece of JS code, that you execute on any event you want. It makes GA think that there was a pageview. So you make a conditional statement like "if login == OK -> create a virtual pageview with URI "virtual/login/OK". Then you simply set this URI as a goal.
Custom Vars can be used for individual users but you need to set up a unique ID so that only you could recognise that once you pull the data out of GA. So in your dbase set a GoogleAnalyticsID against each user, then send that as a custom var to track users.
I have a web app with loads of pages and most of them require some session variables in order to function.
i want to put some defensive code in my master page's page_load or init events to detect if the user has a session (meaning any session variable instead of a particular variable) and if not redirect them to the homepage to start all over.
whats the best way to do this? should i use session_end instead?
a simple solution for this would be best.
EDIT:
so i am guessing the master page is the place i want to add this to?
Can you not just go:
if(Session.Count == 0)
{
// no session variables
}
?
You can get the count of session variables and if it equals 0, then redirect.
If Session.Count = 0 Then
'Redirect
End If
The session is created as soon as the user enters your site. To detect if the session was created the way you wanted it, set a property in the session like
Session["is_valid"] = true
Check on other pages if this is set, and if not, Page.Redirect the user to the appropriate page.
I have written an application in ASP.net, that is designed to let the user add records to a database. The page is set up that when a user adds a record, the ID number of the newly added record is set in session, the page Response.Redirects to a "Thank you for submitting" page, then redirects back to the original page to allow further edits. Users can also use the Back button on this screen to go back to the original record adding page, which allows them to make edits to the data.
However, I have found that storing the ID in session isn't a terribly good solution, as a user might try to create two documents in different tabs or windows. I have also tried setting the ID in a literal control, but this causes the problem that when the user uses the Back button, the literal control isn't set to the ID, and new records get added instead of one being edited.
Is there any kind of solution for this?
I'd recommend storing your ID in the QueryString. After the record is added, redirect to your "thankyou" page, which then I am guessing contains a link to the edit form which you will generate with the ID in the querystring. When that link is followed, the edit page shouild pull the ID out of the query string in order to load up the correct record to edit.
Your add and edit form can even be the same page, when an ID is provided in the querystring, your form knows to edit that record, otherwise your form adds a new record.
Silly question, why can the user use the back button to edit the data just accepted in a post?
If the edit previously posted data is a common scenario why not just redirect to a page when the data is accepted that lets them edit it. Then if the hit the back button they would be going back to the original "clean" insert/add new data page.
This would give the following flows
Add->[Post]->Edit->.....
Add->[Post]->Edit->[Back button]->Add->[Post]->Edit->[Post]->Edit....
Have you tried adding the ID in the querystring? Then you could read it, and add it to the session as needed (say on a user clicking the back button).
Seems like a lot of problems allowing editing of an object in a page rendered when using the back button. Would it be too much to give them an edit button instead?
The controls save their state in the ViewState. If you choose to use SessionState instead of ViewState to store the information, then the controls will save their state in the session state and it won't work properly with multiple tabs.
I have not yet found a way to bypass this issue while still using SessionState. Our solution was to use the normal ViewState.
I've tried storing the ID in the querystring (which is mostly fine for editing), but the problem with that is when the information is stored in session for when they use the Back button. If the user does the following:
User creates a record (1st record), the ID is passed along in the querystring, and temporarily stored in session.
User creates another record (2nd record), the ID is passed along in the querystring, temporarily stored in session.
User uses the Back button on the first record to go to the page that doesn't have the querystring.
It's probably a far-fetched scenario, but it's one that may happen. The only solution I have is to block the usage of the Back button to go back to the adding page, by using window.history.forward() in JavaScript. But this as a solution is terrible.
My question for you is why are you storing anything in the session to begin with? If you can avoid storing anything in the session, I think you will be better off altogether.
Having thought about this, does the following sound like a decent solution to the problem I outlined above?
When first adding a record, store a timestamp of when the add page was accessed in a hidden field.
This timestamp is passed through session when the user clicks save. Along with the ID.
If the user opens another tab at the same time and saves, then the new page's timestamp gets passed through session.
If the user tries to access the add page of first record (using the back button), the system looks up session, and sees if there is a timestamp, and whether it matches the one in the hidden field for that page.
If it doesn't match, then the user gets a prompt, and told to edit the record properly.
Does this sound reasonable, or too overly complex?