I have an aspx page, which is a "User Log-In" area. I want to pass the userid to another page which is linked from the aspx page.
the link I have looks something like this:
www.abcdefg.com/Home/Redirect/?authtkn=123456abcd=xxxx
I need the xxxx to be a session variable which in this case is userid.
**userid is not sensative information, this is simply to redirect the user to another page for specified information.
Any thoughts on how to pass a session variable to a URL, or if this can be done. The example www.abcdefg.com is a different domain (on a different server) from the original aspx page.
Why not appending like this?
string.Format("www.abcdefg.com/Home/Redirect/?authtkn=123456abcd={0}",
Session["UserId"]);
if i understood you correctly.
Think your question is how to maintain cross domain session or authentication.
Check this link Maintaining Session State Across Domains, may give you some idea
Or this one How can I share a session across multiple subdomains?
You don’t need to pass a session variable via the url. You can just start session on the next page and have access to all your session variables! If you do want the variables up there so you can quickly get to different userids with just a quick url change, send userid to the url on your previous page with with $_GET[ ].
Related
I am a bit new to VB.NET. I have a page that sets 2 session variables and does a redirect to second page. The second pages is at least using one of the session variables. I can tell because on the second page, if the session variable is not correct the user is redirected to an access denied page. The second page also uses the session variable in question. It will read it an fill a gridview based on the value of the variable. I set the variable like so
Session("ID") = Convert.ToInt32(a_value)
and on the second page I retrieve the variable like this
a_page_variable = Session("ID")
What I find strange is that when I run this code in visual studio it works as expected but when I deploy and run it, I get 0 from my session variable instead of the true value of "a_value". I have tried a few things like making sure the data types match up from page to page and trying different ways to retrieve the variable such as
Session("userID")
and
CType(Session.Item("userID"), Int32)
I've also tried to see what is coming in to the second page by using
Response.Write
I also tried to use SQL Profiler to see what kind of call is being made to fill the gridview but I haven't had any luck. The gridview gives me an empty dataset and the Profiler does not detect a call being made from the application. I thought working with session variables was pretty straight forward but obviously, I am missing something.
Thanks for your help,
Billy
One possibility (and the only one that could be guessed at with how little information we have) could be the response.redirect causing the application to terminate due to an exception.
When redirecting, you want to always pass a false, and then call complete request.
Response.Redirect(urlstring, False)
Response.CompleteRequest()
not following these steps can cause exceptions, which may drop session.
Additionally, resolve virtual paths, as some browsers (mobile especially) can see those redirects as new requests entirely, thus generating new session tokens.
Dim urlstring As String
urlstring = Page.ResolveUrl("~/default.aspx")
that said, there are a number of possible causes for this situation.
Application Pool restarts
App Domain restarted
Code changing value unexpectedly
AV tinkering with files
deployed to web farm
With the description provided above, we just don't have enough information to really troubleshoot.
Thank you ADyson, Stephen Wrighton and everyone else who took a stab at helping me figure this out. I was able to find out what was going on by adding code that wrote to a log file on the server. Found the logging code here. I found that I never reached the code that set the session variable and that is the reason it never populated on the second page. I was trying to get the logon name for the user by using Environment.UserName which will return the user name of the person who is currently logged on to the operating system. But what I really wanted to do was get the logon name of the user that was visiting my site. For this I used User.Identity.Name. This works great when you need to know which user from an Active Directory domain is visiting your site.
I have a page "Demo.aspx". I need to set some parameters using post method and redirect the page to "DemoTest.aspx".
Is there any way to set parameters in post method in asp.net? I don't want to set "Querystring" due to security propose.
Also I need server side code for this. I am not able to use "Javascript" or "Jquery" for the same.
Here is some more description for the same.
Right now I am using Response.Redirect("www.ABC.Com/DemoTest.aspx?P1=2"). So the page is simply redirect to the given URL.
Now I don't want to pass that "P1" in "Querystring". Instead of query string I want to use Post method.
Please note that redirection page is not in my own application. So I cant maintain session or "Viewstate".
Thanks in advance.
Use a session variable and response.redirect to the next page.
Session["MyVariable"] = "someThing";
Response.Redirect("DemoTest.aspx");
The value stored in Session variables will be accessible across application.
you can store in session like this :
Session["id"] = "anyID";
To get values On another page you need to write
string id = Convert.ToString(Session["Id"]);
However
By default, in .NET pages post() do the things automatically.
You will need to do sumthing like this:
Server.Transfer("DemoTest.aspx", True)
I need to check where did the incoming request came from before loading a page
ex:
for user to view www.mysite/page1.aspx
request should come through www.othersite/page1.aspx
so on page1 load in mysite i need to check whether the request came from page1 in othersite.
i have tried Page.Request.UrlReferrer but i saw there some posts which tells every browser might not support Page.Request.UrlReferrer.
i can not pass visible parameters on URL.
This is a common issue when you do not want to allow request from arbitrary sites.
What you can do is, create a variable in session and put this variable in the Page1.aspx. When the page posts back, you should get that variable back and it should also match the one stored in the session. If it does not, you can be sure that the request is from some other server.
You can use PostBackUrl on the start page
And access your parameters with PreviousPage in the arrived page
if (this.PreviousPage != null)
{
var control = Page.PreviousPage.FindControl("..."); //Adjust your Id and add cast
}
Nota : This was also created to provide greater security redirection setting.
I am kind of new to ASP.NET.
I wonder is there any way to restrict user can only enter from a specify page?
Like, I have a Page A to let them enter some information, then when submit, I will use Response.Redirect to Page B. But I don't want the user can go into Page B directly from URL....
If I use Session, then if the user didn't close the browser to end the session, the another user can just go into Page B directly...
Because the computer that access to these pages is using by the public, so I want to see if there is anyway to make sure they only do one way process? Can't go back to previous or jump to another page.
Thanks in Advance.
If you control the other page, start a session and set a session variable to a value that can be reversed that only your server could (or should) create, much like serial keys. For example 72150166 because the sum of every second number equals the sum of every other number (7 + 1 + 0 + 6 = 2 + 5 + 1 + 6) but you could choose an algorithm as complex or as simple as you want. When the user navigates to the second page, check the session variable. This is not invincible security, but it is better than checking the referrer (especially since some browsers do not set it) and I imagine security based on coming from a certain page doesn't have to be that strict.
Edit: You should also add it to a database and link it with the particular user's IP so someone else can't use the same key.
You can use Request.UrlReferrer property in the Page Load of PageB to see which page is the request coming from. If the request is not coming from PageA then redirect the user to PageA.
Check this link for more information: http://msdn.microsoft.com/en-us/library/system.web.httprequest.urlreferrer.aspx
Note: UrlReferrer is dependent on a request header and someone can set the header to mimic the request coming from PageA.
You could have the page that redirects send some sort of specifically generated hash/key in the query string that expires quickly and/or once viewed. This should be a lot more solid on the security side.
You will still need some way to store this key or value producing the hash so you can validate it on the receiving end- I would think your DB.
I provide sessionstate in my web.config file like this
sessionstate mode="InProc" cookieless="UseUri
That way each tab generates a new unique session ID in the URL with the format like this :
http://www.domain.com/(S(kbusd155dhzflbur53vafs45))/default.aspx
It worked, but when I copy the url and paste it on another tab then the previous session value is inheriting. How can I solve this issue? Is there anyother method to solve issue?
A possible solution to this situation would be issue a ticket (guid or seomthing like that) in each response you write to the client. In the request the client would send this ticket and the server would 1) Check to see if it is valid and 2) Invalidate it so just one request (the original one) could be made with it. This way your user wouldn't be able to take advantage of new tabs or even copy/paste of URLs.
If the user pastes a URL containing an existing session token into a new tab, your application cannot possibly know that this is a new tab and not an existing tab. I'm afraid that short of some hacky browser plugin there isn't much you can do about this.