I have a classic ASP system that utilizes Frames today but I need to lock down the system for CSS and CSRF. I am newer to this language but have been searching for days and can't find the answer.
I would like to change the calls to the forms from Gets to Post.
Do I need to re-write the application to add another Form level in between to accomplish this? Here is the Frame
<FRAMESET COLS="46%,*">
<FRAME NAME="M_LFrame" SRC="M_LFrm.asp" MARGINWIDTH="5" MARGINHEIGHT="5" SCROLLING="auto" FRAMEBORDER="no">
<FRAME NAME="M_RFrame" SRC="M_RFrm.asp" MARGINWIDTH="0" MARGINHEIGHT="0" SCROLLING="auto" FRAMEBORDER="yes">
</FRAMESET>
Both forms with the M_LFrm.asp and the M_RFrm.asp have asp logic calling the Database for information. Prior to calling the DB I would like to have a CSRF token check but am unsure how to pass a token into these forms as they are through Frames which are Gets and visible. Is there a way to call these forms with a POST?
Thank you.
In classic asp using a POST instead of a GET is a matter of changing your form from method="get" to method="post".
The ASP code that handles the form data will have a "request.querystring()" or "request()" instruction for fetching the form data.
request.querystring("[formfield name]") can access GET data
request.form("[formfield name]") can access POST data
request("[formfield name]") can access both POST and GET data
So to change the code from using GET to POST, in the ASP code you will need to change any request.querystring() instructions to request.form() or simply request().
hope this helps,
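The token check the question asks about, as an added example that is not part of the original posts: JavaScript for Node, with the ASP Request collections modelled as plain objects. The field name csrf_token, the session object and all function names are assumptions; the check reads the token from the POST body only, because a lookup like request() also accepts query-string values.

```javascript
// Added example: all names are hypothetical; request data below is constructed.
const crypto = require('crypto');

// Issue one unpredictable token per session and keep it server-side.
function issueToken(session) {
  if (!session.csrfToken) {
    session.csrfToken = crypto.randomBytes(32).toString('hex');
  }
  return session.csrfToken;
}

// Hidden field to embed in each form rendered by the frame pages.
function hiddenField(session) {
  return '<input type="hidden" name="csrf_token" value="' +
         issueToken(session) + '">';
}

// Constant-time comparison; lengths are checked first because
// crypto.timingSafeEqual throws on buffers of different length.
function sameToken(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// req models the ASP Request object: method, form (POST body), query (URL).
// Run this before any database call in the handler.
function checkRequest(req, session) {
  if (req.method !== 'POST') return 'reject: not a POST';
  // Token is read from the POST body only (the Request.Form analogue),
  // so a value supplied in the query string is never accepted.
  const sent = req.form.csrf_token;
  if (!session.csrfToken || !sent) return 'reject: token missing';
  if (!sameToken(sent, session.csrfToken)) return 'reject: token mismatch';
  return 'ok';
}

// Constructed requests for one session.
const session = {};
const token = issueToken(session);
const results = [
  checkRequest({ method: 'POST', form: { csrf_token: token }, query: {} }, session),
  checkRequest({ method: 'POST', form: {}, query: { csrf_token: token } }, session),
  checkRequest({ method: 'GET', form: {}, query: { csrf_token: token } }, session),
  checkRequest({ method: 'POST', form: { csrf_token: 'x'.repeat(64) }, query: {} }, session)
];
console.log(results);
```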
Related
Ultimately I have to send form post data from an iPad app to a simple ASP.NET page. Before I do that I just want to get the basic ASP.NET page working by sending a simple form post from an HTML page I have directly to the asp.net page. I post the html form to the asp.net page, and the Request.Form object is always null. I know the page is being hit, because the debugger stops on my breakpoints in the codebehind (.cs).
I know that if I sent the form post from the .aspx page it would work; that's the traditional asp.net form post model. But if the page won't process a post from an arbitrary html page then I believe it will also fail when the post comes from the ipad.
This is puzzling to me. Does ASP.NET somehow discriminate on form posts? Does it somehow know that the post didn't originate from its own aspx, and ignore the post? What is going on and how do I solve this? Thanks in advance.
Yes, ASP.NET does discriminate on form POSTs. If you set up an ASP.NET form normally and then use a tool such as Fiddler to see exactly what is being posted, then you will see all the hidden fields and values that ASP.NET requires for that page. Then, you'll be ready to send data from a non-ASP.NET source.
I have a problem posting the data from silverlight to the aspx page which is in same domain.
I need to open aspx page in a new tab that needs data of type combination (id, amount) like
3-XX-YY-ZZ, 12
4-XX-YY-ZZ, 20
5-XX-YY-ZZ, 15
etc...[many]
and process it and display.
I tried to do it using querystrings and HtmlPage.PopupWindow(). It works but that would come with size limits.
Please help.
I think you need to do an HTTP post with the WebClient API. This would help you to post data as a web page would do it.
Here is a link I found which might be helpful to elaborate next steps...
http://viswaug.wordpress.com/2009/09/17/making-a-http-post-in-silverlight-a-k-a-thread-hopping/
HTH
I can access javascript from silverlight application. And this problem was solved by using javascript function from silverlight to post the hidden field data to aspx page.
The goal is to popup an asp.net page from classic asp using post data, however, the asp.net page always has Request.Form variables as empty and shows RequestType get.
I have stripped all the code from asp out, tested receiving the form variables sent from an html page on the asp.net page and this works fine. Copying the same form html to the asp page still gives no request.form data and a RequestType get
<html>
<head></head>
<body>
<form method="post" name="form" action="http://localhost:51307">
<input name="uid" value="1" />
<input type="submit" name="Submit" />
</form>
</body>
</html>
The asp site is using frames and the form is sent from a child frame, I'm unsure if this is the issue.
2. Assuming this worked, I had thought to submit a form in asp and use the onsubmit event of the form to popup the page which would send the form variables as post data. Is this the best way of doing this?
UPDATE
The frames seem to be at fault here somehow, I have posted from the form within the framed page to another classic asp page and then redirected from this to the asp.net page.
This probably happened because "Navigate windows and frames across different domains" is disabled by default in IE browsers, which means you can't pass form data due to security reasons.
ASP.NET requires certain form fields to be set (usually as hidden fields, though HTTP POST obviously does not know the difference) for an inbound request to be treated as valid, thereby populating the relevant variables.
If I recall, you need to set __EVENTTARGET, __EVENTARGUMENT, and __VIEWSTATE.
Then, your ASP.NET code needs to be able to handle what was sent, as the default handlers will expect there to be something in __VIEWSTATE at a minimum. So, you would need to override the ViewState handler in your page. I can update with more information later when I'm at work, since I know I've done this before.
The problem is with the redirect. When you redirect a page, it creates a GET request instead of a POST request, and therefore will not have any form data.
Your options are to:
Append the form values to the query string.
Dynamically generate the form corresponding to the posted Request.Form collection, and submit it to the ASP.NET page using Javascript during the body onload event.
When posting a form in ASP.NET, it adds container information to the request form keys
For example if you have a Textbox field with an ID of: txtFullName
It could end up posting something like this: ctl00_ContentPlaceHolder1_txtFullName
This is fine if you control the page where you are posting to but if you are posting to someone else's page or API then the form keys have to be exact.
I'm looking for an example of how to post a pure HTML form via asp.net or via code in vb.net/c#
TIA
in ASP.Net 4 you have the ClientIDMode="Static" :)
but if you are still not on 4
you can use this solution:
http://www.west-wind.com/Weblog/posts/4605.aspx
but you have to be careful with it.
so just inherit the control you want like textbox and override these properties
and you should get the result you wanted.
Scenario:
The task I have at hand is to enable a single-signon solution between different organizations/websites. I start as an authenticated user on one organization's website, convert specific information into an Xml document, encrypt the document with triple des, and send that over as a post variable to the second organization's login page.
Question:
Once I have my xml data packaged, how do I programmatically perform a post to the second website and have the user's browser redirected to the second website as well?
This should behave just like having a form like:
action="http://www.www.com/posthere" method="post"
... and having a hidden text field like:
input type="hidden" value="my encrypted xml"
This is being written in asp.net 2.0 webforms.
--
Edit: Nic asks why the html form I describe above will not work. Answer: I have no control over either site; I am building the "middle man" that makes all of this happen. Site 1 is forwarding a user to the page that I am making, I have to build the XML, and then forward it to site 2. Site 1 does not want the user to know about my site, the redirect should be transparent.
The process I have described above is what both parties (site A and site B) mandate.
Send back a document that contains the form with hidden input and include an onload handler that posts the form immediately to the other site. Using jquery's document.ready() solves the issue of whether the DOM is loaded before the post occurs, though there are other ways to do this without jquery. You might want to include some small message on the screen to the effect that the user will be redirected shortly and provide a link which also does the post.
...headers left out...
<script type='text/javascript'>
$(document).ready( function() {
$('form:first').submit();
});
</script>
<body>
<form action='othersiteurl' method='POST'>
<input type='hidden' value='your-encrypted-xml' />
</form>
</body>
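The auto-submitting form described in this answer, and in the earlier answer about redirects dropping POST data, as an added example that is not part of the original posts. It generates the page from a set of fields, HTML-encodes every name and value before writing it into the markup, and takes the target from a fixed list; the function names, URL and field values are assumptions, and a plain onload handler stands in for jQuery.

```javascript
// Added example: function names, URLs and field values are hypothetical.

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build the interstitial page: one hidden input per field, posted on load.
function buildAutoPostPage(action, fields, allowedActions) {
  // The target comes from a fixed list, never from request data.
  if (!allowedActions.includes(action)) {
    throw new Error('action not in allow-list');
  }
  const inputs = Object.keys(fields).map(function (name) {
    // An input named "submit" would shadow the form's submit() method.
    if (name === 'submit') throw new Error('field name "submit" not allowed');
    return '    <input type="hidden" name="' + escapeAttr(name) +
           '" value="' + escapeAttr(fields[name]) + '">';
  });
  return [
    '<!DOCTYPE html>',
    '<html>',
    '<body onload="document.forms[0].submit()">',
    '  <p>Redirecting...</p>',
    '  <form action="' + escapeAttr(action) + '" method="post">',
    inputs.join('\n'),
    '    <noscript><input type="submit" value="Continue"></noscript>',
    '  </form>',
    '</body>',
    '</html>'
  ].join('\n');
}

// Constructed input: the second value contains HTML metacharacters.
const TARGET = 'https://site-b.example/login';
const page = buildAutoPostPage(
  TARGET, { uid: '1', token: '"><b>x</b>' }, [TARGET]);
console.log(page);
```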
You are thinking about this too process oriented, it would take you a month of sundays to try and work out all the bugs and moving parts with what you suggest.
You are already doing a post to another server so you really don't need to do anything. The form you have is already perfect, and when the other server intercepts the request that is when it makes the decision to either allow the user in and continue in through the site, or redirect them back to their Referer (sic) in the header. When redirecting back to the Referer they may want to tack on a message that says what was wrong, such as ?error=no_auth
I wrote on this for another question a while back. Hope this helps:
How do you pass an authenticated session between app domains