Edit: To make my point, I need some back story.
I was shopping online today and entered my credit card number as well as tons of other info to the e-commerce site. Then e-commerce site redirected me to my bank's page which asks an confirmation code sent to my mobile phone. I entered the code and the bank redirected me to e-commerce paid failed page.
I needed to enter all the information I gave to e-commerce site again because hitting back won't help for security reasons. So I started to think, how would I write that e-commerce site payment page, so that it opens a new tab for my bank's page asking confirmation code and won't go any further until my bank confirms payment. I don't think this is as easy as parsing response because bank does not respond directly to first request. Think this like "login using Facebook account" button. You need like 10 steps and a token to do that. (which I cannot understand how it works, since I am a newbee)
I hope I am clear now.
Original post:
I am new at this, please bear with me. I googled to find a solution but got more confused.
I am writing a login system like this for learning:
user form (login.aspx) -> posts to 3rd party server -> 3rd party server asks more credentials -> 3rd party server calls logedin.aspx (if successful) or failedlogin.aspx (if fails)
That is easy to implement. I wonder if I can do something like this:
on user form (login.aspx), user clicks on submit button
onclick event posts to 3rd party server and waits for it to request either logedin.aspx or failedlogin.aspx
resume running and display authentication result on login.aspx
So user won't see logedin.aspx or failedlogin.aspx
I think I need an object in login.aspx to wait, until it is released in logedin.aspx or failedlogin.aspx or a timeout is hit.
How to wait in a page and resume from a trigger on another page? Please point some direction for me to look at.
Thanks.
You can make an HTTP request to the 3rd party server with something like the HttpWebRequest object (or HttpClient). The response from that request would have the information you're looking for.
Based on the comments above, it sounds like the response is an HTTP redirect. In that case the header(s) in the response would have the information you need. For example, if the headers contain this:
HTTP/1.1 302 Found
Location: http://www.yourdomain.com/logedin.aspx
Then the request resulted in a redirect to logedin.aspx. Based on that information you can perform your server-side logic and respond back to your user as you need.
Related
This question probably exist in different forms but I would need to get explained to me how to accomplish the following...
I'm working on a windows forms application (C#). When I click a button on the form I want to navigate to a specific page (all in code behind), find an input[type=text] on that page by id or class, input a password, and click on the login button next to the input.
Then I need to wait for the page that will load after the login button is clicked before I continue identifying more elements. F.e I want to find a html table and traverse it.
If someone could give me a good example and tell me if I need any additional controls in my form I would be most grateful.
Now, as I wrote above, I'm not interested in opening a browser and navigating to that page. I want it all to take place in the code so to speak..
Thanks in advance!
You don't need to scrape the website and find the input of type=text. Forms works with GET or POST requests. Login form is generally a POST request to the server, you should search for the form inside that page and see where it points the action. Let's say it is done this way:
<form action="login.php" method="post">
So you know that login.php will handle the request and that it's using the post method.
Now you should write some C# code to send a POST request to http://yoururl.com/login.php (Please see HttpWebRequest).
Once you get that, since it's a login, you should find a way to keep cookies active so that you can send another request to the page you have to access after the login. Keeping cookies active means that you're logged and your session is active with the user you logged in the previous POST request.
To achieve this part you should have a look to HttpWebRequest.CookieContainer.
Once you get your cookies you should now send a GET request to the next page where you can then scrape the information you need. The GET request to a web page send you the whole html page as response. You should then use a scraping library such as HttpAgilityPack to get the table you need.
Try to write some code and come back when you face a problem, opening another question. I hope I provided you some useful information!
I have a C# MVC (using Umbraco) site that I need to submit a payment through paypal. I have setup a sandbox merchant and buyer account. I am able to submit the payment and everything is working well there. However, my site needs to know when the payment has completed successfully as I will send an email and do some database operations, and here is where I'm having the problem. I cannot get paypal to auto return to my site. I need the return URL to be:
http://localhost:56733/payment-confirmation
This is not a duplicate of this question:
Setting PayPal return URL and making it auto return?
I am using C#, not PHP. Also, I am trying to run this locally. The solutions listed on the above question DO NOT WORK. The behavior and results are the same.
I do get the screen that shows the following:
You just completed your payment. XXXX, you just completed your payment. Your transaction ID for this payment is: XXXXXXXXXXXXX.
We'll send a confirmation email to XX#XXXX.com. This transaction will appear on your statement as PAYPAL.
Go to PayPal account overview
It is not recommended to handle post-payment processing on any return URL. Even with Auto-Return enabled there is no guarantee the user will make it there, and if they don't, that code will never run and you'll end up with tasks not getting completed like you expect.
Even if you're using Express Checkout API's so that you are guaranteed to end up on your own site, it's still not wise to handle all your data updates and email stuff there because the payment could be pending. You wouldn't want to deliver any product or anything like that until the pending payment cleared.
The way to handle all of that correctly is to use Instant Payment Notification (IPN). This will be triggered regardless of whether or not the user makes it back to the return URL, and you'll get multiple IPN's for transactions where the status updates so you can handle those automatically, in real-time as well.
Take a look at the documentation for IPN, but don't let it freak you out just because there's a lot of info there. It's really nothing more than a POST of data to a listener URL that you specify. In that script, you'll receive the data just like you would a form POST. It's really a pretty simple thing to setup, and you can do all sorts of cool things with it.
Ok, I am building a site with MS Webmatrix and ASP.net, c#, javascript.
I want to have my clients enter info, then if I can verify it on my database, go to paypal for payment. So the flow would be
client enters info
validate against the db
go to PayPal for payment.
So I really don't want a pay now button to go directly to paypal. I can easily route the pay now to html that verifies and if failed, displays appropriate msgs and prompts.
If the info verifies, how can I route to PayPal without the user clicking another button?
Is there code that I can put in my script to send to paypal without clicking or programmatically force the click without client intervention?
Also, I would like the ability to recall the clients billing address in the future if a refund is requested so I can mail a check. I prefer to manually mail a check. Can I capture/store a PayPal transaction id, then use the transaction id to request the billing address months later (if needed) so I don't have to store the address in my database?
You can use the WebClient class to make an HTTP request to PayPal and to manage its response.
You want to redirect server sided ? Just use the Web Classes then.
About PayPal: There is a SOAP/XML API, there you can do such stuff like TransactionSearch. Just check https://developer.paypal.com/ or check this: https://cms.paypal.com/cms_content/GB/en_GB/files/developer/PP_API_Reference.pdf
I've got a strange one to solve today. A client needs their site to not allow people being logged in, going to a different site, then still being logged in if they hit the back button in their browser.
Simple I thought... until I couldn't find a page event that got fired when the back button was pressed from another site.
I thought of just using JavaScript and working with the referrer object, but this won't achieve my goal as I need to access the .NET Membership system and log the user out of their session.
Has anyone got around this problem? If so, how? Any help would be appreciated, potentially I'm just missing something that I could achieve in the Global.asax? If it helps, I'm using .NET 4.5 / C#.
Reasoning:
Due to, say, if one operator went and left their machine unlocked, visited Google, then another operator went on the same machine maliciously and hit the back button to gain access to that operator's logon (the client is very security cautious)
So you would like to log out user whenever they leave your site? You cah have global javascript that sends a request to a server every minute saying "Hey, server, I'm here! I'm user Joe Blogs, i'm still on the site". If the server does not get this message from a user longer than a minute, log them out.
Overriding back button is just not going to work. What would you do if user opens up another tab/window and goes to google there?
Update:
you can try using .unload() from jquery to catch page leave. And destroy the cookies on that event.
However, when the machine is just left unattended, nothing stop malicious user to go grab the access.
Update 2 you can just set very short session life! if user is inactive (or left the page) - log them out. To prevent possible annoyance for logging out when user looking on the screen for too long (fills in very long form) - make javascript to do regular (every 5 minutes) to a server to a dummy page - to keep the session live while the page is loaded.
Here is the source: Force users to logout when they leave my php website?
There is perhaps a "magical" solution for the problem but the key thing here is in the reasoning: Operator A is not allowed to use the site with the credentials of Operator B.
From a client and server perspective there is no way that the server or client (browser) can tell that persons changed seats at whatever moment in time.
That's the problem you have to solve.
But perhaps implementing face-detection is a little over the top?
If you were designing the site from the ground up you can do this by adding a header to specify that you do not want caching.
Cache-Control: no-cache
Pragma: no-cache
But you would then have to have all your site access through a single page. The page need not be displayed the same and can contain different controls etc, but it's content would be decided by POST parameters rather than through the normal ASP.NET model.
e.g. Default.aspx and to navigate you would POST back at least two parameters. One would be the page to navigate to, and another would be an unpredictable token.
e.g. Token=3Zd2f4O61Z&Page=OrderHistory
Upon each page load you would validate the token and page title combination, and if OK you would display the page and generate new post-back data links for any navigation or actions you would like the user to take at that point. If the user were to try accessing the same page with the old token, it would expire the session and then log out the user. This is the most secure way to do this as then clicking the back button would prompt the user to resubmit their post data again. If OK was clicked, the browser would submit it but the server would recognise that the token was now invalid (as it has already been used, and discarded by the server) and then log out the user.
This method also protects against CSRF as you are validating a token in the payload of each request rather than just checking cookie values.
I know this won't help you unless you can reengineer your site, but I thought I'd add this solution in case anyone lands here with the requirement from the beginning.
You can have a landing page of your site to contain nothing by a JS redirect to reals homepage this way when person hits back button he will go back first to the damy redirecting page that move him back to home page.
But it will be possible to override this if user chooses to skip number of pages at once or just opens another window.
Could you provide further information about why exactly is its needed ? I think in your case, there is a possible solution of may be having a separate Database table or field for marking or flagging such users who have been redirected to another site just treat them as signed off and then once they hit your sites URL you can probably check for the flag and sign them back in, automatically.
JQuery unload() function will solve your problems as wel as the javascript window.onbeforeunload...
I am building a chat system in an asp.net MVC website, if the user has no actions on the website for more than 2 minutes I will set his status to away.
My question is, how to know if the user is offline, offline means he closed the website or signer out.
I knew that there is an isOnline property in the Membership classes but I am not using Membership for secure login in this website.
Is there a way to know if the user is online or not,
Or how this membership.IsOnline is implemented to make the same in my code.
To know if the user is on the site, you could send an AJAX request every minute from the client to the server and server-side check the time between the received requests to see if he is no longer on the page.
If you want to the detect if the user is "AFK" but might still have the website opened on his browser, you'll have to add global events for key presses, mouse presses and mouse move, and only send the AJAX request each minute if there has been one of those event fired in the last minute.