I've got a problem that may either be a limitation in my approach or asp.net web forms technology. The main driver for this solution is the simple fact that when users sit on an individual page for an extended period of time, they are redirected to our CAS server and back to the page itself which results in all of the form inputs being cleared as if the user did not enter any information (i.e. losing the ViewState/control state). With that being said I was exploring other options such as:
Using HTML localStorage to store a JSON string of all values on the page that can be parsed into an object and loaded into the form later if needed.
Even though this solution allowed me to store values on each page in individual key/value pairs (page instance 1 in localStorage[ID1], page instance 2 in localStorage[ID2] etc.), there was still a limitation on the server side of validating which page the user is saving. Right now I am using the session to maintain which form the user is viewing ie. the user is only associated with 1 page. To continue the example, the session information would result in the user being associated with either localStorage[ID1] or localStorage[ID2], not both ---which is precisely my problem. I need to communicate from the client-side which one page is to be saved. I've explored the following options, and come up with the following questions:
A static class that contains a static collection of objects on the server side storing which users have which pages open--> problem: communicating which page is actually being saved.
Dynamically rendering my save buttons with IDs that include an encrypted version of the page identifier at hand.
Storing the current value being edited in the Querystring
A cookie value that stores the value of the ID that the user wishes to change on post back-->how will the cookie get its value--especially when an ID is new (user is filling out form for the first time)?
I may be over complicating this and I know there is an easier way.
Many sites solve this problem by displaying a dialog when the user has sat on the page too long, asking if they still want to maintain their session. If the user doesn't click "Yes", then lose the session.
Another solution would be to permit a user who knows he's going to not use the page for a while to save the results so far and to restore them later, and continue.
Before proceeding with a technological solution, I'd try to find out why the users are sitting on the page so long. Whatever their reason is, you'll want to try to accommodate it if it's a good reason.
If the reason is "because we don't really care about your page and just didn't bother to close it", then your current solution works fine.
I just wanted to close out my own issue. I will resolve my problem by storing encrypted values in the query string to maintain page state. From there I will all values the user enters on the page within stringified json objects within localStorage. For example: page 1 with id: aa will have one key value pair within localStorage in the format [appName_pageId]. Page 2 with id bb will have a similar key value pair. If the user gets redirected to our CAS server and lands back on my page with all values cleared, I will be able to load the correct inputs from localStorage based on the value in the query string parameter (aa or bb). The important principle to remember here is that central control belongs on the server and distributed control should be done on the client.
Related
Currently I'm trying to implement an auto login link for the emails sent from the site.
One of the requirements is that the user is able to see the link but not the rest of the site unless he manually logs in.
My current problem is that I cannot get the logout part right. The current flow goes something like this:
Check if the user is logged in
If not, check the url query string and do some calculation to check
the code
If everything is alright I log the user in, update the CurrentUser
and all the Session object
Then I need to use HttpContext.Response.Redirect() because the way
the system is made (as far as I have read using Redirect is a quite
abrupt way to cut the Request, but my current issue is that the
system will keep checking other things and redirect me to the LogIn
page if I don't cut it here)
At this point the user is Logged In
If they click on a new link inside the page, on this new Request it will check some Session properties
created on step 4 and if they exist it will log the
user out.
My problem is that it works some times and some other times it doesn't. A pretty consistent thing I notice is that is not working when I open the link in a new browser instance, but generally works when opening on an already open browser.
I guess something could be happening with the Session object between the Redirect and the new Request specially on a new browser instance, but not sure why.
Edit: The problem is happening on step 6
I'm not sure if i totally understand your question, but here are some ideas related to session problems.
Probably when opening the new instance a new Session is created. Therefore your data is gone.
A work around might be storing the needed values in the cache. This is dangerous because cache items can be deleted if iis thinks there is not enough memory.
https://support.microsoft.com/en-us/kb/323290
Another workaround might be saving the needed values in a database.
Or send the needed data through the headers.
Hello All I need all your help badly. We have made a role,ID based application in asp.net(C#) where the menu appear as per his roles. This is fine now the users are trying to directly type the link in address bars and using them. Cant restrict them in page loads and sessions as this is a production site which is already slow. So my intension is to show the url in encrypted format which expires in certain time where the user cant copy and paste it. Is there any possible way...
Cant restrict them in page loads and sessions as this is a production site which
is already slow.
Fix that crappy code and / or add more servers. Because this is the ONLY way it makes sense to do it. Anything else is the type of security that gets broken into and then you run around blaming the world for being unfair.
So my intension is to show the url in encrypted format which expires in certain
time where the user cant copy and paste it.
? So the menu has an encrypted URL that is only valid like for half a second? What if the user browses the source code of the page? He can see all the source there.
This is not security, it is hogwash. Sorry to be blunt, but this is not going to work and you are making a bad job here.
Checking this in page load will take less than a millisecond (assuming you cache roles in the session). WAY less.
Check for user role in page_load event and if the user does not have permission then redirect him to a page showing permission denied.
Please provide code if you need further help.
Yeah.... you've painted yourself into a corner here.
Short answer:
No, there's no clean way to do this and whatever type of 'special' url implementation you create will be open to abuse/spoofing and still require you to add code anyway.
Long answer:
I can't see any viable solution other than injecting some code into Page_Load.
I take it you're not using WIF/Claims-based security, just some bespoke written user login, database store based code? So your best approach (at this point) is to make a simple class in App_Code: When the user logs in, load their permissions into something like a DataTable and store that in a session variable. That way you can avoid doing database requests every time the page loads/posts back, this'll probably speed your site up a bit too.
Build a non-static method in a class that is to be used on Page_Load, where this will get the URL (or page id) being accessed, then check that against the session stored DataTable. If that check fails redirect them to an access denied page.
Building the class foundation is key, don't attempt to shortcut and copy-paste chunks of code into each page. With the 'security' class you can standardise your code and reduce testing down to a few simple checks.
I have now been working as a web developer for two weeks and have written my first page connected it to database have everything setup the way I want and now my next big hurdle. I want to get to this page from another page. the second page emulates written forms and the first page will have a grid of the submitted forms. Looking through the net I have found Iframes and there are a couple of other options I am still reading up about, but i wanted to pose the question here as well. What is the generally accepted / good practice method for navigating from page to page in asp.net. Going from database to web has been a trip but its one i am enjoying.
Thank you for any suggestions
Response.Redirect("Default1.aspx"):
we want to redirect the request to some plain HTML pages on our server or to some other web server
we don't care about causing additional roundtrips to the server on each request
we do not need to preserve Query String and Form Variables from the original request
we want our users to be able to see the new redirected URL where he is redirected in his browser (and be able to bookmark it if its necessary)
Server.Transfer("Default1.aspx") :
we want to transfer current page request to another .aspx page on the same server
we want to preserve server resources and avoid the unnecessary roundtrips to the server
we want to preserve Query String and Form Variables (optionally)
we don't need to show the real URL where we redirected the request in the users Web Browser
If you wanted to simply redirect the user you could use Response.Redirect(url), this will redirect the user to the specified relative page. For example, if you were in Page1.aspx and wanted to redirect to Page2.aspx you would simply write
Response.Redirect("~/Page2.aspx");
Please keep in mind, this is a very simple approach to redirecting, and information submitted from Page1 to Page2 won't get persisted, so you'll need to either save these in the database, or in the session.
Hope this helps a bit. :)
Edit
Reading your question further; if you wanted to load a form after selecting it in Page1, you would want to somehow pass it through to Page2. The easiest way would be to append it to the query string, and then check if the query string value exists on Page2 loads.
You can navigate to another page using
Response.Transfer("Default2.aspx");
Else you can use
Server.Transfer("Default.aspx")
but it is bulky since it transfer that data of previous page too..
Response.Redirect does the job of navigating from one page to another. Below is good article which explains the correct use of it, hope this helps.
http://blogs.msdn.com/b/tmarq/archive/2009/06/25/correct-use-of-system-web-httpresponse-redirect.aspx
We have a Review System in place where I work. A manager selects an employee to review, which then sets the EmployeeID as a Session["EmpID"] variable. Now, the manager can enter in the information for the said employee.
Our Issue:
When a manager opens another tab or window in the browser (ie. Internet Explorer), searches for a different employee, it sets Employee #2 ID as the Session["EmpID"] variable, over-writing the first one. When the manager switches back to Employee #1 and enters information, they believe they are entering information for #1, however it enters it as #2 since they selected it last.
Does anyone have ideas to prevent this from happening?
When using tabbed browsing you actually use the same asp.net session, and therefore, if you don't uniquely seperate one page's cache from the others, you get the same data.
If your pages uses the session to store data, use a unique identifier (such as a GUID) as a prefix for the key. Store the guid in a hiddenfield or in the ViewState.
Maybe it'll suffice to store the EmpID in the ViewState. Then Tab1 will keep it's value even if Tab2 had another value.
ASP.NET session id shared amongst browser tabs
Way around ASP.NET session being shared across multiple tab windows
http://forums.asp.net/t/1227829.aspx/1
It sounds more feasible to store the empID in a hidden field/tag in the contents of the page. Save your record based off that string record = span.innerText , because that will be on the page not the session
Hi I have a RadGrid in my asp.net application and basically I am being asked to persist the sorting clicked on the header name throught out the user session so basically lets say I have the RadGrid with the following headings.
ID Name OrderNumber Shipped
So by default it is sorted in ASC order by name when you first arrive at the page, but now.. if the User resorts it by clicking on the Name heading again it will make it in DESC order. So what I am being asked to do is to make the web remember the sorting option no matter if the user navigates to a different page within the application. So when the user comes back he should see the gridview in the order he/she picked before leaving to another page within the appliacation.
How can I do this with a RadGrid, without using HttpCookie ?
I do not think I should show my code as it is the plain default set up of a RadGrid BUT if necessary I will just grab something and put it here, I am just not sure the best way to go about it.
Thank you
I don't think this is a feature that we should be looking from a third party control, rather than an implementation item when using it in a project.
So if the requirement is only to persist within the user session, HttpCookie or even ASP.Net session would work. But if the requirement is to maintain even across same users next log-ins, even database would be a go od option rather than putting the weight on the ASP.Net session or Cookie transferring client to server every time.