How to restrict previous , operation after re submission. example if I click on one button if I resubmit (f5) that page will refresh , whatever we previously clicked button will execute once again. so I don't want to execute once again. So can you help me to solve this problem ?
You should read about PRG pattern:
Post/Redirect/Get (PRG) is a web development design pattern that
prevents some duplicate form submissions, creating a more intuitive
interface for user agents (users). PRG implements bookmarks and the
refresh button in a predictable way that does not create duplicate
form submissions.
More about this here.
Short explanation of the way it works:
When a web form is submitted to a server through an HTTP POST request,
a web user that attempts to refresh the server response in certain
user agents can cause the contents of the original HTTP POST request
to be resubmitted, possibly causing undesired results, such as a
duplicate web purchase. To avoid this problem, many web developers use
the PRG pattern1 — instead of returning a web page directly, the
POST operation returns a redirection command.
You could consider redirecting the user to another web page, so that the subsequent request is made using GET.
The goal here is that the act of loading the submission action page is what causes the browser to resubmit on refresh. After all, you are literally requesting that same submission action a second time. By redirecting to another page, your request will now be done using GET, and the page that is loaded will not be the one that performs submit logic.
This is also known as the Post/Redirect/Get pattern.
Related
This question probably exist in different forms but I would need to get explained to me how to accomplish the following...
I'm working on a windows forms application (C#). When I click a button on the form I want to navigate to a specific page (all in code behind), find an input[type=text] on that page by id or class, input a password, and click on the login button next to the input.
Then I need to wait for the page that will load after the login button is clicked before I continue identifying more elements. F.e I want to find a html table and traverse it.
If someone could give me a good example and tell me if I need any additional controls in my form I would be most grateful.
Now, as I wrote above, I'm not interested in opening a browser and navigating to that page. I want it all to take place in the code so to speak..
Thanks in advance!
You don't need to scrape the website and find the input of type=text. Forms works with GET or POST requests. Login form is generally a POST request to the server, you should search for the form inside that page and see where it points the action. Let's say it is done this way:
<form action="login.php" method="post">
So you know that login.php will handle the request and that it's using the post method.
Now you should write some C# code to send a POST request to http://yoururl.com/login.php (Please see HttpWebRequest).
Once you get that, since it's a login, you should find a way to keep cookies active so that you can send another request to the page you have to access after the login. Keeping cookies active means that you're logged and your session is active with the user you logged in the previous POST request.
To achieve this part you should have a look to HttpWebRequest.CookieContainer.
Once you get your cookies you should now send a GET request to the next page where you can then scrape the information you need. The GET request to a web page send you the whole html page as response. You should then use a scraping library such as HttpAgilityPack to get the table you need.
Try to write some code and come back when you face a problem, opening another question. I hope I provided you some useful information!
Say I have three endpoints
First/foo/bar
Second/fizz/buzz
Third/whatever
Only one of these endpoints is valid at a time, starting with first, then second, and so on. This is a problem is the user tries to go back, or they pick one of these endpoints from their history -- they'll be presented with an error dialog.
I thought I could use SessionState to keep track of the most recently accessed (and thus valid) endpoint and redirect with action filters based on that information, but my team has disabled SessionState.
So does MVC have a canonical way to ensure a user navigates certain endpoints in order?
MVC doesn't provide any behavior over what a browser does. That is, it is using the HTTP protocol and there is no way to prevent a user from manually typing in a URL in their browser (unless you have written your own browser that does this).
However, you could design your application as a single page that uses a JavaScript framework (such as JQuery or AngularJS) so the browser doesn't actually change URLs. This would prevent the browser from tracking the interaction between the JavaScript code and the server. Then you can guarantee that the user can only view the "pages" in the correct order.
I have a ActionResult in Asp.net mvc website. it's read a lot of data when request made and show them on page.
Now I thing their is a problem. If the person make ajax request using Firebug and make loop of the request then my server got enough workload.
What I means is suppose I write a loop and make 1000 Fake ajax request then my server have run 1000 time sql queries and all the workload is useless.
how i can track it. Do someone have any help regarding this.
MVC's Anti-Forgery Token support writes a unique value to an HTTP-only cookie and then the same value is written to the form. When the page is submitted, an error is raised if the cookie value doesn't match the form value.
It's important to note that the feature prevents cross site request forgeries. That is, a form from another site that posts to your site in an attempt to submit hidden content using an authenticated user's credentials. The attack involves tricking the logged in user into submitting a form.
The feature doesn't prevent any other type of data forgery or tampering based attacks.
To use it, decorate the action method or controller with the ValidateAntiForgeryToken attribute.
I found that information from question answered by Richard Szalay :
ValidateAntiForgeryToken purpose, explanation and example
For blocking multiple requests from same Ip/ DDOS, please check the question's answers:
How to block multiple requests coming from same IP
I've got a strange one to solve today. A client needs their site to not allow people being logged in, going to a different site, then still being logged in if they hit the back button in their browser.
Simple I thought... until I couldn't find a page event that got fired when the back button was pressed from another site.
I thought of just using JavaScript and working with the referrer object, but this won't achieve my goal as I need to access the .NET Membership system and log the user out of their session.
Has anyone got around this problem? If so, how? Any help would be appreciated, potentially I'm just missing something that I could achieve in the Global.asax? If it helps, I'm using .NET 4.5 / C#.
Reasoning:
Due to, say, if one operator went and left their machine unlocked, visited Google, then another operator went on the same machine maliciously and hit the back button to gain access to that operator's logon (the client is very security cautious)
So you would like to log out user whenever they leave your site? You cah have global javascript that sends a request to a server every minute saying "Hey, server, I'm here! I'm user Joe Blogs, i'm still on the site". If the server does not get this message from a user longer than a minute, log them out.
Overriding back button is just not going to work. What would you do if user opens up another tab/window and goes to google there?
Update:
you can try using .unload() from jquery to catch page leave. And destroy the cookies on that event.
However, when the machine is just left unattended, nothing stop malicious user to go grab the access.
Update 2 you can just set very short session life! if user is inactive (or left the page) - log them out. To prevent possible annoyance for logging out when user looking on the screen for too long (fills in very long form) - make javascript to do regular (every 5 minutes) to a server to a dummy page - to keep the session live while the page is loaded.
Here is the source: Force users to logout when they leave my php website?
There is perhaps a "magical" solution for the problem but the key thing here is in the reasoning: Operator A is not allowed to use the site with the credentials of Operator B.
From a client and server perspective there is no way that the server or client (browser) can tell that persons changed seats at whatever moment in time.
That's the problem you have to solve.
But perhaps implementing face-detection is a little over the top?
If you were designing the site from the ground up you can do this by adding a header to specify that you do not want caching.
Cache-Control: no-cache
Pragma: no-cache
But you would then have to have all your site access through a single page. The page need not be displayed the same and can contain different controls etc, but it's content would be decided by POST parameters rather than through the normal ASP.NET model.
e.g. Default.aspx and to navigate you would POST back at least two parameters. One would be the page to navigate to, and another would be an unpredictable token.
e.g. Token=3Zd2f4O61Z&Page=OrderHistory
Upon each page load you would validate the token and page title combination, and if OK you would display the page and generate new post-back data links for any navigation or actions you would like the user to take at that point. If the user were to try accessing the same page with the old token, it would expire the session and then log out the user. This is the most secure way to do this as then clicking the back button would prompt the user to resubmit their post data again. If OK was clicked, the browser would submit it but the server would recognise that the token was now invalid (as it has already been used, and discarded by the server) and then log out the user.
This method also protects against CSRF as you are validating a token in the payload of each request rather than just checking cookie values.
I know this won't help you unless you can reengineer your site, but I thought I'd add this solution in case anyone lands here with the requirement from the beginning.
You can have a landing page of your site to contain nothing by a JS redirect to reals homepage this way when person hits back button he will go back first to the damy redirecting page that move him back to home page.
But it will be possible to override this if user chooses to skip number of pages at once or just opens another window.
Could you provide further information about why exactly is its needed ? I think in your case, there is a possible solution of may be having a separate Database table or field for marking or flagging such users who have been redirected to another site just treat them as signed off and then once they hit your sites URL you can probably check for the flag and sign them back in, automatically.
JQuery unload() function will solve your problems as wel as the javascript window.onbeforeunload...
In a Website environment how do you make an ajax post to Handler.ashx secure and how do you stop people calling that handler.ashx directly and putting rubbish in and possibly breaking things server side?
With firefox and firebug you can pretty much hack the post quickly and easily.
I was thinking of these ideas.
In the handler check if you are logged in.
List item on the load of the site create a unique ID is saved as a cookie and
when the handler is called then that ID must exist in the Ajax and
the handler
List item the ajax call must come from a certain page
Do you have any other ideas?
Thanks
Short answer
Use authentication (Windows, Forms, etc) and validate your input.
Slightly longer answer
If your site is configured with an authentication provider, your handler will follow the same rules.
You should always validate any user input or web service input. Don't assume that your client is giving you pristine input. As you have mentioned, anyone with basic web development skills can spoof a POST. Keep that in mind when validating.