i want to make something like a friend status if he is online or offline.
c# code behind, javascript , html5
There is a similar question but it uses .php and i dont know anything about php.
Anyway I was thinking that for the online, you can track when the user has actually logged on.(turn a field in the DB for online to true)
But how do you send that info to the person who needs to know if the other user logged in? can the codebehind or the js have like a receiving function/method that is called when he gets online?(like an observer pattern?)
also then when it updates we dont want a whole page refresh but the least possible #flickering for the page. post-back?
Finally to track if the user is offline it could be like a http response to check for a responce from the online user if he is still online. But how? :P
If we finally get that its offline can we use the same receiving function/method that we informed the other person that he was online?
Any help would be much appriciated. Hope this could become a reference for similar threads.
But how do you send that info to the person who needs to know if the other user logged in?
You can't send the information to the user. He must get the information himself. What I mean is that http is a "pull protocol", which means that you can't push information to the client, you just give him what he requests.
Now, what you want is the client to request the information without noticing the fact that his browser is sending requests. The best way to do this is to use Ajax in javascript to send a request to a web service. This way, you can get information from your server without doing any postbacks. Then, to give an impression of live information, you'll want to set your ajax call in a setTimeout to get the information any given time interval (30 seconds, 1 minute, your choice).
To simplify - a lot - your ajax calls, have a look at Jquery Ajax.
If you don't know any of this, don't give up, it may look more complicated than it actually is.
Finally to track if the user is offline
What I suggest is that you keep track of every request from that user, and after a certain time without any request, you declare this user as logged out.
Hope this helps!
Related
I have a C# MVC (using Umbraco) site that I need to submit a payment through paypal. I have setup a sandbox merchant and buyer account. I am able to submit the payment and everything is working well there. However, my site needs to know when the payment has completed successfully as I will send an email and do some database operations, and here is where I'm having the problem. I cannot get paypal to auto return to my site. I need the return URL to be:
http://localhost:56733/payment-confirmation
This is not a duplicate of this question:
Setting PayPal return URL and making it auto return?
I am using C#, not PHP. Also, I am trying to run this locally. The solutions listed on the above question DO NOT WORK. The behavior and results are the same.
I do get the screen that shows the following:
You just completed your payment. XXXX, you just completed your payment. Your transaction ID for this payment is: XXXXXXXXXXXXX.
We'll send a confirmation email to XX#XXXX.com. This transaction will appear on your statement as PAYPAL.
Go to PayPal account overview
It is not recommended to handle post-payment processing on any return URL. Even with Auto-Return enabled there is no guarantee the user will make it there, and if they don't, that code will never run and you'll end up with tasks not getting completed like you expect.
Even if you're using Express Checkout API's so that you are guaranteed to end up on your own site, it's still not wise to handle all your data updates and email stuff there because the payment could be pending. You wouldn't want to deliver any product or anything like that until the pending payment cleared.
The way to handle all of that correctly is to use Instant Payment Notification (IPN). This will be triggered regardless of whether or not the user makes it back to the return URL, and you'll get multiple IPN's for transactions where the status updates so you can handle those automatically, in real-time as well.
Take a look at the documentation for IPN, but don't let it freak you out just because there's a lot of info there. It's really nothing more than a POST of data to a listener URL that you specify. In that script, you'll receive the data just like you would a form POST. It's really a pretty simple thing to setup, and you can do all sorts of cool things with it.
I've got a strange one to solve today. A client needs their site to not allow people being logged in, going to a different site, then still being logged in if they hit the back button in their browser.
Simple I thought... until I couldn't find a page event that got fired when the back button was pressed from another site.
I thought of just using JavaScript and working with the referrer object, but this won't achieve my goal as I need to access the .NET Membership system and log the user out of their session.
Has anyone got around this problem? If so, how? Any help would be appreciated, potentially I'm just missing something that I could achieve in the Global.asax? If it helps, I'm using .NET 4.5 / C#.
Reasoning:
Due to, say, if one operator went and left their machine unlocked, visited Google, then another operator went on the same machine maliciously and hit the back button to gain access to that operator's logon (the client is very security cautious)
So you would like to log out user whenever they leave your site? You cah have global javascript that sends a request to a server every minute saying "Hey, server, I'm here! I'm user Joe Blogs, i'm still on the site". If the server does not get this message from a user longer than a minute, log them out.
Overriding back button is just not going to work. What would you do if user opens up another tab/window and goes to google there?
Update:
you can try using .unload() from jquery to catch page leave. And destroy the cookies on that event.
However, when the machine is just left unattended, nothing stop malicious user to go grab the access.
Update 2 you can just set very short session life! if user is inactive (or left the page) - log them out. To prevent possible annoyance for logging out when user looking on the screen for too long (fills in very long form) - make javascript to do regular (every 5 minutes) to a server to a dummy page - to keep the session live while the page is loaded.
Here is the source: Force users to logout when they leave my php website?
There is perhaps a "magical" solution for the problem but the key thing here is in the reasoning: Operator A is not allowed to use the site with the credentials of Operator B.
From a client and server perspective there is no way that the server or client (browser) can tell that persons changed seats at whatever moment in time.
That's the problem you have to solve.
But perhaps implementing face-detection is a little over the top?
If you were designing the site from the ground up you can do this by adding a header to specify that you do not want caching.
Cache-Control: no-cache
Pragma: no-cache
But you would then have to have all your site access through a single page. The page need not be displayed the same and can contain different controls etc, but it's content would be decided by POST parameters rather than through the normal ASP.NET model.
e.g. Default.aspx and to navigate you would POST back at least two parameters. One would be the page to navigate to, and another would be an unpredictable token.
e.g. Token=3Zd2f4O61Z&Page=OrderHistory
Upon each page load you would validate the token and page title combination, and if OK you would display the page and generate new post-back data links for any navigation or actions you would like the user to take at that point. If the user were to try accessing the same page with the old token, it would expire the session and then log out the user. This is the most secure way to do this as then clicking the back button would prompt the user to resubmit their post data again. If OK was clicked, the browser would submit it but the server would recognise that the token was now invalid (as it has already been used, and discarded by the server) and then log out the user.
This method also protects against CSRF as you are validating a token in the payload of each request rather than just checking cookie values.
I know this won't help you unless you can reengineer your site, but I thought I'd add this solution in case anyone lands here with the requirement from the beginning.
You can have a landing page of your site to contain nothing by a JS redirect to reals homepage this way when person hits back button he will go back first to the damy redirecting page that move him back to home page.
But it will be possible to override this if user chooses to skip number of pages at once or just opens another window.
Could you provide further information about why exactly is its needed ? I think in your case, there is a possible solution of may be having a separate Database table or field for marking or flagging such users who have been redirected to another site just treat them as signed off and then once they hit your sites URL you can probably check for the flag and sign them back in, automatically.
JQuery unload() function will solve your problems as wel as the javascript window.onbeforeunload...
I need to send "instant" messages (like forum PMs) between users with my asp.net application. As many others I use a webhotel to host my site. I have searched around for awhile and I can't find any solutions that would be a good fit with my system. I was thinking about writing a javascript that would call for each 30 seconds or so a .ashx handler to check the users message status (return true or false) if the correct credentials are supplied. However I dont know if this is a good solution, because of all the calls to the handler it might get picked up as spam or it might generate really bad performance? The thing is, I want to avoid the need to refresh the page just to see your latest messages.
Take a look at the C# SignalR library, it allows you send grouped or broadcast messages to clients using longpolling or websockets with minimal bandwidth and simple code
http://signalr.net/
You can use an updatepanel for this. Put a textbox in an updatepanel in your page. When a user sends a message just append it to that textbox.You can put a refresh timer to refresh the contents in every second .
In a Website environment how do you make an ajax post to Handler.ashx secure and how do you stop people calling that handler.ashx directly and putting rubbish in and possibly breaking things server side?
With firefox and firebug you can pretty much hack the post quickly and easily.
I was thinking of these ideas.
In the handler check if you are logged in.
List item on the load of the site create a unique ID is saved as a cookie and
when the handler is called then that ID must exist in the Ajax and
the handler
List item the ajax call must come from a certain page
Do you have any other ideas?
Thanks
Short answer
Use authentication (Windows, Forms, etc) and validate your input.
Slightly longer answer
If your site is configured with an authentication provider, your handler will follow the same rules.
You should always validate any user input or web service input. Don't assume that your client is giving you pristine input. As you have mentioned, anyone with basic web development skills can spoof a POST. Keep that in mind when validating.
I'm using PayPal's Website Payment Standard in my ASP.NET website.
What I do is when the user clicks on the "Pay Now" button, I do the following in the codebhind:
DB status changes
Generation of the PayPal form, hidden fields for the items
Call ScriptManager.RegisterClientScriptBlock() to call the javascript function that submits the PayPal form to PayPal.
I'm worried that the user can press stop on the web browser and then edit the values in the hidden forms and then submit the form. Is there a way to prevent this? Or a better alternative?
Thank you so much in advance!
I haven't done PP Standard. I've used Gateway and Pro/Express Checkout but its been quite a while - still, your question can be handled in a more "generic" way...
Unfortunately your plan will not do anything to protect you - just like any other HTML Form on the web, HTTP requests and responses can be inspected and tampered with using readily available tools.
The common way to prevent tampering is to do server-side validation of submitted values coming from any client/browser (the rule of thumb is "trust no one"). In your scenario, you are doing things on the server side, but that's still prior to the actual submission target of the data - which is PayPal. The step that actually sends the data to the "target" is still the browser/client - and there lies the issue so to speak. The data to be validated is meant for a system other than yours (so you can't validate for PayPal).
Unless there is an added layer of security, e.g. signature or encryption, it will always be vulnerable to tampering (viewing is a foregone matter, it can be viewed).
I don't believe (but I could be wrong) PP Standard has a server-to-server option for POSTing data. This would effectively "hide" the data altogether from the client/browser - nothing to see, nothing to tamper with. Data transfer is in the background - client/browser knows nothing of it.
However, their PayPal Payments Standard and Button Manager API seems to be the right/secure way of doing this.
In essence you will be creating what they call "encrypted buttons" on the fly. This way the data will look like gibberish to anyone inspecting it - it will only make sense to PayPal because they can decrypt the data accordingly. That's how the data is secured/protected from tampering (not viewing - but again, what can be seen is gibberish)...
Hth...
Update:
Also, you should consider PayPal IPN for storing data. You are making the assumption above (I think) that everyone who clicks the button will actually go through with the payment (or can pay successfully). With IPN, you will "listen" for data coming from PayPal only after successful payment (which is where you should store order related data and/or inventory updates, etc.) ....
Even though I'm working with PHP, using the NVP API you can get links to redirect using a token which can only be used by paypal. All the links will look like https://www.sandbox.paypal.com/webscr?cmd=_express-checkout&token=TOKEN, where TOKEN is a token retrieved previously by calling the PayPal API.
I've only developed it for ExpressCheckout. You can check the API here:
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/howto_api_reference