|
Can you answer my previous post first: what was there which you could not understand??
I've deleted it as my concern is solved and I don't want to continue over such a nonsense reply. Richard, I saw that you have been here for more than 5 yrs but you could not understand a very very simple question and started showing wits.
Being so senior you should show some manners rather than asking somebody to pull a rickshaw. Instead of an apology you continue asking silly questions.
It's not at all appreciated!!
|
|
|
|
|
Hi,
I have a question about security and user access:
If I protected a GET action with access only for logged users or for some type of user, should I also protect the POST action?
In ASP 3.0 I used to do that because one could clone the form and set the "action=myformpost.asp".
Thanks
|
|
|
|
|
I think you must authenticate each request.
When the user logs in to your system, generate a session id and put a session value for the current user.
Now for every request check whether the session value is created or not. Don't send this session id to the client, store it in the server session variable. If the user is creating a clone, he can create the request object just like yours, but the session id which he would be connecting with would not match any valid session, so the request would be rejected.
Hope you got the point.
|
|
|
|
|
What if I'm just using cookies?
For example:
Action /SomeForm/ (GET)
1. I check if the user has some cookie. If he does,
2. I show the form to him.
Action /SomeForm/ (POST)
1. Should I check if the user has that cookie or not?
2. Process inputs, etc.
|
|
|
|
|
No. I don't recommend cookies, because they are not safe and are stored on the client side.
Also anyone can delete cookies at any time.
Use session. It's a better approach. No one can tamper with data in session.
|
|
|
|
|
Uhm..
1. Ok, let's assume I'm not going to stop using cookies..
Should I check for the cookie in the POST? Yes or no?
2. In ASP 3.0 I used to use Sessions, but in ASP.NET (MVC) I don't know how; is the usage similar to cookies? Do you have some link on Session usage? Also, aren't sessions based on cookies though?
(Also, I definitely don't wanna use the filters that come with MVC.. like [Auth] and others)
|
|
|
|
|
Quake2Player wrote: Also, aren't sessions based on cookies though?
No, they are not. They are stored on the server. The session id MAY be based on cookies, I am not sure, but all a user could do, if that were true, is delete a cookie and abandon their session. A cookie contains data on the client, which means the client can edit it, if they wanted to.
Christian Graus
Driven to the arms of OSX by Vista.
Read my blog to find out how I've worked around bugs in Microsoft tools and frameworks.
|
|
|
|
|
Ok, so I'm using sessions now instead of cookies.
Can you answer my question now, which is analogous to the previous question:
Should I check for the session at the beginning of the POST?
Or do I not have to care about someone cloning the form with action=myformpost?
|
|
|
|
|
I am not aware of any way of hijacking a session id. They would need to know what it was first, and I don't see any way to find out what someone else's random session id is. I suspect if someone had a way of doing that, they'd be hitting internet banking sites, and not yours.
Christian Graus
|
|
|
|
|
Yes, you are right Chris, one doesn't have to bother about hacking stuff. The session id will be generated only for a small amount of time based on the timeout value. So it's hard to guess...
No one can use it, if the site doesn't allow this to be manipulated easily.
|
|
|
|
|
Of course you have to check the value in session. As Christian suggested, Session is accessible only from the server. The client can only send a request and after that the server has to do the rest.
When the user logs in to the server, the server needs to create a session object, which will remain until session timeout occurs. During this timespan, if any request from the same client is made, the session id will exist on the server and you can easily check the session value to see whether he is logged in or not. During login:
    // Pseudocode condition: runs once the credential check has succeeded
    if (login == success)
        Session["Auth"] = true;
For every request check:
    // Convert.ToBoolean(null) is false, so a missing session value is rejected too
    if (Convert.ToBoolean(Session["Auth"]) != true)
    {
        Response.Clear();
        Response.Write("Invalid");
        Response.Close();
        return;
    }
This means you are removing the response sent to the client.
Quake2Player wrote: Should I check for the session at the beginning of the POST?
Yes, of course. It should be checked as soon as control comes to the server. You might use Page_Load, or if the action is posted to an HttpHandler you can do it in its ProcessRequest section.
Hope it's clear now.
|
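An added example, not code from any poster in this thread: the per-request session check discussed above, applied in ASP.NET MVC without attribute filters by overriding OnActionExecuting in a base controller, so the POST action is guarded on its own and not only the GET that rendered the form. SessionCheckedController, SomeFormController and the "comment" field are hypothetical names; Session["Auth"] is the flag used in the post above.

```csharp
using System.Web.Mvc;

// Hypothetical base controller: every action on a derived controller,
// GET or POST, passes through OnActionExecuting before its body runs.
public abstract class SessionCheckedController : Controller
{
    protected override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        // Session["Auth"] is the server-side flag set at login.
        var session = filterContext.HttpContext.Session;
        object auth = session == null ? null : session["Auth"];

        if (!(auth is bool) || !(bool)auth)
        {
            // Setting Result short-circuits the request: the action body never runs,
            // so a cloned form posting straight to the action URL is rejected here.
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        base.OnActionExecuting(filterContext);
    }
}

public class SomeFormController : SessionCheckedController
{
    // GET /SomeForm/ : renders the form for a logged-in user.
    [AcceptVerbs(HttpVerbs.Get)]
    public ActionResult Index()
    {
        return View();
    }

    // POST /SomeForm/ : checked independently of the GET above.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Index(FormCollection form)
    {
        // Reached only when the session check passed for this request.
        string comment = form["comment"];   // constructed field name
        if (string.IsNullOrEmpty(comment))
        {
            ModelState.AddModelError("comment", "Required.");
            return View();
        }
        // ... process the validated input here ...
        return RedirectToAction("Index");
    }
}
```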
|
|
|
|
Design Page Error T____T~!!
[URL=http://www.bcoms.net][IMG]http://www.bcoms.net/upload/images/bcoms2009103215149.JPG[/IMG][/URL]
fujiwara
|
|
|
|
|
Does your mobile:form actually render a form tag on the client end? If so then don't bother about the Designer, as it will not parse the html properly if the form element is not present.
Check during runtime if it is working fine or not.
|
|
|
|
|
Thanks for your kindness. I can run the page on IE and Emulator but it's not shown on Design Page T_____T~!!
fujiwara
|
|
|
|
|
Hi All,
I am working on an AJAX-enabled ASP.NET web application, which was previously developed in VS 2005.
Now this application is converted to VS 2008 with Framework 3.5.
Now the problem that occurs is that
some pages in the application work fine with update panels, and some are not working properly.
Those pages that are not working with the update panel also don't get the CSS files as stylesheets.
The AsyncPostBack trigger is not fired, with the Update Panel's UpdateMode = "Conditional" and RenderMode="Inline". But the PostBack trigger works.
In the Web.Config file:
<xhtmlConformance mode="Transitional" />
Any help will be appreciated.
Thanks.
|
|
|
|
|
Hello,
I need to print html pages contained inside a folder on the server: when the user clicks on a button in an .aspx page, all the pages contained in that folder get printed on the client side.
thanks
|
|
|
|
|
I think you need to use some DHTML for this... window.open and print for this purpose...
Http://www.gen-sys.com
Government Dyal Singh College Lahore.
|
|
|
|
|
window.open works only for printing the page which the client is on....
I want to print those pages which are contained in some folder.
|
|
|
|
|
|
There's no way to print anything on the client side without rendering it on the client side. How could you think there might be a way ?
Christian Graus
|
|
|
|
|
Hi to all, pls help me.
I used this code to send a mail from a webpage. I didn't use any web server;
I just run the program on my localhost. This script is not working, it shows sending mail failed. Can anyone pls explain this?
My ultimate aim is to send a feedback form to my mail id.
    using System;
    using System.Configuration;
    using System.Web;
    using System.Web.Security;
    using System.Web.UI;
    using System.Web.UI.WebControls;
    using System.Web.UI.HtmlControls;
    using System.Net.Mail;

    public partial class _Default : System.Web.UI.Page
    {
        #region "Send email"
        protected void btnSendmail_Click(object sender, EventArgs e)
        {
            SmtpClient smtpClient = new SmtpClient();
            MailMessage message = new MailMessage();
            try
            {
                // The sender address and display name come straight from the form fields
                MailAddress fromAddress = new MailAddress(txtEmail.Text, txtName.Text);
                // Requires an SMTP server listening on this host and port
                smtpClient.Host = "localhost";
                smtpClient.Port = 25;
                message.From = fromAddress;
                message.To.Add("kn.nageshwaran@gmail.com");
                message.Subject = "Feedback";
                message.CC.Add("admin1@yoursite.com");
                message.CC.Add("admin2@yoursite.com");
                message.Bcc.Add(new MailAddress("admin3@yoursite.com"));
                message.Bcc.Add(new MailAddress("admin4@yoursite.com"));
                // Plain-text body, so the user's message is not interpreted as HTML
                message.IsBodyHtml = false;
                message.Body = txtMessage.Text;
                smtpClient.Send(message);
                lblStatus.Text = "Email successfully sent.";
            }
            catch (Exception ex)
            {
                // Label.Text is rendered as raw HTML, so encode the exception text
                lblStatus.Text = "Send Email Failed.<br>" + HttpUtility.HtmlEncode(ex.Message);
            }
        }
        #endregion

        #region "Reset"
        protected void btnReset_Click(object sender, EventArgs e)
        {
            txtName.Text = "";
            txtMessage.Text = "";
            txtEmail.Text = "";
        }
        #endregion
    }
|
|
|
|
|
kn.nageshwaran wrote: smtpClient.Host = "localhost";
It should be your host name.
Try this link
[^]
First get your host name.
|
|
|
|
|
kn.nageshwaran wrote: i just run the program in my localhost this script
Did you configure an SMTP server on the local machine (localhost)?
Manas Bhardwaj
Please remember to rate helpful or unhelpful answers, it lets us and people reading the forums know if our answers are any good.
|
|
|
|
|
Hi everybody,
I have developed a page in asp.net (using vb) which is accessible over the internet (public domain .com) and is working fine. This page facilitates end users to save, retrieve, and update existing information, and all information is saved in the server database. Now my boss wants to access this information on the Intranet (local site) but there is a "FIRE WALL" between Intranet and Internet. In the beginning I assumed that I could solve this issue through replication, but later I was told that due to the "FIRE WALL" I can't replicate data from Internet to Intranet.
My question is: how can I save and retrieve data in the local and global database at the same time? Or is replication possible in this situation, or are there any other ways like serialization etc.? Please could you tell me how I can solve this issue; any link or any suggestion would be much appreciated.
I'm really sorry if this is not the right forum to ask this question.
regards
learner
|
|
|
|
|
I want that, when I click any link, some menu items will be Enable False. How is it possible?
|
|
|
|