473,836 Members | 2,114 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

How to prohibit bypassing a required page?

Let me try to make clear what my concern is. I think it is a pretty
interesting one, which I think of while I am developing my web
application.

I have an authenticated/authorized web application. People have to
login from http://mydomain.com/ to access the information on my site.

For now, this is working fine. People cannot bypass the login form,
any attempt to check out a page (if they happen to know the file name)
will be redirected to the login page.

Now, after a user successfully logs in, he needs to complete some forms
in a sequence of a few pages. Suppose that form1.aspx is required, the
RequiredField validation check on this page prohibits a user from
proceeding if the required fileds are not filled.

However, a smart user can bypass this page if s/he simply changes the
URL in the address bar, say, from http://mydomain.com/form1.aspx to
http://mydomain.com/form2.aspx. Let's assume that they happen to know
some of the file names over there.

So, here is my question: How to prevent them from bypassing the
required page? I know that I can probably use weird, hard-to-guess or
hard-to-remember file names like
"weoi23lad345aa s945kdfa-sldfkj-sdlfas0jdfla2e2 er8237pq52e0i9. aspx", but
this is silly and isn't really safe.

Thanks.

Mar 11 '06 #1
4 1897
The best way is IIdentity and IPrincipal, but that may be overkill.
Create on object.

class RegisterPagesCh eck
bool Page1Verfied
bool Page2Verified
bool Page3 Verified
When the user sucessfully fills in page1 correctly, then

RegisterPagesCh eck newUser = new RegisterPagesCh eck ();
newUser.Page1Ve rified = true;

now put newUser in the SESSION variable.
Session["mykeyname"] = newUser;

...

on page2 load... pull the cached version.

if (null!=Session["mykeyname"])
{
RegisterPagesCh eck checkFromSessio n =
(RegisterPagesC heck )Session["mykeyname"];
}
if (null!= checkFromSessio n)
{
if (checkFromSessi on.Form1Verifie d == false
{
Response.Redire ct("./login.aspx");
}
}
somehting like that.

when you get to the Page2 verifiy, you'll still have to get the session
cached object.. and then update
..Page2Verified = true

on page 3, pull the object from session, and check for trues on Page1Verify
and Page2Verify.
...

Check my blog
http://spaces.msn.com/sholliday/ 10/24/2005
for a fancier session object.


<an***********@ yahoo.com> wrote in message
news:11******** *************@i 40g2000cwc.goog legroups.com...
Let me try to make clear what my concern is. I think it is a pretty
interesting one, which I think of while I am developing my web
application.

I have an authenticated/authorized web application. People have to
login from http://mydomain.com/ to access the information on my site.

For now, this is working fine. People cannot bypass the login form,
any attempt to check out a page (if they happen to know the file name)
will be redirected to the login page.

Now, after a user successfully logs in, he needs to complete some forms
in a sequence of a few pages. Suppose that form1.aspx is required, the
RequiredField validation check on this page prohibits a user from
proceeding if the required fileds are not filled.

However, a smart user can bypass this page if s/he simply changes the
URL in the address bar, say, from http://mydomain.com/form1.aspx to
http://mydomain.com/form2.aspx. Let's assume that they happen to know
some of the file names over there.

So, here is my question: How to prevent them from bypassing the
required page? I know that I can probably use weird, hard-to-guess or
hard-to-remember file names like
"weoi23lad345aa s945kdfa-sldfkj-sdlfas0jdfla2e2 er8237pq52e0i9. aspx", but
this is silly and isn't really safe.

Thanks.

Mar 11 '06 #2
Hi, Sloan,

Thanks. IIdentity and IPrincipal are very new to me. I have only a
very small web application with only 4 to 5 pages.

I think an easier solution would be to create the page on-the-fly that
follows the required form1.aspx. This way, a user has nothing to check
out if he does not go through form1.aspx.

You think this would be doable?
sloan wrote:
The best way is IIdentity and IPrincipal, but that may be overkill.
Create on object.

class RegisterPagesCh eck
bool Page1Verfied
bool Page2Verified
bool Page3 Verified
When the user sucessfully fills in page1 correctly, then

RegisterPagesCh eck newUser = new RegisterPagesCh eck ();
newUser.Page1Ve rified = true;

now put newUser in the SESSION variable.
Session["mykeyname"] = newUser;

..

on page2 load... pull the cached version.

if (null!=Session["mykeyname"])
{
RegisterPagesCh eck checkFromSessio n =
(RegisterPagesC heck )Session["mykeyname"];
}
if (null!= checkFromSessio n)
{
if (checkFromSessi on.Form1Verifie d == false
{
Response.Redire ct("./login.aspx");
}
}
somehting like that.

when you get to the Page2 verifiy, you'll still have to get the session
cached object.. and then update
.Page2Verified = true

on page 3, pull the object from session, and check for trues on Page1Verify
and Page2Verify.
..

Check my blog
http://spaces.msn.com/sholliday/ 10/24/2005
for a fancier session object.


<an***********@ yahoo.com> wrote in message
news:11******** *************@i 40g2000cwc.goog legroups.com...
Let me try to make clear what my concern is. I think it is a pretty
interesting one, which I think of while I am developing my web
application.

I have an authenticated/authorized web application. People have to
login from http://mydomain.com/ to access the information on my site.

For now, this is working fine. People cannot bypass the login form,
any attempt to check out a page (if they happen to know the file name)
will be redirected to the login page.

Now, after a user successfully logs in, he needs to complete some forms
in a sequence of a few pages. Suppose that form1.aspx is required, the
RequiredField validation check on this page prohibits a user from
proceeding if the required fileds are not filled.

However, a smart user can bypass this page if s/he simply changes the
URL in the address bar, say, from http://mydomain.com/form1.aspx to
http://mydomain.com/form2.aspx. Let's assume that they happen to know
some of the file names over there.

So, here is my question: How to prevent them from bypassing the
required page? I know that I can probably use weird, hard-to-guess or
hard-to-remember file names like
"weoi23lad345aa s945kdfa-sldfkj-sdlfas0jdfla2e2 er8237pq52e0i9. aspx", but
this is silly and isn't really safe.

Thanks.


Mar 11 '06 #3
On 11 Mar 2006 10:04:35 -0800, an***********@y ahoo.com wrote:
So, here is my question: How to prevent them from bypassing the
required page? I know that I can probably use weird, hard-to-guess or
hard-to-remember file names like
"weoi23lad345aa s945kdfa-sldfkj-sdlfas0jdfla2e2 er8237pq52e0i9. aspx", but
this is silly and isn't really safe.


Lots of solutions to this problem.

1) if you're using ASP.NET 2.0 you can use the new "Wizard" control that
will provide a sequenced page set of functionality. They can't jump into
the middle of it because it's all happening on one page, fed by postback
values.

2) You can pass postback values yourself to each page. This is relatively
easy to do using ASP.NET 2.0, and a bit more difficult to do with 1.x but
can be done. Then, in each successive page, you test for the presence of a
particular value in the posted data.

3) You can use session variables to indicate the successful completion of a
given page. Then in the next page you check to see if all the requirements
have been met to view that page, otherwise redirect back to the page they
need to coplete. Though this won't work if they close the browser
mid-session and come back to it later.

4) You can store workflow information in a database. For example, maybe
you want to make sure they've agreed to the terms of service before you let
them use the site. You can store the terms of service acknowledgement in
the database.

5) You can generate unique sequence id's and pass them on the URL. When
the user finishes a page, you add a sequence ID to a table and associate it
with a certain page. When that sequence id is requested, you retrieve that
page via a User Control or Server Side Include.

There are really a lot of potential ways to handle this, how you do it is
up to you.
Mar 11 '06 #4
The options you offer are really great, although probably only option 3
sounds easier for me to handle (I am very new to the .Net platform) for
my small web application.

I guess I am gonna use option 3. Then when the "Continue" button on
form1.aspx is clicked, I create a session object "form1_done " and let
it equal "true".

Then in Sub Page_Load of form2.aspx, I check this session object, and
if it is there and has the value "true", I do nothing, otherwise, I
Response.Redire ct("form1.aspx" ).

Will this work? Or is there a better solution? I don't have access to
my web server at this moment, so I cannot test it.

Erik Funkenbusch wrote:
On 11 Mar 2006 10:04:35 -0800, an***********@y ahoo.com wrote:
So, here is my question: How to prevent them from bypassing the
required page? I know that I can probably use weird, hard-to-guess or
hard-to-remember file names like
"weoi23lad345aa s945kdfa-sldfkj-sdlfas0jdfla2e2 er8237pq52e0i9. aspx", but
this is silly and isn't really safe.


Lots of solutions to this problem.

1) if you're using ASP.NET 2.0 you can use the new "Wizard" control that
will provide a sequenced page set of functionality. They can't jump into
the middle of it because it's all happening on one page, fed by postback
values.

2) You can pass postback values yourself to each page. This is relatively
easy to do using ASP.NET 2.0, and a bit more difficult to do with 1.x but
can be done. Then, in each successive page, you test for the presence of a
particular value in the posted data.

3) You can use session variables to indicate the successful completion of a
given page. Then in the next page you check to see if all the requirements
have been met to view that page, otherwise redirect back to the page they
need to coplete. Though this won't work if they close the browser
mid-session and come back to it later.

4) You can store workflow information in a database. For example, maybe
you want to make sure they've agreed to the terms of service before you let
them use the site. You can store the terms of service acknowledgement in
the database.

5) You can generate unique sequence id's and pass them on the URL. When
the user finishes a page, you add a sequence ID to a table and associate it
with a certain page. When that sequence id is requested, you retrieve that
page via a User Control or Server Side Include.

There are really a lot of potential ways to handle this, how you do it is
up to you.


Mar 11 '06 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

3
2416
by: MB | last post by:
Hi, I am doing a project which uses asp.net to develop its forms. The form uses validation web controls to validate the data entered in text boxes. When Cancel Button is pressed which is to exit from the current page and go to the previous page, the validation controls activate because data has not been entered, and the user cannot cancel. I have used Response.Redirect(webpage) but the validations activates and unless I enter some data...
1
1065
by: tim almond | last post by:
I currently have a system where the client has a login page which has a SQL server database behind it and does authentication. The client wants to have a page which can be logged into by passing a user ID/password into the URL. I also need the system to say that if there is no user ID/password, it needs to check the session status. The best approach I can think of is to drop any role requirements off this page but when the page load,...
0
12092
by: sonu | last post by:
I have following client side code which i have used in my asp.net project SummaryFeatured Resources from the IBM Business Values Solution Center WHITEPAPER : CRM Done Right Improve the likelihood of CRM success from less than 20 percent to 60 percent. WHITEPAPER :
4
1209
by: Boni | last post by:
Dear all, can I prohibit that my class will be passed by value (i.e created a copy on stack when function is called)? I want to prohibit passing my class by value. I thougth that declare a default constructor to private would do the job, but no. When myfunc is called some construcor goes called, but not the explicit one.I have noidea which one is it. I am running out of ideas. With best wishes, Boni Any ideas?
5
4208
by: John | last post by:
Hi I have established form authentication so every page on the site send the access to a specific login page. I need however to bypass the authentication for my web service page to allow it to be accessed without login. How can I selectively exclude a page from form authentication? Thanks Regards
6
5494
by: John | last post by:
Hi I need to block user from moving away from a record using any of First/Last/Prev/Next/New Record or any other way IF the record has not been saved, and displaying a message to the effect "Please finish editing". If however the user has explicitly saved the record using save from the access menu then allow to move from record. How do I achieve this via code? Thanks
9
1724
by: bonk | last post by:
Does anyone have a simple example on how to prohibit that any thread other than the current thread modifies a certain object (a collection) while we are in a certain section of the code? In other words: while we are inside this codeblock whoever might think of modified that particular collection has to wait until we have left that codeblock. As far as I understand it lock() {} only prohibits that other threads enter a certain block of...
1
1904
by: =?Utf-8?B?QXVzdGluIFN0ZXBoZW5z?= | last post by:
In my commercial financial application I run a deposit report. I use an option to copy the report to the Clipboard. I then run a .NET consol app to “grab” the Clipboard and format the data and print laser deposit tickets. I use the following to set my printer: PrintDocument doc = new PrintDocument(); if (printer != "default") doc.PrinterSettings.PrinterName = printer; I then raise an event: doc.PrintPage += new...
10
5540
by: Tim Streater | last post by:
I have a form and a button to submit it. The button is made from: <input type=button onclick='myHandler(this.form);'> This all works fine except that in Safari 2.0.4, the enter/return keys, if pressed, submit the form - bypassing my onclick handler. I can partially fix this with: <form onsubmit='return false;'>
0
9812
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, well explore What is ONU, What Is Router, ONU & Routers main usage, and What is the difference between ONU and Router. Lets take a closer look ! Part I. Meaning of...
0
9657
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
10823
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
1
10577
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
0
10243
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
0
9359
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development projectplanning, coding, testing, and deploymentwithout human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
0
5812
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
4443
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
2
4003
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.