
Help me secure this site (please?)

Not sure if this is a good approach or not, but I'd like to hear some
informed opinions. I've designed an ECommerce site that interfaces with my
company's POS system. I'm trying to make it as flexible as possible because
we resell it to our clients and they all have different needs and
preferences.
So the items for sale are displayed in a datagrid, and in the
ItemDataBound event, I construct a URL with query strings so that when an
item is selected, the next page knows what item was chosen. The query string
seemed like a good way to go because it works well from the datagrid, and it
makes the system more open, so that a client can send out something like an
"email special" with the URL of an item with a special price that wouldn't
show up in the normal item list. This openness also creates a security risk,
because a hacker could look at the query strings being passed and start
guessing at other items they don't see in the item list and maybe buy
something the client didn't want to sell (like free stuff).
So I want to lock this down by having a list of items the client needs
to generate that they would sell that don't appear in the regular item list,
and have any other non-regular items be denied.
I was thinking that I'd set a session variable as the user leaves the
item list page that says what item was selected. Then, on the next page
(item details) if the query string matches the session variable, then they
can proceed. If it doesn't, the list of allowed hidden items is checked, and
the user can proceed only if their item is on that list. I'm not sure how to
set this session variable since I leave my item list with a link instead of
an event. Is there an event that fires as I leave that page that would allow
me to capture the URL being used and set a session variable? Is there a
different approach I should be looking into? I appreciate anyone with the
patience to have read this far and look forward to your suggestions. Thanks!

Matt
Nov 18 '05 #1
Instead of constructing a URL you could use a TemplateColumn with a
LinkButton that has the CommandName attribute set to "ViewItemDetails", for
instance. Then wire up the ItemCommand event for the DataGrid. You can then
construct the URL in the event handler, set a session variable, and do a
Response.Redirect.

However this isn't really going to solve your problem.

If you want to be able to mail out a link to the item details page, you have
a problem in that there isn't an easy way to authenticate the user.

Without authenticating the user the only thing I can think of is possibly
signing or encrypting the query string.
Nov 18 '05 #2
Thanks for the ideas. I also forgot to mention these pages are in use and
I'd like to be able to make changes in the codebehind only.
I think the encryption of query strings is probably my best bet because I
could do all of that in the codebehind and not have to merge clients' page
modifications to distribute this.

Do you know of a way to encrypt the entire query string (I have a good
encryption algorithm already)? I have three variables to pass, and it would
be nice to encrypt them all as one string that I could decrypt and parse out
afterwards.

Nov 18 '05 #3
This is really a good idea and I have done this in the past. I replaced my
entire project's Redirects with my utility function GetEncodedURL, and the
Request("") with GetRequestObj("", Request.Querystring).

The change was very simple.

Sekhar.
Nov 18 '05 #4
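Brad's suggestion of signing the query string, Matt's question about packing three values into one string that the details page unpacks, and Sekhar's GetEncodedURL/GetRequestObj pair all describe the same utility. The Python below is an added example, not code from this thread, and uses an HMAC signature rather than encryption: the item, price and promo stay readable in the link, but only the server can mint a token that verifies, so guessing or editing an item id on an emailed link gets rejected. SECRET_KEY, the field names and the expiry are assumptions; the same logic ports directly to a C#/VB.NET codebehind with System.Security.Cryptography.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed server-side secret (constructed placeholder); load it from config, never from a page or link.
SECRET_KEY = b"placeholder-secret-replace-with-32-random-bytes"

def _b64u(data: bytes) -> str:
    # URL-safe base64 without padding, so the token survives a query string.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_item_link(params: dict, key: bytes, ttl_seconds: int,
                   now: Optional[int] = None) -> str:
    """Pack the item/price/promo values into one signed token for ?t=..."""
    issued = int(time.time()) if now is None else now
    payload = dict(params, exp=issued + ttl_seconds)   # emailed specials expire
    # Canonical JSON so identical fields always produce an identical signature.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64u(body)}.{_b64u(tag)}"

def read_item_link(token: str, key: bytes,
                   now: Optional[int] = None) -> Optional[dict]:
    """Return the parameters only if the tag verifies and the link is unexpired."""
    try:
        body_text, tag_text = token.split(".", 1)
        body, tag = _unb64u(body_text), _unb64u(tag_text)
    except (ValueError, binascii.Error):
        return None                      # malformed token
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # altered, or never issued by this server
    payload = json.loads(body)
    current = int(time.time()) if now is None else now
    if payload.get("exp", 0) < current:
        return None                      # the special has ended
    payload.pop("exp")
    return payload

if __name__ == "__main__":
    link = make_item_link({"item": "SKU-1001", "price": "19.99", "promo": "nov05"}, SECRET_KEY, 7 * 24 * 3600)
    print("details.aspx?t=" + link, read_item_link(link, SECRET_KEY))
```

The details page still validates the unpacked item against the catalog; the signature only proves the link came from the server unchanged.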