how to control the redirection

hi

newbie in web design I got some issue concerning a secure redirection
between 2 pages

let say I have a page with a grid (the 'master' page)
in this grid I can select a record, get its pk
then I redirect to another page (the 'detail' page) with the pk as
parameter

like : Response.Redirect("~/details.aspx?idKit=mypk")

during the detail page loading, the idKit is processed to load or create the
detail records according to the idKit value
(in fact there can be other optional parameters)

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load

    If Not Page.IsPostBack Then

        If IsNothing(Request.Params("idKit")) Then
            Response.Redirect("~/erreur/NoAccess.htm")
        End If

        hfURL.Value = Request.ServerVariables("HTTP_REFERER")

        hfKit.Value = Request.Params("idKit")

        ' ...... some processing

    End If

End Sub
So nothing special, except that one can access manually and directly to the
'detail' page with "../details.aspx?idKit=x"

if "x" exists as a pk in the master table, he will be able to modify/create
details records without any control

I would like to know if there is a simple way to control this redirection
problem

one more problem : this "detail" page is a generic page that is called by
many "master" pages so we can't test the calling page url
the master page url is simply saved and used to know where to redirect back
after the details processing

I would like to know if there is a simple way to control the redirection to know
if the access to the detail page (and the parameter) is legal

thanks a lot


Nov 3 '06 #1
4 Replies


Try using Server.Transfer(URL);

if you want to pass variables to that page, use the context object.

Context.Items.Add("IdKit", "x");

Then on the destination page, use Context.Items("IdKit") to retrieve
the value.

Nov 3 '06 #2

thanks


Nov 3 '06 #3

wow that's very nice

with server.transfer(url) it seems easy to disallow direct access for some
pages or I'm doing wrong ?
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load

    If Not Page.IsPostBack Then
        If Request.ServerVariables("HTTP_REFERER").ToString <> Request.Url.ToString Then
            Response.Redirect("~/erreur/NoAccess.htm")
        End If
    End If
    ' .....

End Sub


Nov 3 '06 #4

Something I always do for anything that could be edited on a server, I
implement a membership system. That way I can associate a record with a
particular user(s) and I pass the user's id to my stored procedure along
with the primary key. If there's a match, in other words if the user account
has permission to access it, then I'll return results and can populate edit
forms. I do the same for updates as well, ensure that the user has the
ability to make the updates before actually updating. At least ASP.Net has
most of the membership functionality you could want easily available now.

--
Hope this helps,
Mark Fitzpatrick
Former Microsoft FrontPage MVP 199?-2006



Nov 3 '06 #5
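
The per-user check described in the last reply, sketched for the detail page as an added example (not code from any poster in this thread). It assumes forms authentication with an ASP.NET membership provider; the `dbo.UserCanEditKit` procedure, the `KitPermission` table and the `AppDb` connection string name are hypothetical. The Referer header, the query string and hidden fields are all supplied by the browser, so the decision rests only on the server-side identity and is repeated on postback.

```vb
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web.Security

Partial Class Details
    Inherits System.Web.UI.Page

    ' True only if the logged-in user is linked to this kit. Assumed procedure body:
    '   SELECT COUNT(*) FROM KitPermission WHERE idKit = @idKit AND UserId = @userId
    Private Function UserCanEditKit(ByVal idKit As Integer) As Boolean
        ' The user id comes from the server-side login, never from the request.
        Dim userId As Object = Membership.GetUser().ProviderUserKey
        Dim cs As String = ConfigurationManager.ConnectionStrings("AppDb").ConnectionString
        Using cn As New SqlConnection(cs), cmd As New SqlCommand("dbo.UserCanEditKit", cn)
            cmd.CommandType = CommandType.StoredProcedure
            cmd.Parameters.AddWithValue("@idKit", idKit)
            cmd.Parameters.AddWithValue("@userId", userId)
            cn.Open()
            Return CInt(cmd.ExecuteScalar()) > 0
        End Using
    End Function

    ' Called on every request, first load and postback alike.
    Private Sub RequireKitAccess(ByVal rawId As String)
        Dim idKit As Integer
        If Not User.Identity.IsAuthenticated _
           OrElse Not Integer.TryParse(rawId, idKit) _
           OrElse Not UserCanEditKit(idKit) Then
            ' Same answer for "bad id", "no such kit" and "not your kit".
            Response.Redirect("~/erreur/NoAccess.htm")
        End If
    End Sub

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        If Not Page.IsPostBack Then
            RequireKitAccess(Request.QueryString("idKit"))
            hfKit.Value = Request.QueryString("idKit")
            ' ... load or create the detail records
        Else
            ' The hidden field is client-editable, so re-check before any update.
            RequireKitAccess(hfKit.Value)
        End If
    End Sub
End Class
```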
