Detecting when the user moves away from two particular pages

[Simon Harvey]

Hi everyone,

I'm having a frustrating problem and I don't know how to fix it without
totally redoing a very complicated couple of pages on my site. I really hope
some kind soul can help me

Its a very simple situation:

I have 1 page that serves to create and update users and another page to add
roles to the user.

In order to keep the state as the user moves back and forward between these
two pages, I've made a session entity class that I add to the Session when
moving between these two particular pages.

Thats all fine.

When the user arrives at the Create/Update page, it checks to see if the
session entity exists. If it does, then it loads the user interface with the
info in the entity object.

Also fine.

The problem occurs when the user comes to the page, half creates a user then
goes away from the page using one of the several links on the page and then
returns to the page.

Because the Session Entity still exists from the last occasion the user was
at the Create/Edit page, the page loads the data from it even when it
shouldnt.

The end result is that the UI gets populated with values that it definately
shouldnt!

My question is generic - how can i stop this from happening? I know people
use Process State objects for managing a multestage process all the time, so
this situation must arise all the time. I'm hoping theres some sort of
design pattern for it.

The only way I can think to prevent the problem is to detect when the user
moves away from the page by using the links on the page and delete the
session object when moving away from the 2 create/update pages.

Does anyone know how I can detect when the user moves away from two
particular pages?

Sorry thats quite a complicated explanation. I really hope someone can help

Thank you

Simon

 

[Guest]

Smart navigation - have you tried using it?

-Demetri

 

[Matt Berther]

Hello Simon,

You could do an OnUnload handler on each of your pages body tags. This handler would be responsible for creating an HTML-RPC call to null out the Session Entity.

<html>
<head>
<script language='javascript'>
function destroySessionEntity() {
// create your web request here...
}
</script>
</head>
<body onUnload="destroySessionEntity()">
</body>
</html>

 

[Guest]

Don't use smartnav or rely javascript firing on the unload. Both of these
are very unreliable. What if you did not use links between the two pages but
used server.transfer or some other way to transfer the data back. Maybe take
the information out of the session once it has been sent down to the client.

 

[Eric Gibson]

Hi everyone,

[snip]

The problem occurs when the user comes to the page, half creates a
user then goes away from the page using one of the several links on
the page and then returns to the page.

Because the Session Entity still exists from the last occasion the
user was at the Create/Edit page, the page loads the data from it
even when it shouldnt.

The end result is that the UI gets populated with values that it
definately shouldnt!

So basically what you are saying is that you have a script that represents a
process with multiple stages that all accept similar values. So the program
is confused as to how to load these values under certain situations.

I think you should remedy this problem by clearly dilineating your program
into steps represented by one subroutine or function (I'm imagining your
program as one big chunk of logic that displays different things based on
the session, am I right?). Maybe session's aren't the answer in this case,
maybe instead you should pass form post or querystring get values back and
forth from each step that tell your program what's it's supposed to be
doing.

When I have a script with multiple steps I usually key off each step in the
querystring. The first thing my program does is a switch on an "op"
querystring variable, and executes a routine that implements that step. Then
each step passes a new op variable which tells program to implement the next
step. For instance:

Step 1) Show Create User Form: users.aspx?op=viewcreate&f1=1&f2=2 (shows a
form which posts to...)
Step 2) Create User: users.aspx?op=create&f1&f2 (does database calls,
inserts, and redirects to...)
Step 2) Modify User: users.aspx?op=modperms&f1=1&f2=2

So, if someone clicks on another link in the page, and they eventually come
back to your script, all they have is the first op=new link, so the program
knows it's creating a new user, regardless of what's in the person's session
(but it can fill that information in too as it sees fit).

Something of that nature, catch my drift?

Keep in mind I'm also hearing security issues in your problem. I don't think
it's a good idea for users to be in control of the control-flow of your
program by modifying session information when creating and modifying users.
Sounds bad! ;-)

Eric

 

[Simon]

Hi Everyone,

First a big thanks to all wheo answered my problem. All interesting ideas.
The one that I connect with the most is Eric's.

The one problem I have is the fact that it uses the query string. The reason
that I used the session was because I actually thought it would be more
secure than passing userID's and what not over the wire in a url thats
clearly tamperable.

Is there another way I could maintain the state between pages without using
the query string? Perhaps in a form variable?
Or maybe i could encrypt the querystring as it goes out and unencrypt it on
its way in?

As always, any help very much appreciated

Thanks all

Kindest Regards

Simon

 

[Eric Gibson]

Hi Everyone,

First a big thanks to all wheo answered my problem. All interesting
ideas. The one that I connect with the most is Eric's.

The one problem I have is the fact that it uses the query string. The
reason that I used the session was because I actually thought it
would be more secure than passing userID's and what not over the wire
in a url thats clearly tamperable.

That's cool. Yes, querystring is tamperable, and so are hidden form fields,
but the data has to come from somewhere to get into your session, so in a
way your session is tamperable as well! Anything data that comes from user
input is tainted... ;-<

Really you could probably fix it solely with any of the above, hidden form
fields, sessions or querystring with a little craftiness. If I was going to
make a program similar to what you are doing I'd prolly use a combination of
them all.

I might: string the steps together and let the program know what's going on
using a series of querystring variables (I think of the querystring as a
command line argument), pass stateless data between each step using hidden
form variables. And keep any secured user related info in the session (such
as the users login id and password).

The security issues for each field would be highly dependent on what you are
trying to do though, so any of those rules I use for myself might be bent
for the occassion.

What I'm saying is; Your program is basically calling itself right? View
create user, create user, and modify. So wherever in the code it says "If
Session("Username") Then CompleteStep1()" change it to "If
QueryString("step1") Then CompleteStep1()"

Then in the appropriate places where the script passes data from itself to
itself (such as from a form), give it that querystring value or a hidden
form id, so it knows what to do next. It might only require a couple small
changes to accomplish this. If you clearly define all the steps like this,
you might find it easier to validate the users input as well, because you
have more power to send them where you want them since you can change what
step is next concisely in your code.

Eric

 

[The Guru]

Hi Simon,

If I have understood you correctly, you have multiple pages in your
ASP.Net project. When user jumps between two pages (Create/Edit User &
User Roles), you want to maintain certain data which the user might
have entered in create/edit page.

One easy soln. is to use "HTTP_REFERER" in the Page_load event to find
out from which page the user is comming from. If the value of
"HTTP_REFERER" is not the create or role page, then you have achieved
what u reqd.
-Guru