Help me secure this site (please?)

Discussion in 'ASP .Net' started by MattB, Aug 6, 2004.

  1. MattB

    MattB Guest

    Not sure if this is a good approach or not, but I'd like to hear some
    informed opinions. I've designed an ECommerce site that interfaces with my
    company's POS system. I'm trying to make it as flexible as possible because
    we resell it to our clients and they all have different needs and
    preferences.
    So the items for sale are displayed in a datagrid, and in the
    ItemDataBound event, I construct a URL with query strings so that when an
    item is selected, the next page knows what item was chosen. The query string
    seemed like a good way to go because it works well from the datagrid, and it
    makes the system more open, so that a client can send out something like an
    "email special" with the URL of an item with a special price that wouldn't
    show up in the normal item list. This openness also creates a security risk,
    because a hacker could look at the query strings being passed and start
    guessing at other items they don't see in the item list and maybe buy
    something the client didn't want to sell (like free stuff).
    So I want to lock this down by having a list of items the client needs
    to generate that they would sell that don't appear in the regular item list,
    and have any other non-regular items be denied.
    I was thinking that I'd set a session variable as the user leaves the
    item list page that says what item was selected. Then, on the next page
    (item details) if the query string matches the session variable, then they
    can proceed. If it doesn't, the list of allowed hidden items is checked, and
    the user can proceed only if their item is on that list. I'm not sure how to
    set this session variable since I leave my item list with a link instead of
    an event. Is there an event that fires as I leave that page that would allow
    me to capture the URL being used and set a session variable? Is there a
    different approach I should be looking into? I appreciate anyone with the
    patience to have read this far and look forward to your suggestions. Thanks!

    Matt
     
    MattB, Aug 6, 2004
    #1

  2. Instead of constructing a URL you could use a TemplateColumn with a
    LinkButton that has the CommandName attribute set to "ViewItemDetails", for
    instance. Then wire up the ItemCommand event for the DataGrid. You can then
    construct the URL in the event handler, set a session variable, and do a
    Response.Redirect.

    However this isn't really going to solve your problem.

    If you want to be able to mail out a link to the item details page, you have
    a problem in that there isn't an easy way to authenticate the user.

    Without authenticating the user the only thing I can think of is possibly
    signing or encrypting the query string.


    "MattB" wrote:

    > Not sure if this is a good approach or not, but I'd like to hear some
    > informed opinions. I've designed an ECommerce site that interfaces with my
    > company's POS system. I'm trying to make it as flexible as possible because
    > we resell it to our clients and they all have different needs and
    > preferences.
    > So the items for sale are displayed in a datagrid, and in the
    > ItemDataBound event, I construct a URL with query strings so that when an
    > item is selected, the next page knows what item was chosen. The query string
    > seemed like a good way to go because it works well from the datagrid, and it
    > makes the system more open, so that a client can send out something like an
    > "email special" with the URL of an item with a special price that wouldn't
    > show up in the normal item list. This openness also creates a security risk,
    > because a hacker could look at the query strings being passed and start
    > guessing at other items they don't see in the item list and maybe buy
    > something the client didn't want to sell (like free stuff).
    > So I want to lock this down by having a list of items the client needs
    > to generate that they would sell that don't appear in the regular item list,
    > and have any other non-regular items be denied.
    > I was thinking that I'd set a session variable as the user leaves the
    > item list page that says what item was selected. Then, on the next page
    > (item details) if the query string matches the session variable, then they
    > can proceed. If it doesn't, the list of allowed hidden items is checked, and
    > the user can proceed only if their item is on that list. I'm not sure how to
    > set this session variable since I leave my item list with a link instead of
    > an event. Is there an event that fires as I leave that page that would allow
    > me to capture the URL being used and set a session variable? Is there a
    > different approach I should be looking into? I appreciate anyone with the
    > patience to have read this far and look forward to your suggestions. Thanks!
    >
    > Matt
    >
    >
    >
     
    Brad Quinn, Aug 6, 2004
    #2

  3. MattB

    MattB Guest

    Thanks for the ideas. I also forgot to mention these pages are in use and
    I'd like to be able to make changes in the codebehind only.
    I think the encryption of query strings is probably my best bet because I
    could do all of that in the codebehind and not have to merge client's page
    modifications to distribute this.

    Do you know of a way to encrypt the entire query string (I have a good
    encryption algorithm already)? I have three variables to pass, and it would
    be nice to encrypt them all as one string that I could decrypt and parse out
    afterwards.

    Brad Quinn wrote:
    > Instead of constructing a URL you could use a TemplateColumn with a
    > LinkButton that has the CommandName attribute set to
    > "ViewItemDetails", for instance. Then wire up the ItemCommand event
    > for the DataGrid. You can then construct the URL in the event
    > handler, set a session variable, and do a Response.Redirect.
    >
    > However this isn't really going to solve your problem.
    >
    > If you want to be able to mail out a link to the item details page,
    > you have a problem in that there isn't an easy way to authenticate
    > the user.
    >
    > Without authenticating the user the only thing I can think of is
    > possibly signing or encrypting the query string.
    >
    >
    > "MattB" wrote:
    >
    >> Not sure if this is a good approach or not, but I'd like to hear
    >> some informed opinions. I've designed an ECommerce site that
    >> interfaces with my company's POS system. I'm trying to make it as
    >> flexible as possible because we resell it to our clients and they
    >> all have different needs and preferences.
    >> So the items for sale are displayed in a datagrid, and in the
    >> ItemDataBound event, I construct a URL with query strings so that
    >> when an item is selected, the next page knows what item was chosen.
    >> The query string seemed like a good way to go because it works well
    >> from the datagrid, and it makes the system more open, so that a
    >> client can send out something like an "email special" with the URL
    >> of an item with a special price that wouldn't show up in the normal
    >> item list. This openness also creates a security risk, because a
    >> hacker could look at the query strings being passed and start
    >> guessing at other items they don't see in the item list and maybe
    >> buy something the client didn't want to sell (like free stuff).
    >> So I want to lock this down by having a list of items the client
    >> needs
    >> to generate that they would sell that don't appear in the regular
    >> item list, and have any other non-regular items be denied.
    >> I was thinking that I'd set a session variable as the user
    >> leaves the item list page that says what item was selected. Then, on
    >> the next page (item details) if the query string matches the session
    >> variable, then they can proceed. If it doesn't, the list of allowed
    >> hidden items is checked, and the user can proceed only if their item
    >> is on that list. I'm not sure how to set this session variable since
    >> I leave my item list with a link instead of an event. Is there an
    >> event that fires as I leave that page that would allow me to capture
    >> the URL being used and set a session variable? Is there a different
    >> approach I should be looking into? I appreciate anyone with the
    >> patience to have read this far and look forward to your suggestions.
    >> Thanks!
    >>
    >> Matt
     
    MattB, Aug 6, 2004
    #3
  4. This is really a good idea and I have done this in the past. I replaced my
    entire project's Redirects with my utility function GetEncodedURL, and the
    Request("") with GetRequestObj("", Request.Querystring).

    The change was very simple.

    Sekhar.


    "MattB" <> wrote in message
    news:...
    > Thanks for the ideas. I also forgot to mention these pages are in use and
    > I'd like to be able to make changes in the codebehind only.
    > I think the encryption of query strings is probably my best bet because I
    > could do all of that in the codebehind and not have to merge client's page
    > modifications to distribute this.
    >
    > Do you know of a way to encrypt the entire query string (I have a good
    > encryption algorithm already)? I have three variables to pass, and it would
    > be nice to encrypt them all as one string that I could decrypt and parse out
    > afterwards.
    >
    > Brad Quinn wrote:
    > > Instead of constructing a URL you could use a TemplateColumn with a
    > > LinkButton that has the CommandName attribute set to
    > > "ViewItemDetails", for instance. Then wire up the ItemCommand event
    > > for the DataGrid. You can then construct the URL in the event
    > > handler, set a session variable, and do a Response.Redirect.
    > >
    > > However this isn't really going to solve your problem.
    > >
    > > If you want to be able to mail out a link to the item details page,
    > > you have a problem in that there isn't an easy way to authenticate
    > > the user.
    > >
    > > Without authenticating the user the only thing I can think of is
    > > possibly signing or encrypting the query string.
    > >
    > >
    > > "MattB" wrote:
    > >
    > >> Not sure if this is a good approach or not, but I'd like to hear
    > >> some informed opinions. I've designed an ECommerce site that
    > >> interfaces with my company's POS system. I'm trying to make it as
    > >> flexible as possible because we resell it to our clients and they
    > >> all have different needs and preferences.
    > >> So the items for sale are displayed in a datagrid, and in the
    > >> ItemDataBound event, I construct a URL with query strings so that
    > >> when an item is selected, the next page knows what item was chosen.
    > >> The query string seemed like a good way to go because it works well
    > >> from the datagrid, and it makes the system more open, so that a
    > >> client can send out something like an "email special" with the URL
    > >> of an item with a special price that wouldn't show up in the normal
    > >> item list. This openness also creates a security risk, because a
    > >> hacker could look at the query strings being passed and start
    > >> guessing at other items they don't see in the item list and maybe
    > >> buy something the client didn't want to sell (like free stuff).
    > >> So I want to lock this down by having a list of items the client
    > >> needs
    > >> to generate that they would sell that don't appear in the regular
    > >> item list, and have any other non-regular items be denied.
    > >> I was thinking that I'd set a session variable as the user
    > >> leaves the item list page that says what item was selected. Then, on
    > >> the next page (item details) if the query string matches the session
    > >> variable, then they can proceed. If it doesn't, the list of allowed
    > >> hidden items is checked, and the user can proceed only if their item
    > >> is on that list. I'm not sure how to set this session variable since
    > >> I leave my item list with a link instead of an event. Is there an
    > >> event that fires as I leave that page that would allow me to capture
    > >> the URL being used and set a session variable? Is there a different
    > >> approach I should be looking into? I appreciate anyone with the
    > >> patience to have read this far and look forward to your suggestions.
    > >> Thanks!
    > >>
    > >> Matt

    >
    >
    >
     
    Chandra Sekhar, Aug 7, 2004
    #4
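    As an added illustration of what Brad suggests (signing the query string), what Matt asks for (all three values packed into one string that the next page unpacks), and the GetEncodedURL / GetRequestObj pair Sekhar describes: the code below is not from the thread or its authors. It targets modern .NET, and the key, the three parameter names and the `q` query-string name are assumptions; the MAC proves the details page issued the link, so a guessed or edited item id is rejected, but the values themselves stay readable, and a hidden item must still be checked against the allowed list.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread. Packs item, price and promo into one
// query-string value and appends an HMAC so the details page can refuse any
// value it did not issue itself. The key below is a placeholder: load the real
// one from configuration, never embed it in source.
public static class SignedQuery
{
    static readonly byte[] Key = Encoding.UTF8.GetBytes("PLACEHOLDER-KEY-FROM-CONFIG");

    // URL-safe base64 so the value survives the query string without escaping.
    static string B64(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] UnB64(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    // Role of Sekhar's GetEncodedURL: build the signed value for a Redirect or link.
    // Fields are joined with '\n', so reject newlines in them before calling this.
    public static string Encode(string item, string price, string promo)
    {
        string payload = B64(Encoding.UTF8.GetBytes(item + "\n" + price + "\n" + promo));
        using var h = new HMACSHA256(Key);
        return "?q=" + payload + "." + B64(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Role of GetRequestObj: returns {item, price, promo} from the raw q value,
    // or null when the value is malformed or the MAC does not verify.
    public static string[] Decode(string q)
    {
        try
        {
            int dot = q.LastIndexOf('.');
            if (dot < 1) return null;
            string payload = q.Substring(0, dot);
            byte[] given = UnB64(q.Substring(dot + 1));
            using var h = new HMACSHA256(Key);
            byte[] expect = h.ComputeHash(Encoding.UTF8.GetBytes(payload));
            // Constant-time compare so timing does not leak how much of the MAC matched.
            if (!CryptographicOperations.FixedTimeEquals(given, expect)) return null;
            string[] f = Encoding.UTF8.GetString(UnB64(payload)).Split('\n');
            return f.Length == 3 ? f : null;
        }
        catch (FormatException) { return null; }
    }

    public static void Main()
    {
        string url = Encode("SKU-1001", "0.00", "EMAILSPECIAL");   // constructed sample
        string q = url.Substring("?q=".Length);
        Console.WriteLine(Decode(q) != null ? "accepted" : "rejected");           // accepted
        Console.WriteLine(Decode(q.Substring(1)) != null ? "accepted" : "rejected"); // rejected
    }
}
```

The second call in `Main` drops one character of the payload, standing in for a visitor editing the value by hand; the MAC check fails and the page treats it as not found.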
