how to control the redirection

psual

hi

newbie in web design I got some issue concerning a secure redirection
between 2 pages

let say I have a page with a grid (the 'master' page)
in this grid I can select a record, get its pk
then I redirect to another page (the 'detail' page) with the pk as
parameter

like : Response.Redirect("~/details.aspx?idKit=mypk")

during the detail page loading, the idKit is processed to load or create the
detail records according to the idKit value
(in fact there can be other optional parameters)

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load

    If Not Page.IsPostBack Then

        If IsNothing(Request.Params("idKit")) Then
            Response.Redirect("~/erreur/NoAccess.htm")
        End If

        hfURL.Value = Request.ServerVariables("HTTP_REFERER")

        hfKit.Value = Request.Params("idKit")

        ' ...... some processing

    End If

End Sub


So nothing special, except that one can access manually and directly to the
'detail' page with "../details.aspx?idKit=x"

if "x" exists as a pk in the master table, he will be able to modify/create
details records without any control

I would like to know if there is a simple way to control this redirection
problem

one more problem : this "detail" page is a generic page that is called by
many "master" pages so we can't test the calling page url
the master page url is simply saved and used to know where to redirect back
after the details processing

I would like to know if there is a simple way to control the redirection to know
if the access to the detail page (and the parameter) is legal

thanks a lot
 
Siberwulf

Try using Server.Transfer(URL);

If you want to pass variables to that page, use the context object.

Context.Items.Add("IdKit", "x");

Then on the destination page, use Context.Items("IdKit") to retrieve
the value.
 
psual

thanks

Siberwulf said:
Try using Server.Transfer(URL);

If you want to pass variables to that page, use the context object.

Context.Items.Add("IdKit", "x");

Then on the destination page, use Context.Items("IdKit") to retrieve
the value.
 
psual

wow that's very nice

with server.transfer(url) it seems easy to disallow direct access for some
pages or I'm doing wrong ?


Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load

    If Not Page.IsPostBack Then
        ' HTTP_REFERER is Nothing on a direct request; comparing the String
        ' itself (no .ToString call) avoids a NullReferenceException
        If Request.ServerVariables("HTTP_REFERER") <> Request.Url.ToString Then
            Response.Redirect("~/erreur/NoAccess.htm")
        End If
    End If
    ' .....

End Sub
 
Mark Fitzpatrick

Something I always do for anything that could be edited on a server: I
implement a membership system. That way I can associate a record with a
particular user(s) and I pass the user's id to my stored procedure along
with the primary key. If there's a match, in other words if the user account
has permission to access it, then I'll return results and can populate edit
forms. I do the same for updates as well, ensuring that the user has the
ability to make the updates before actually updating. At least ASP.Net has
most of the membership functionality you could want easily available now.
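
The ownership check described in the post above, sketched for the 'detail' page as an added example (not code from any poster in this thread): the record is loaded only when the logged-in user owns the requested idKit, which holds however the page was reached, since both the URL parameter and the Referer header are supplied by the client. Assumed names: a connection string "AppDb", a table Kits(idKit, OwnerUserId) and a membership provider whose ProviderUserKey is a Guid; an inline parameterized query stands in for the stored procedure.

```vbnet
Imports System
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web.Security

' Added example: code-behind for the 'detail' page.
' Assumed names (not from the thread): connection string "AppDb",
' table Kits(idKit INT, OwnerUserId UNIQUEIDENTIFIER).
Partial Class Details
    Inherits System.Web.UI.Page

    ' True only when the kit exists AND belongs to the given user.
    Private Shared Function UserOwnsKit(ByVal idKit As Integer, ByVal userId As Guid) As Boolean
        Dim cs As String = ConfigurationManager.ConnectionStrings("AppDb").ConnectionString
        Using cn As New SqlConnection(cs)
            Using cmd As New SqlCommand( _
                "SELECT COUNT(*) FROM Kits WHERE idKit = @idKit AND OwnerUserId = @userId", cn)
                cmd.Parameters.Add("@idKit", SqlDbType.Int).Value = idKit
                cmd.Parameters.Add("@userId", SqlDbType.UniqueIdentifier).Value = userId
                cn.Open()
                Return CInt(cmd.ExecuteScalar()) > 0
            End Using
        End Using
    End Function

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        ' Runs on every request, postbacks included, so a hand-built POST
        ' cannot skip the check.
        Dim user As MembershipUser = Membership.GetUser()   ' Nothing when not logged in
        Dim idKit As Integer
        If user Is Nothing _
           OrElse Not Integer.TryParse(Request.QueryString("idKit"), idKit) _
           OrElse Not UserOwnsKit(idKit, CType(user.ProviderUserKey, Guid)) Then
            Response.Redirect("~/erreur/NoAccess.htm")
            Return
        End If
        ' The caller is authenticated and owns idKit:
        ' load or create the detail records here.
    End Sub
End Class
```

The same UserOwnsKit test belongs in front of every update or insert handler on the page, not only the initial load.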
 
