Passing Arguments to Web Forms (Revisited)

Discussion in 'ASP .Net' started by Jonathan Wood, Feb 11, 2008.

  1. I'm still having issues with this and would love to hear from more people
    about how they are approaching this issue.

    After thinking about all the ways to pass arguments to a Web form (query
    strings, context items, application objects, view state), I started favoring
    using the Session object. I created a generic method that retrieved a
    variable from the Session object and then deleted it so that I didn't end up
    with a ton of unused variables for each user.

    The problem with this approach is that, if the user hits refresh, all is
    lost. My view state is gone and, since I deleted the session object
    variables, they are gone also.

    I looked into PreviousPage.ViewState but this does not seem to be available.
    Also, I suspect a refresh would trash that as well.

    Everything seems to be pointing to query strings. But I hate the fact that
    even the most casual of users could modify the query arguments (or just type
    them wrong) and end up changing someone else's data. I know I could perform
    verification of the user, but for some tasks, this requires additional trips
    to the database, which I would like to minimize.

    How is everyone else doing this on sites that require the user to be logged
    in?

    Thanks.
     
    Jonathan Wood, Feb 11, 2008
    #1

  2. > Everything seems to be pointing to query strings. But I hate the fact that

    Query strings. Most of our urls end with "?id={GUID}". We retrieve the user
    from the Membership provider and the page data database. We then ensure that
    the page data belongs to the authenticated user.

    If you want to minimize trips to the DB you could construct a SQL Join when
    retrieving the page data:

        select * from MyTable t
        inner join Users u on t.UserId = u.UserId
        where t.id = @id and u.username = @username

    If you get no rows back then the querystring parameter isn't valid for that
    user.
     
    Scott Roberts, Feb 11, 2008
    #2

  3. Scott,
    My SQL isn't up to where it should be. I was thinking about just doing a
    WHERE clause. I guess it doesn't matter how, your point seems to be to use
    query strings and then provide some sort of verification when going to the
    database.

    I have a site where users can perform certain tasks, but then the same tasks
    can also be done by a trainer, who signs up users. So when the end user is
    performing the tasks, I can compare to the current user. But when the
    trainer is doing the tasks, then he won't match the user associated with the
    data.

    Anyway, I appreciate your input. I may need to go that way. But it doesn't
    seem ideal.
     
    Jonathan Wood, Feb 11, 2008
    #3
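
Added example, not code from any of the posts above: the ownership-scoped lookup from reply #2, extended to the trainer case raised in reply #3, run against an in-memory SQLite database. The `TrainerClients` table, the sample users and ids, and the function names are assumptions made for illustration; the username is taken to come from the authenticated session, never from the request.

```python
import sqlite3

# Constructed schema. MyTable and Users follow the query in reply #2;
# TrainerClients is an assumed table that records who trains whom.
SCHEMA = """
CREATE TABLE Users (UserId INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL);
CREATE TABLE MyTable (id TEXT PRIMARY KEY,
                      UserId INTEGER NOT NULL REFERENCES Users(UserId),
                      data TEXT);
CREATE TABLE TrainerClients (TrainerId INTEGER NOT NULL REFERENCES Users(UserId),
                             ClientId INTEGER NOT NULL REFERENCES Users(UserId),
                             PRIMARY KEY (TrainerId, ClientId));
"""

# One round trip: the row is returned only when the caller owns it or is
# recorded as a trainer of its owner. Both values are bound parameters.
AUTHORIZED_ROW = """
SELECT t.id, t.data, owner.username AS owner
FROM MyTable t
JOIN Users owner  ON owner.UserId = t.UserId
JOIN Users caller ON caller.username = :username
WHERE t.id = :id
  AND (caller.UserId = t.UserId
       OR EXISTS (SELECT 1 FROM TrainerClients tc
                  WHERE tc.TrainerId = caller.UserId
                    AND tc.ClientId = t.UserId))
"""

def load_page_data(conn, record_id, username):
    """record_id is the untrusted query-string value; username is the
    authenticated identity. Returns a dict, or None when the id is unknown
    or the caller is not allowed to see it (the two are indistinguishable)."""
    row = conn.execute(AUTHORIZED_ROW,
                       {"id": record_id, "username": username}).fetchone()
    return dict(row) if row else None

def build_demo_db():
    """Constructed sample data: two end users and one trainer."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "trainer_tom")])
    conn.executemany("INSERT INTO MyTable VALUES (?, ?, ?)",
                     [("guid-a", 1, "alice plan"), ("guid-b", 2, "bob plan")])
    conn.execute("INSERT INTO TrainerClients VALUES (3, 1)")  # tom trains alice only
    return conn
```

A tampered or mistyped id yields no row, so the page can treat "not found" and "not yours" the same way without a second trip to the database.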