Passing Arguments to Web Forms (Revisited)

Jonathan Wood

I'm still having issues with this and would love to hear from more people
about how they are approaching this issue.

After thinking about all the ways to pass arguments to a Web form (query
strings, context items, application objects, view state), I started favoring
using the Session object. I created a generic method that retrieved a
variable from the Session object and then deleted it so that I didn't end up
with a ton of unused variables for each user.

The problem with this approach is that, if the user hits refresh, all is
lost. My view state is gone and, since I deleted the session object
variables, they are gone also.

I looked into PreviousPage.ViewState but this does not seem to be available.
Also, I suspect a refresh would trash that as well.

Everything seems to be pointing to query strings. But I hate the fact that
even the most casual of users could modify the query arguments (or just type
them wrong) and end up changing someone else's data. I know I could perform
verification of the user, but for some tasks, this requires additional trips
to the database, which I would like to minimize.

How is everyone else doing this on sites that require the user to be logged
in?

Thanks.
 
Scott Roberts

> Everything seems to be pointing to query strings. But I hate the fact that
> even the most casual of users could modify the query arguments (or just
> type them wrong) and end up changing someone else's data. I know I could
> perform verification of the user, but for some tasks, this requires
> additional trips to the database, which I would like to minimize.
>
> How is everyone else doing this on sites that require the user to be
> logged in?

Query strings. Most of our urls end with "?id={GUID}". We retrieve the user
from the Membership provider and the page data database. We then ensure that
the page data belongs to the authenticated user.

If you want to minimize trips to the DB you could construct a SQL Join when
retrieving the page data:

    select *
    from MyTable t
    inner join Users u on t.UserId = u.UserId
    where t.id = @id and u.username = @username

If you get no rows back then the querystring parameter isn't valid for that
user.
 
Jonathan Wood

Scott,
> Query strings. Most of our urls end with "?id={GUID}". We retrieve the
> user from the Membership provider and the page data database. We then
> ensure that the page data belongs to the authenticated user.
>
> If you want to minimize trips to the DB you could construct a SQL Join
> when retrieving the page data:
>
>     select *
>     from MyTable t
>     inner join Users u on t.UserId = u.UserId
>     where t.id = @id and u.username = @username
>
> If you get no rows back then the querystring parameter isn't valid for
> that user.

My SQL isn't up to where it should be. I was thinking about just doing a
WHERE clause. I guess it doesn't matter how, your point seems to be to use
query strings and then provide some sort of verification when going to the
database.

I have a site where users can perform certain tasks, but then the same tasks
can also be done by a trainer, who signs up users. So when the end user is
performing the tasks, I can compare to the current user. But when the
trainer is doing the tasks, then he won't match the user associated with the
data.

Anyway, I appreciate your input. I may need to go that way. But it doesn't
seem ideal.
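
Added example, not part of any post in this thread: the ownership-checked fetch discussed above, extended so that a trainer can also load a trainee's record, still in a single query. It runs against an in-memory SQLite database with constructed rows; `MyTable`, `Users`, `id`, `UserId` and `username` follow the thread, while the `TrainerId` column, the `payload` column and the function names are assumptions made for illustration.

```python
import sqlite3

# Constructed schema and rows. TrainerId (assumed) links a user to the
# trainer who signed them up; NULL means the user has no trainer.
SCHEMA = """
CREATE TABLE Users (UserId INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
                    TrainerId INTEGER REFERENCES Users(UserId));
CREATE TABLE MyTable (id TEXT PRIMARY KEY,
                      UserId INTEGER NOT NULL REFERENCES Users(UserId),
                      payload TEXT);
INSERT INTO Users VALUES (1, 'trainer_tom', NULL), (2, 'alice', 1), (3, 'bob', NULL);
INSERT INTO MyTable VALUES ('guid-alice', 2, 'alice plan'), ('guid-bob', 3, 'bob plan');
"""

# One round trip: the row comes back only if the authenticated caller owns it
# or is the owner's trainer. Both values are bound parameters, never
# concatenated into the SQL text.
AUTHORIZED_FETCH = """
SELECT t.id, t.payload, owner.username AS owner
FROM MyTable t
JOIN Users owner ON owner.UserId = t.UserId
LEFT JOIN Users trainer ON trainer.UserId = owner.TrainerId
WHERE t.id = :id
  AND (owner.username = :caller OR trainer.username = :caller)
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    return db

def fetch_page_data(db, record_id, caller):
    """Return the row as a dict, or None if the id is unknown or not the caller's.

    caller must come from the authenticated session, never from the request.
    Unknown and forbidden ids return the same result, so the response does
    not reveal which ids exist.
    """
    row = db.execute(AUTHORIZED_FETCH, {"id": record_id, "caller": caller}).fetchone()
    return dict(row) if row else None

if __name__ == "__main__":
    db = open_db()
    for caller in ("alice", "trainer_tom", "bob"):
        print(caller, "->", fetch_page_data(db, "guid-alice", caller))
```

Because the authorization test lives in the `WHERE` clause, a tampered or mistyped `id` in the query string costs no extra database trip: the same query that loads the data also rejects it.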
 
