bypass variables between pages

michael_jhons

hello, i'm developping a website under asp.net(c#), i have a clickable table row, so when the user click the row , i pass the values inside that row column to another page, ("i used javascript to make the click event for the row"),so i used : window.location="anotherpage.aspx?accountNbr="+SomeValue; but by this way it'sot secure, any user could change the value of an account number and could enter his settings. in asp.net i used Session[] to bypass variables, is there a similr way to do that in javascript.Or could hide the address bar ? Thank you in advance for your help and best regards

Manas Bhardwaj

Hidden Variable can solve your problem.:rose:

michael_jhons

hi, thank you for your reply, how do i send the variables in a hidden way, i have to retreive it by asp.net not ny javascript please could you give me a small example or a document address to read about it thank you again

Johnny

You should do the security checking on the server, not on the client. That is, when someone does click a row then you check if that user is allowed to set that account number. Hidden variables are not secure.

michael_jhons

hi jhonny i just don't want the variables to be visible in the location or Address bar, is there any way to do that or to let the location Bar invisible ?

Perspx

If you dont want them to be visible in the URL, you can send them using the POST method :) But as Johnny 2 said, you should do validation on the server side too. Hope this helps, --Perspx

"The Blue Screen of Death, also known as The Blue Screen of Doom, the "Blue Screen of Fun", "Phatul Exception: The WRECKening" and "Windows Vista", is a multi award-winning game first developed in 1995 by Microsoft" - Uncyclopedia Introduction to Object-Oriented JavaScript

michael_jhons

thank you for the help

Perspx

No probs :) Regards, --Perspx

"The Blue Screen of Death, also known as The Blue Screen of Doom, the "Blue Screen of Fun", "Phatul Exception: The WRECKening" and "Windows Vista", is a multi award-winning game first developed in 1995 by Microsoft" - Uncyclopedia Introduction to Object-Oriented JavaScript

Shog9 0

A few things:

You don't control the client. Obvious, right? But i'll repeat it, because too many web devs forget this and we all suffer for it: you don't control the client. So no, you can't hide the address bar, and even if you could there's no guarantee the user couldn't un-hide it, or that the "hide" function would work on all browsers, etc. But more importantly,
A determined user can change anything that gets sent from the client to the server. The address bar is a bit easier to change than, say, POST data... but a savvy user can throw a custom POST together in seconds. Same with cookies. How do you prevent this? You can't - see #1.
Javascript isn't secure. Again, it's maybe a bit less obvious than the URL in the address bar, but just as most browsers let you "View Source" to see how the page itself is built, most also allow debuggers to be attached or custom Javascript (bookmarklets, etc) to be inserted into the page such that variables can be read, edited, etc. I've used this many times on commercial sites to work around breakage, and less kind users may well use it for more nefarious means. Same goes, more or less, for Java applets, Flash, Silverlight, etc... See #1.

Summary: Don't pass anything to the client you don't want the user to see or change. Ever.

Citizen 20.1.01

'The question is,' said Humpty Dumpty, 'which is to be master - that's all.'

michael_jhons · Citizen 20.1.01

Dear jushoa, i don't want to control the client, i just want to send the variables without be visible in the QueryString, these variables will be displayed inside a forme which the user can manipulate them.

Shog9 0

michael_jhons wrote:

i just want to send the variables without be visible in the QueryString, these variables will be displayed inside a forme which the user can manipulate them.

Then it really doesn't matter, does it? Whether they're manipulating the variables with your form or by editing the URL directly, that is. A good rule of thumb: use GET (querystring) requests for information (no changes made server-side). Use POST (form) requests to perform actions (store / update data server-side). Keep in mind, if you're storing data in a session server-side, you can just write that into the page itself to make it available to scripts.

Citizen 20.1.01

'The question is,' said Humpty Dumpty, 'which is to be master - that's all.'