
one for the web developers - query strings (or not!)

FIXED
Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: 24-10-2013

one for the web developers - query strings (or not!)

right, so i have a login page that checks the person's username (and privileges) and then directs them to the appropriate "home" page, which uses query strings.

so essentially the home page url is blah.asp?id=dfnsdf&id2=dsfkd&id3=dfdsf  etc etc

now, for whatever reason the decision is that the home page url should be presented to the end user without those query strings visible.
so i thought, use a dummy "home" page with an iframe tag that contains the real URL. however using query strings would present a problem with that method.

so is there a way of pulling those variables into the dummy home page without using query strings?
as long as i can get the variables into the dummy page i can then use those to populate the required query strings within the iframe tag.

example of script that determines where to direct the user to after login

If strType = "usertype1" Then
	Response.Redirect"/home1.asp?name=" & strUserName & "&contract=" & strContract & "&displayname=" & strDisplayName
ElseIf strType = "usertype2" Then
	Response.Redirect"/home2.asp?name=" & strUserName & "&displayname=" & strDisplayName
ElseIf strType = "usertype3" Then
	Response.Redirect"/home3.asp?name=" & strUserName & "&display=TODAY" & "&jobtype=ALL"
End If


and the iframe tag in the "dummy" home page (this part can't change as the query strings must remain at this point)

<iframe width="100%" src="realhome3.asp?name=gipaq&display=display&jobtype=jobtype" style="position: absolute; height: 100%; border: none"></iframe>
22 REPLIES
Community Veteran
Posts: 5,237
Thanks: 1,321
Fixes: 31
Registered: 16-10-2014

Re: one for the web developers - query strings (or not!)

Change your form to use the post method.

Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: 24-10-2013

Re: one for the web developers - query strings (or not!)

the initial form is already using the post method.
only strUserName comes from the form

Community Veteran
Posts: 5,237
Thanks: 1,321
Fixes: 31
Registered: 16-10-2014

Re: one for the web developers - query strings (or not!)

OK, I'd be inclined to use server-side session variables or client-side cookies. Using session variables can be tricky, and they need to be properly tracked and scoped. However, by using cookies these values are sent to the server on every subsequent request and are IMO easier to manage and maintain; just remember to expire them when the user leaves the site.

Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: 24-10-2013

Re: one for the web developers - query strings (or not!)

ok well client side cookies would make more sense.
the asp script that checks for user/pass etc etc uses session cookies, so if they close the browser session or click logout then it clears the session cookie (it was pre-made script, nothing to do with me that one).

would a client side cookie still permit everything else to use query strings though?
it's just this iframe page that can't use them.
Community Veteran
Posts: 5,237
Thanks: 1,321
Fixes: 31
Registered: 16-10-2014

Re: one for the web developers - query strings (or not!)

If you're already using session cookies on the server then add your data to the cookie jar. With the cookies in the session you only need a single home page with the appropriate logic to code it for the permissions you have. In your sample output above you redirect a successfully logged in user to the home.asp and inside that it has access to the session cookies you've set to create the page with the appropriate content.

Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: 24-10-2013

Re: one for the web developers - query strings (or not!)

at the moment though the page with the appropriate content is driven by query strings, and that cannot change.
you'll see the redirect url contains those query strings - that is the "real" home page.

i need the script that does the redirect to pass the required data to the new iframe page, so that the iframe page can then load the real home page using query strings.
Community Veteran
Posts: 5,237
Thanks: 1,321
Fixes: 31
Registered: 16-10-2014

Re: one for the web developers - query strings (or not!)

You've lost me now, after login what exactly is it you want to happen?

Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: 24-10-2013

Re: one for the web developers - query strings (or not!)

right... at the moment
user logs in. login script checks who they are and redirects them to whatever page they should go to.
that redirect at the moment is a URL with query strings.

what is envisaged is that the redirect actually goes to a "dummy" page that contains an iframe tag.
the url within the iframe tag would load the "real" home page using query strings.

the "dummy" page URL can't use query strings, but still needs to have that data to use in the iframe tag.
Community Veteran
Posts: 5,237
Thanks: 1,321
Fixes: 31
Registered: 16-10-2014

Re: one for the web developers - query strings (or not!)

OK, it’s just got brighter in here. During the login validation process add the variables you need to the session, then redirect the user to the dummy page (dummy.asp), this page then creates the iframe with the correct parameters read from the session vars.

 

Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: 24-10-2013

Re: one for the web developers - query strings (or not!)

ok that's where it becomes a bit of a dark art there, as the session cookie stuff was pre-made and we just bolt it in where required.

if you could point me in the direction as to where stuff gets added to the session?

<%
'Dimension variables
Dim adoCon 		'Database Connection Variable
Dim strCon		'Holds the Database driver and the path and name of the database
Dim rsCheckUser 	'Database Recordset Variable
Dim strAccessDB 	'Holds the Access Database Name
Dim strSQL 		'Database query string
Dim strUserName 	'Holds the user name

'Initialise the strUserName variable
strUserName = Request.Form("txtUserName")

'Check the database to see if user exists and read in their password
'Initialise the strAccessDB variable with the name of the Access Database
strAccessDB = "users"

'Create a connection object
Set adoCon = Server.CreateObject("ADODB.Connection")
			 
'Database connection info and driver
strCon = "Driver={SQL Server}; Server=serveranme; Database=dbname; UID=user; PWD=pass; Option=4"

'Set an active connection to the Connection object
adoCon.Open strCon

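'Create a command object so the user name is sent as a parameter, not as SQL text
Dim cmdCheckUser
Set cmdCheckUser = Server.CreateObject("ADODB.Command")
Set cmdCheckUser.ActiveConnection = adoCon

'Initialise the strSQL variable with a parameterised SQL statement (one ? per value)
strSQL = "select * from table where (field=? or field=?)"
cmdCheckUser.CommandText = strSQL
'200 = adVarChar, 1 = adParamInput
cmdCheckUser.Parameters.Append cmdCheckUser.CreateParameter("u1", 200, 1, 255, Left(CStr(strUserName), 255))
cmdCheckUser.Parameters.Append cmdCheckUser.CreateParameter("u2", 200, 1, 255, Left(CStr(strUserName), 255))

'Query the database
Set rsCheckUser = cmdCheckUser.Execute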

'If the recordset finds a record for the username entered then read in the password for the user
If NOT rsCheckUser.EOF Then
	
	'Read in the password for the user from the database
	If (Request.Form("txtUserPass")) = rsCheckUser("per_Data8") Then
		
		'If the password is correct then set the session variable to True
		Session("blnIsUserGood") = True
		strContract = rsCheckUser("per_Data9")
		strDisplayName = rsCheckUser("pers_name")
		strType = rsCheckUser("per_Data11")
		
		'Close Objects before redirecting
		Set adoCon = Nothing
		Set strCon = Nothing
		Set rsCheckUser = Nothing
		
		'Redirect to the authorised user page and send the users name
		If strType = "Client" Then
			Response.Redirect"client.asp?name=" & strUserName & "&contract=" & strContract & "&displayname=" & strDisplayName
		ElseIf strType = "Engineer" Then
			Response.Redirect"engineer.asp?name=" & strUserName & "&displayname=" & strDisplayName
		ElseIf strType = "SubContractor" Then
			Response.Redirect"/clientportal/sub/sub.asp?name=" & strUserName & "&display=TODAY" & "&jobtype=ALL"
		End If
	End If
End If
		
'Close Objects
Set adoCon = Nothing
Set strCon = Nothing
Set rsCheckUser = Nothing
	
'If the script is still running then the user must not be authorised
Session("blnIsUserGood") = False

'Redirect to the unauthorised user page
Response.Redirect"unauthorised.asp"
%>



 

Community Veteran
Posts: 5,237
Thanks: 1,321
Fixes: 31
Registered: 16-10-2014

Re: one for the web developers - query strings (or not!)

Fix

That would be on this line:

Session("blnIsUserGood") = True

I see no reason as to why you can’t also add :

Session("userName") = strUserName
Session("moreStuf") = myStuff
...

Then later in another page :

Dim sessUser
sessUser = Session("userName")

to extract the values and assign them to variables. Of course you don't need to assign them to variables, you could simply use the values as is, e.g.

If StrComp(Session("userType"), "Admin", vbTextCompare) = 0 Then
    'Do Admin Stuff
End If
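
The approach described in this reply, as an added example that is not part of the original post: a sketch of the dummy page (dummy.asp in the thread) that rebuilds the iframe URL from session values set at login, so nothing identifying the user appears in the dummy page's own URL. The session keys `userName`, `userType`, `contract` and `displayName` and the helpers `QsPair` and `BuildFrameUrl` are assumptions; the target pages and parameter names are taken from the login script above.

```asp
<%
Option Explicit
'Added example, not code from the thread. Assumed session keys, set by the
'login script next to Session("blnIsUserGood"): userName, userType,
'contract, displayName.

'Send anyone without an authenticated session to the unauthorised page
If Session("blnIsUserGood") <> True Then
	Response.Redirect "unauthorised.asp"
End If

'Build one name=value pair, URL-encoding the value (Null or Empty become "")
Function QsPair(strName, varValue)
	QsPair = strName & "=" & Server.URLEncode(varValue & "")
End Function

'Choose the real home page and its query string from server-side state only
Function BuildFrameUrl()
	Dim strUrl
	Select Case Session("userType")
		Case "Client"
			strUrl = "client.asp?" & QsPair("name", Session("userName")) & _
				"&" & QsPair("contract", Session("contract")) & _
				"&" & QsPair("displayname", Session("displayName"))
		Case "Engineer"
			strUrl = "engineer.asp?" & QsPair("name", Session("userName")) & _
				"&" & QsPair("displayname", Session("displayName"))
		Case "SubContractor"
			strUrl = "/clientportal/sub/sub.asp?" & _
				QsPair("name", Session("userName")) & "&display=TODAY&jobtype=ALL"
		Case Else
			strUrl = ""	'Unknown type: no page to show
	End Select
	BuildFrameUrl = strUrl
End Function

Dim strFrameUrl
strFrameUrl = BuildFrameUrl()
If strFrameUrl = "" Then Response.Redirect "unauthorised.asp"
%>
<iframe width="100%" src="<%= Server.HTMLEncode(strFrameUrl) %>" style="position: absolute; height: 100%; border: none"></iframe>
```

The iframe URL is still visible in the page source and can be requested directly, so the framed pages need their own access check.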
Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: 24-10-2013

Re: one for the web developers - query strings (or not!)

i'll give that a go.
i actually just thought of why don't i just put the login page inside the iframe and that would mean no changes needed at all ! but that seems just too easy !
kjpetrie
Rising Star
Posts: 125
Thanks: 14
Fixes: 1
Registered: 19-12-2010

Re: one for the web developers - query strings (or not!)

I have to say this strikes me as terribly insecure. Surely, the correct page should be selected server-side according to the user's identity and not simply passed as a redirection to the browser. Does the redirected page check the identity of the person accessing it? Otherwise, what's to stop someone trying different query strings to see other people's pages?
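
The server-side identity check this post asks about, as an added example that is not part of the original thread: a guard for the top of a real home page such as client.asp, which refuses the request unless the `name` in the query string belongs to the logged-in session. The session keys `userName` and `userType` and the function `RequestIsOwnPage` are assumptions; `blnIsUserGood` and the `name` parameter come from the login script earlier in the thread.

```asp
<%
Option Explicit
'Added example, not code from the thread. Assumes the login script stored
'Session("userName") and Session("userType") when it set
'Session("blnIsUserGood") = True.

'True only when the session is authenticated, has the required user type,
'and the name in the query string is the logged-in user's own name
Function RequestIsOwnPage(strRequiredType)
	RequestIsOwnPage = False
	If Session("blnIsUserGood") <> True Then Exit Function
	If Session("userName") & "" = "" Then Exit Function
	If StrComp(Session("userType") & "", strRequiredType, vbTextCompare) <> 0 Then Exit Function
	If StrComp(Request.QueryString("name") & "", Session("userName") & "", vbTextCompare) <> 0 Then Exit Function
	RequestIsOwnPage = True
End Function

If Not RequestIsOwnPage("Client") Then
	'Mismatch or no login: stop before any user data is read or written
	Response.Status = "403 Forbidden"
	Response.Write "Forbidden"
	Response.End
End If

'From here on, take identity from the session, not from the query string.
'Other identity-derived values (such as contract) should be read the same way.
Dim strUserName
strUserName = Session("userName")
%>
```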

 

Community Veteran
Posts: 14,355
Thanks: 701
Fixes: 10
Registered: 01-08-2007

Re: one for the web developers - query strings (or not!)

 

This.

You say after logging in the script checks the user's permissions and redirects accordingly.. why not just run the appropriate code directly after the user has logged in? - You're overcomplicating things using an iframe.

But.. if you've really got to continue down that road.. does the server you're using (presumably IIS) support anything like Apache's rewrite module? - You could always just rewrite the url and have the script parse details from the url. I'm working on a site that has around 800 static html pages and putting them all into the database with unique addresses that all go via a rewrite rule to one PHP file but that's on a Linux / Apache setup.

Moderator's note by Mike (Mav): Full quote of preceding post removed as per Forum rules.

I need a new signature... i'm bored of the old one!