MattB
Not sure if this is a good approach or not, but I'd like to hear some
informed opinions. I've designed an ECommerce site that interfaces with my
company's POS system. I'm trying to make it as flexible as possible because
we resell it to our clients and they all have different needs and
preferences.
So the items for sale are displayed in a datagrid, and in the
ItemDataBound event, I construct a URL with query strings so that when an
item is selected, the next page knows what item was chosen. The query string
seemed like a good way to go because it works well from the datagrid, and it
makes the system more open, so that a client can send out something like an
"email special" with the URL of an item with a special price that wouldn't
show up in the normal item list. This openness also creates a security risk,
because a hacker could look at the query strings being passed and start
guessing at other items they don't see in the item list and maybe buy
something the client didn't want to sell (like free stuff).
So I want to lock this down by having a list of items the client needs
to generate that they would sell that don't appear in the regular item list,
and have any other non-regular items be denied.
I was thinking that I'd set a session variable as the user leaves the
item list page that says what item was selected. Then, on the next page
(item details) if the query string matches the session variable, then they
can proceed. If it doesn't, the list of allowed hidden items is checked, and
the user can proceed only if their item is on that list. I'm not sure how to
set this session variable since I leave my item list with a link instead of
an event. Is there an event that fires as I leave that page that would allow
me to capture the URL being used and set a session variable? Is there a
different approach I should be looking into? I appreciate anyone with the
patience to have read this far and look forward to your suggestions. Thanks!
Matt
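The check the post is after can be done without a session variable at all: the item-details page simply treats the query string as untrusted input and asks the server's own catalog whether the requested item is sellable (regular list or client-published hidden list) and at what price. The following is an added example, not code from the original post or its ASP.NET project; it is framework-independent Python, the catalog tables, item ids, prices and the `shop.example` URLs are all constructed sample data, and the function names are assumptions.

```python
# Added example (not from the original post): a server-side allow-list check
# for the item-details page. Everything in the query string is untrusted; the
# only data the server trusts is its own catalog.
from urllib.parse import urlparse, parse_qs
from decimal import Decimal

# Constructed sample data standing in for the POS-backed catalog tables.
REGULAR_ITEMS = {            # items shown in the normal datagrid
    "A100": Decimal("19.99"),
    "A101": Decimal("24.50"),
}
HIDDEN_SPECIALS = {          # client-generated list of "email special" items
    "S900": Decimal("9.99"),
}
# Items that exist in the POS but were never published for sale, e.g. a
# zero-priced internal SKU. Requests for these must be denied, which happens
# automatically because they are in neither allow-list above.
UNPUBLISHED = {"Z000": Decimal("0.00")}


def item_id_from_url(url):
    """Extract the 'item' query parameter from a link; None if absent or malformed."""
    qs = parse_qs(urlparse(url).query)
    values = qs.get("item", [])
    if len(values) != 1:          # missing or repeated parameter -> reject
        return None
    item_id = values[0].strip()
    # Strict format check: only short alphanumeric ids are ever valid
    if not (1 <= len(item_id) <= 16 and item_id.isalnum()):
        return None
    return item_id


def authorize_item(item_id):
    """Return the server-side price if the item may be sold, else None.

    An item is sellable only if it is in the regular list or in the
    client-generated hidden-specials list. Anything else, including ids that
    exist in the POS but were never published, is denied. The price always
    comes from the server, never from the request.
    """
    if item_id is None:
        return None
    if item_id in REGULAR_ITEMS:
        return REGULAR_ITEMS[item_id]
    if item_id in HIDDEN_SPECIALS:
        return HIDDEN_SPECIALS[item_id]
    return None  # guessed or unpublished ids land here


def handle_details_request(url):
    """Simulate the item-details page: ('ok', price) or ('denied', None)."""
    price = authorize_item(item_id_from_url(url))
    return ("ok", price) if price is not None else ("denied", None)


if __name__ == "__main__":
    for link in (
        "https://shop.example/details.aspx?item=A100",   # regular item
        "https://shop.example/details.aspx?item=S900",   # email special
        "https://shop.example/details.aspx?item=Z000",   # never published
        "https://shop.example/details.aspx?item=../x",   # malformed id
    ):
        print(link, "->", handle_details_request(link))
```

Because every request is evaluated against the catalog on its own, the "which link did the user click" session variable becomes unnecessary, and the email-special links keep working for recipients who never visited the item list. The hidden-specials table is the list the post describes the client generating; an empty table means only regular items can be bought.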