How to prohibit bypassing a required page?

[antonyliu2002]

Let me try to make clear what my concern is. I think it is a pretty
interesting one, which I think of while I am developing my web
application.

I have an authenticated/authorized web application. People have to
login from http://mydomain.com/ to access the information on my site.

For now, this is working fine. People cannot bypass the login form,
any attempt to check out a page (if they happen to know the file name)
will be redirected to the login page.

Now, after a user successfully logs in, he needs to complete some forms
in a sequence of a few pages. Suppose that form1.aspx is required, the
RequiredField validation check on this page prohibits a user from
proceeding if the required fileds are not filled.

However, a smart user can bypass this page if s/he simply changes the
URL in the address bar, say, from http://mydomain.com/form1.aspx to
http://mydomain.com/form2.aspx. Let's assume that they happen to know
some of the file names over there.

So, here is my question: How to prevent them from bypassing the
required page? I know that I can probably use weird, hard-to-guess or
hard-to-remember file names like
"weoi23lad345aas945kdfa-sldfkj-sdlfas0jdfla2e2er8237pq52e0i9.aspx", but
this is silly and isn't really safe.

Thanks.

 

[sloan]

The best way is IIdentity and IPrincipal, but that may be overkill.


Create on object.

class RegisterPagesCheck
bool Page1Verfied
bool Page2Verified
bool Page3 Verified


When the user sucessfully fills in page1 correctly, then

RegisterPagesCheck newUser = new RegisterPagesCheck ();
newUser.Page1Verified = true;

now put newUser in the SESSION variable.


Session["mykeyname"] = newUser;

...

on page2 load... pull the cached version.

if (null!=Session["mykeyname"])
{
RegisterPagesCheck checkFromSession =
(RegisterPagesCheck )Session["mykeyname"];
}
if (null!= checkFromSession)
{
if (checkFromSession.Form1Verified == false
{
Response.Redirect("./login.aspx");
}
}


somehting like that.

when you get to the Page2 verifiy, you'll still have to get the session
cached object.. and then update
..Page2Verified = true

on page 3, pull the object from session, and check for trues on Page1Verify
and Page2Verify.


...

Check my blog
http://spaces.msn.com/sholliday/ 10/24/2005
for a fancier session object.

 

[antonyliu2002]

Hi, Sloan,

Thanks. IIdentity and IPrincipal are very new to me. I have only a
very small web application with only 4 to 5 pages.

I think an easier solution would be to create the page on-the-fly that
follows the required form1.aspx. This way, a user has nothing to check
out if he does not go through form1.aspx.

You think this would be doable?

The best way is IIdentity and IPrincipal, but that may be overkill.


Create on object.

class RegisterPagesCheck
bool Page1Verfied
bool Page2Verified
bool Page3 Verified


When the user sucessfully fills in page1 correctly, then

RegisterPagesCheck newUser = new RegisterPagesCheck ();
newUser.Page1Verified = true;

now put newUser in the SESSION variable.


Session["mykeyname"] = newUser;

..

on page2 load... pull the cached version.

if (null!=Session["mykeyname"])
{
RegisterPagesCheck checkFromSession =
(RegisterPagesCheck )Session["mykeyname"];
}
if (null!= checkFromSession)
{
if (checkFromSession.Form1Verified == false
{
Response.Redirect("./login.aspx");
}
}


somehting like that.

when you get to the Page2 verifiy, you'll still have to get the session
cached object.. and then update
.Page2Verified = true

on page 3, pull the object from session, and check for trues on Page1Verify
and Page2Verify.


..

Check my blog
http://spaces.msn.com/sholliday/ 10/24/2005
for a fancier session object.

Let me try to make clear what my concern is. I think it is a pretty
interesting one, which I think of while I am developing my web
application.

I have an authenticated/authorized web application. People have to
login from http://mydomain.com/ to access the information on my site.

For now, this is working fine. People cannot bypass the login form,
any attempt to check out a page (if they happen to know the file name)
will be redirected to the login page.

Now, after a user successfully logs in, he needs to complete some forms
in a sequence of a few pages. Suppose that form1.aspx is required, the
RequiredField validation check on this page prohibits a user from
proceeding if the required fileds are not filled.

However, a smart user can bypass this page if s/he simply changes the
URL in the address bar, say, from http://mydomain.com/form1.aspx to
http://mydomain.com/form2.aspx. Let's assume that they happen to know
some of the file names over there.

So, here is my question: How to prevent them from bypassing the
required page? I know that I can probably use weird, hard-to-guess or
hard-to-remember file names like
"weoi23lad345aas945kdfa-sldfkj-sdlfas0jdfla2e2er8237pq52e0i9.aspx", but
this is silly and isn't really safe.

Thanks.

 

[Erik Funkenbusch]

So, here is my question: How to prevent them from bypassing the
required page? I know that I can probably use weird, hard-to-guess or
hard-to-remember file names like
"weoi23lad345aas945kdfa-sldfkj-sdlfas0jdfla2e2er8237pq52e0i9.aspx", but
this is silly and isn't really safe.

Lots of solutions to this problem.

1) if you're using ASP.NET 2.0 you can use the new "Wizard" control that
will provide a sequenced page set of functionality. They can't jump into
the middle of it because it's all happening on one page, fed by postback
values.

2) You can pass postback values yourself to each page. This is relatively
easy to do using ASP.NET 2.0, and a bit more difficult to do with 1.x but
can be done. Then, in each successive page, you test for the presence of a
particular value in the posted data.

3) You can use session variables to indicate the successful completion of a
given page. Then in the next page you check to see if all the requirements
have been met to view that page, otherwise redirect back to the page they
need to coplete. Though this won't work if they close the browser
mid-session and come back to it later.

4) You can store workflow information in a database. For example, maybe
you want to make sure they've agreed to the terms of service before you let
them use the site. You can store the terms of service acknowledgement in
the database.

5) You can generate unique sequence id's and pass them on the URL. When
the user finishes a page, you add a sequence ID to a table and associate it
with a certain page. When that sequence id is requested, you retrieve that
page via a User Control or Server Side Include.

There are really a lot of potential ways to handle this, how you do it is
up to you.

 

[antonyliu2002]

The options you offer are really great, although probably only option 3
sounds easier for me to handle (I am very new to the .Net platform) for
my small web application.

I guess I am gonna use option 3. Then when the "Continue" button on
form1.aspx is clicked, I create a session object "form1_done" and let
it equal "true".

Then in Sub Page_Load of form2.aspx, I check this session object, and
if it is there and has the value "true", I do nothing, otherwise, I
Response.Redirect("form1.aspx").

Will this work? Or is there a better solution? I don't have access to
my web server at this moment, so I cannot test it.