Is there a way to ensure that a url successfully loads page only on clicking the link provided on a page and preventing url to open if the url is copy pasted in the browser address bar and Enter key is pressed ?
Edit
Session variables is the answer .. very silly question
You can't. Its a browser function and you don't have any control over it.
Users can't be outright prevented from this.
You can try to make it tough though, for example through hidden POST data or through a "proxy" link which acts as a gateway to your page. Session variables come to mind in this case, since you have effectively moved the locking logic server-side.
Related
In Rails, Is it possible to prevent HTTP requests that come from the Browser's address bar ? And only allow navigation through links made within the app ?
I really looking for preventing a user to simply type his destination in the browser and only uses the links provided.
I know It maybe sounds silly. But I'm kind of trying to give a different UX than any regular website.
Is this approach possible? And If yes, How?
And what is the possible disadvantages or deficits that may cause?
For completeness, Yes.
The previous responder is right, this sounds like a bad idea, but it is possible. I imagine it similar to how authentication work. Set a secret value in the session on the first page, ask for it it on the second page the user reaches, if they don't match user didn't use your navigation. Refresh as quickly as needed (every page, for example).
Drawbacks? It's weird, that's not how webpages work. A clicked link (or GET request) is not different than a URL typed in the browser. What do you mean by "different UX than any regular website", the more details we have the easier we can help.
No*.
You can make it harder for a user to guess the correct URL by using obfuscation or use sessions to make the application stateful. But technically a GET request sent by clicking a link or by typing the url in the browser are identical to the server. The former is a form of security by obscurity.
The whole basically violates the core tenants of what a RESTful application does. In REST a resource should be omnipotent - requesting the same resource should provide the same response no matter how the user got there.
If you find that an action should not be able to be performed by typing the address into the browser you are most likely using the HTTP verbs wrong (using GET where you should be using POST, PUT or DELETE) or have a poor authorization system.
We have some sharing elements of our application where we embed logging IDs into the URL's that we share out. When a user clicks that URL, we add a record to our database so we can hopefully follow them throughout the registration process. We've found that if you reset your browser and go to the link the first time, there is no session info from the controller. However, all subsequent requests then have the session. It's almost like it's getting created after the first request.
We attempted to log it via ajax on the view, but this is cumbersome in all the places we want.
Anyone know what sessions wouldn't be available in the controller on first access for a new uesr?
I think you might have code in the wrong order. You must have the session creation before any logic can my applied to it.
Hope this helps.
To my understanding the session variable gets cleared when a users closes their browser. Is there anyway to clear the session variable when a users closes a tab in a browser?
The reason I ask is that I need to differentiate two visits if a user is on the site and closes the tab but not the browser, and the user goes back to the site on a separate tab in the same browser session.
Session variables are server-side, and tab closing is a client-side action, so you'd have to somehow send a signal to the server to clear those session variables.
The most obvious method to me would be to use the browser's onbeforeunload method and ajaxically send something to the server to clear the session.
This is dangerous territory, though. Are you sure you don't want to allow the user to open and use more than one tab of your site at the same time? Because, if I have your site open in two tabs, this technique will clear the session on the close of the one tab, rendering the other tab useless (not usesless, just the rug might have been pulled from under this page, now that session is gone).
Check the following link for best answer:
Why Doesn't Closing A Tab Delete A Session Cookie? .
What you can do is append some random text in end of url's and store it for reference and if the users comes from new tab and doesn't has the random text appended, you can determine the user coming from different tab.
The website viewer would be at page A, click a link that sends then to page B, but I want them to return to page A without them noticing.
When they click the link it changes the layout the viewer is browsing the site with, so the redirection code shouldn't erase or undo the cookies or whatever are stored with the link click. Thanks!
Edit:
Here's what I'm doing. I have a page called setskin.php that has php code that takes header and footer codes for different layouts and applies them. I don't know how to show code without it going crazy, so there's a screenshot of it here:
http://figmint.uuuq.com/Picture%202.png
I want to change my website so that in a sidebar there will be the same setskin options (so it will be on every page). I was fiddling and managed to make it so when you click the link for the skin you want it changes the skin, but then you end up at the setskin.php page, which I don't want. I was looking for a way to make it so it sends you to the setskin.php page (since I couldn't see how to change that) and then back to where you came from.
You should use AJAX. That way you can do whatever processing is needed behind the scenes with zero impact on the user.
You can check the referer header and return to that. But if that isn't set go to a default page?
Other options include putting the previous url as a parameter, like a 'next' parameter. Then redirect to that after you're done. Quite common pattern used for login.
My website is an asp.net-mvc(beta1) website, fully validates and works in all browsers (except obviously in IE6 for this matter).
I can reproduce the error by doing the following:
Make a POST request with some parameters
From the results click one of the generated GET links
Pressing the "BACK" button from the resulted page.
Sometimes the back button does nothing (last request's page keeps on screen, status says "Done")
Sometimes a completely empty page is shown with the correct URL and the "Done" status
Sometimes the res://ieframe.dll/repost.htm page is shown with "Cannot find server" title.
I have yet to find the triggering factor..
I'm guessing IE is not caching anything there so it will re-post the url. Nothing seems to be hitting my controller though.
What is happening? How can I start to debug this or even better: fix this?
Implement POST+REDIRECT+GET?
IE won't re-post without prompting the user. If IE isn't caching the results page (check what cache headers you are sending it), you should get the repost prompt. I don't know why you'd get 'Server not found' instead - sounds like a confused IE installation. (Is it a multiple-IE setup?)
As cletus mentioned, post-redirect-get is generally desirable for successful post forms.
To analyze the traffic between browser and server you should put Fiddler in bewteen.
This way you'll find out if IE6 sends any request at all back to the server upon hitting the back button.