How to Limit user from direct access using session?

(Using ASP 3 with VBScript)

I have a website that has a page I need to protect from direct accessing. What the site does is that when the user fills the order form and hits submit, he is transferred to a redirect.asp page where he is transferred to the third party website where he completes the payment process.

As of now anybody can enter www.mysite.com/redirect.asp and access the page directly. I want the user to restrict so he fills in the order and only upon clicking the submit button he is transferred to redirect.asp

I want to protect a page from accessing directly with the help of session

I am new to ASP and have never used/implemented sessions.

How can I go about making sessions to limit the user from directly typing in the address and go on the page directly. The page should only be accessed when he fills the form on form.asp and hits Submit.

Thanks in advance

Comments

  • FlakesFlakes Member Posts: 642
    In the form page, once the page is submitted, assign a value to a session variable.
    Like Session("submitted")="yes"

    and in the redirect page, check this value:

    if trim(Session("submitted"))<> "" then
    response.redirect
    End if

    Is that what you are asking?

  • DonChoudhryDonChoudhry Member Posts: 5
    I just inserted Session("submitted")="yes" in the processing code (b/w head tag) in the index.asp page where my form resides. In the redirecting page, redirect.asp, I have inserted the following

    <% If trim(Session("submitted"))<> "" Then %>








    <% Else
    response.redirect "index.asp"
    End If
    %>

    Ideally it should do the trick. But now if I fill the form and hit submit I get transferred to index.asp and if I type mywebsite\redirect.asp, then too, I get transferred to index.asp. Kindly suggest what is wrong here. Thanks

    _______________________________________________________________________

    Yes, I think you got me right. If not, read the flow of the pages at the end to understand it better.

    1. There is index.asp page which itself contains an order form.

    2. Upon clicking the submit button the values get stored in my database and the user is transferred to a page called redirect.asp

    3. Redirect.asp itself contains hidden fields which are transferred to the third party payment site. So as the user is transferred to redirect.asp, both the values and the user himself are being transferred to the third party site.

    The problem is that the user can easily type in redirect.asp and get transferred to the third party website without even filling in the form. So that's why I want to restrict the users so that they cannot access redirect.asp page unless they hit submit button on the form inside index.asp page

    I hope I am clear now
  • FlakesFlakes Member Posts: 642
    In the index.asp page, after you have assigned the value Session("submitted")="yes", do a:
    Response.write "Debug:Submitted="&Session("submitted")
    Response.end

    What do you see? If no value is shown, then the Session variable is getting no value...

    What you are doing now should work, don't know why it isn't...

    Can you show the code where you assign the value in index.asp?


  • zythophiloszythophilos Member Posts: 7
    I don't know. I didn't read it with attention. But, how about using the value of request.servervariables("HTTP_REFERER") for checking the user's origin? If this variable has no value or if its value isn't the form's URL the user is blocked or redirected to an unauthorized page.


  • DonChoudhryDonChoudhry Member Posts: 5
    [b][red]This message was edited by DonChoudhry at 2004-11-4 16:15:2[/red][/b][hr]
    You have got to help me Sir .. this thing is eating me alive ... :(

    Here is the code that I have been trying:

    Index.asp : The page starts with the coding for opening and adding value in the form into the database. Then there is a form which the user is supposed to fill. At the end I have written the following code

    <%
    Session("submitted")="yes"
    Response.write "Debug:Submitted="&Session("submitted")
    Response.end
    %>

    So the purpose of the page is that the values in the form get stored in the database when the user hits submit button, user goes to redirect.asp, session becomes activated with value "Yes" so I can check at the other page whether he is coming from index.asp or not. Debugging gives me "Yes" so I know value is being set

    Redirect.asp: The page is nothing but a message showing the user that he is being redirected to 2CheckOut.com website to complete the process. Following is the code I have to check the user whether he is coming from index.asp or not. If a user is coming from index.asp he is being forwarded to 2checkout.com's website along with a form, if not then he is taken back to index.asp so he can fill the form before accessing this page

    <% If (trim(Session("submitted")) <> "") Then %>








    <% Else
    response.redirect "index.asp"
    Response.end
    End If
    %>

    Although I am very new to asp v3 but logically I see no problem that should arise after this code. But whether I try to access redirect.asp page by clicking Submit button on index.asp or type in direct address of redirect.asp on the address bar, the code takes me back to index.asp

    PLEASE HELP!!!!


  • FlakesFlakes Member Posts: 642
    [b][red]This message was edited by Flakes at 2004-11-4 22:35:4[/red][/b][hr]
    Try this:

    [code]
    <%
    response.write "Debug:Session="&Session("submitted")
    If (trim(Session("submitted")) = "yes") Then

    %>








    <% Else
    response.redirect "index.asp"
    Response.end
    End If
    %>
    [/code]

    It should work. If it doesn't, then there is another way to check if the request is coming from index.asp, using the request.servervariables collection:
    [code]
    <%
    Dim pos
    pos=inStr(request.ServerVariables("HTTP_REFERER"),"index.asp")

    If pos=0 Then 'it is not from index.asp
    response.redirect "index.asp"
    Else
    %>








    <%End If%>
    [/code]


    Let us know how it goes.


  • DonChoudhryDonChoudhry Member Posts: 5
    [b][red]This message was edited by DonChoudhry at 2004-11-5 6:53:29[/red][/b][hr]
    Sir, you are right ... The session variable is not being carried over to redirect.asp. I know because I set a variable "submitted" to "Yes" in the index.asp ... Then on redirect.asp page I wrote-- response.write "Debug:Session="&Session("submitted")-- Upon clicking submit button on index.asp there was no value returned on redirect.asp page.

    I tried your second suggestion as well but same result ... no variable named "pos" was forwarded to redirect.asp and it took me back to index.asp

    I can't figure out why the session or any other value is not being forwarded to another page. I have used dreamweaver to connect and add data in the database. I am pasting the complete code that dreamweaver generated for index.asp as well as the code for redirect.asp so maybe it could be any help to you to look into my problem

    index.asp:

    <%@LANGUAGE="VBSCRIPT"%>;

    <%
    ' *** Edit Operations: declare variables

    Session("submitted")="yes"

    Dim MM_editAction
    Dim MM_abortEdit
    Dim MM_editQuery
    Dim MM_editCmd

    Dim MM_editConnection
    Dim MM_editTable
    Dim MM_editRedirectUrl
    Dim MM_editColumn
    Dim MM_recordId

    Dim MM_fieldsStr
    Dim MM_columnsStr
    Dim MM_fields
    Dim MM_columns
    Dim MM_typeArray
    Dim MM_formVal
    Dim MM_delim
    Dim MM_altVal
    Dim MM_emptyVal
    Dim MM_i

    MM_editAction = CStr(Request.ServerVariables("SCRIPT_NAME"))
    If (Request.QueryString <> "") Then
    MM_editAction = MM_editAction & "?" & Server.HTMLEncode(Request.QueryString)
    End If

    ' boolean to abort record edit
    MM_abortEdit = false

    ' query string to execute
    MM_editQuery = ""
    %>
    <%
    ' *** Insert Record: set variables

    If (CStr(Request("MM_insert")) = "form1") Then

    MM_editConnection = MM_connGYTP_STRING
    MM_editTable = "PersonalInfo"
    MM_editRedirectUrl = "redirect.asp"
    MM_fieldsStr = "TopicCategory|value|TopicTitle|value|PaperDetails|value|Sources|value|PaperFormat|value|CourseLevel|value|PagesRequired|value|Deadline|value"
    MM_columnsStr = "TopicCategory|',none,''|TopicTitle|',none,''|PaperDetails|',none,''|Sources|none,none,NULL|PaperFormat|',none,''|CourseLevel|',none,''|PagesRequired|none,none,NULL|DeadLine|',none,''"

    ' create the MM_fields and MM_columns arrays
    MM_fields = Split(MM_fieldsStr, "|")
    MM_columns = Split(MM_columnsStr, "|")

    ' set the form values
    For MM_i = LBound(MM_fields) To UBound(MM_fields) Step 2
    MM_fields(MM_i+1) = CStr(Request.Form(MM_fields(MM_i)))
    Next

    ' append the query string to the redirect URL
    If (MM_editRedirectUrl <> "" And Request.QueryString <> "") Then
    If (InStr(1, MM_editRedirectUrl, "?", vbTextCompare) = 0 And Request.QueryString <> "") Then
    MM_editRedirectUrl = MM_editRedirectUrl & "?" & Request.QueryString
    Else
    MM_editRedirectUrl = MM_editRedirectUrl & "&" & Request.QueryString
    End If
    End If

    End If
    %>
    <%
    ' *** Insert Record: construct a sql insert statement and execute it

    Dim MM_tableValues
    Dim MM_dbValues

    If (CStr(Request("MM_insert")) <> "") Then

    ' create the sql insert statement
    MM_tableValues = ""
    MM_dbValues = ""
    For MM_i = LBound(MM_fields) To UBound(MM_fields) Step 2
    MM_formVal = MM_fields(MM_i+1)
    MM_typeArray = Split(MM_columns(MM_i+1),",")
    MM_delim = MM_typeArray(0)
    If (MM_delim = "none") Then MM_delim = ""
    MM_altVal = MM_typeArray(1)
    If (MM_altVal = "none") Then MM_altVal = ""
    MM_emptyVal = MM_typeArray(2)
    If (MM_emptyVal = "none") Then MM_emptyVal = ""
    If (MM_formVal = "") Then
    MM_formVal = MM_emptyVal
    Else
    If (MM_altVal <> "") Then
    MM_formVal = MM_altVal
    ElseIf (MM_delim = "'") Then ' escape quotes
    MM_formVal = "'" & Replace(MM_formVal,"'","''") & "'"
    Else
    MM_formVal = MM_delim + MM_formVal + MM_delim
    End If
    End If
    If (MM_i <> LBound(MM_fields)) Then
    MM_tableValues = MM_tableValues & ","
    MM_dbValues = MM_dbValues & ","
    End If
    MM_tableValues = MM_tableValues & MM_columns(MM_i)
    MM_dbValues = MM_dbValues & MM_formVal
    Next
    MM_editQuery = "insert into " & MM_editTable & " (" & MM_tableValues & ") values (" & MM_dbValues & ")"

    If (Not MM_abortEdit) Then
    ' execute the insert
    Set MM_editCmd = Server.CreateObject("ADODB.Command")
    MM_editCmd.ActiveConnection = MM_editConnection
    MM_editCmd.CommandText = MM_editQuery
    MM_editCmd.Execute
    MM_editCmd.ActiveConnection.Close

    If (MM_editRedirectUrl <> "") Then
    Response.Redirect(MM_editRedirectUrl)
    End If
    End If

    End If
    %>


    .........

    redirect.asp: (The code in b/w the tag)

    You are being directed to 2CheckOut.com to complete the order process. Click the button below if your browser doesn't take you to 2.CheckOut.com automatically

    <%
    response.write "Debug:Session="&Session("submitted")
    If (trim(Session("submitted")) = "yes") Then

    %>








    <% Else
    response.redirect "index.asp"
    Response.end
    End If
    %>

    THANKS A LOT FOR YOUR HELP


  • FlakesFlakes Member Posts: 642
    Find these lines:
    [code]
    If (MM_editRedirectUrl <> "") Then
    Response.Redirect(MM_editRedirectUrl)
    End If

    [/code]

    And Change it to:
    [code]
    If (MM_editRedirectUrl <> "") Then
    Server.Transfer(MM_editRedirectUrl)
    End If

    [/code]

    Let us know what happens, I will look in later.


  • DonChoudhryDonChoudhry Member Posts: 5
    I can't express myself ... I am sooooooooooooo relieved ... Thanks a lot

    I just did what you said and it worked like a charm. As if there was no problem at all .. and yet I was fighting this for days ... I feel so stupid now .. Thanks

    If you can teach me what I was doing wrong maybe I can avoid similar mistakes later on

    Thanks a billion and I LOVE this message board
  • FlakesFlakes Member Posts: 642
    I am glad it worked for you.

    I will take part blame for it taking so long. I thought response.redirect will preserve the session values. I know that response.redirect will lose all the variables set in the form, but session? Oh well, let me do some digging, if I find anything, I will let you know.

    It worked with Server.Transfer because Server.Transfer preserves variables. And sessions too, it seems. My only doubt was whether your web server will support it. Older versions of ASP don't have this. There are some real drawbacks in using this, maybe you should do a google about it to find more...

    Happy Programming.
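
An added example (not code from any poster in this thread) of the session gate discussed above, in Classic ASP/VBScript: the flag is granted only after a POSTed order has been handled, rather than on every load of index.asp as in the posted code, and redirect.asp consumes it once within a time limit. The file name gate.asp, the helper names GrantGate and ConsumeGate, and the 300-second limit are assumptions; HTTP_REFERER is not used because that header is supplied by the browser and may be absent or altered.

```asp
<%
' ===== gate.asp (hypothetical include; named .asp so IIS never serves it as text) =====
Const GATE_KEY = "submitted"      ' same session key the thread uses
Const GATE_TTL_SECONDS = 300      ' assumption: five minutes is long enough

' index.asp calls this only after a POSTed order was stored successfully.
Sub GrantGate()
    Session(GATE_KEY) = Now()     ' store the grant time instead of "yes"
End Sub

' redirect.asp calls this. Returns True at most once per grant;
' the flag is cleared whether or not the check passes.
Function ConsumeGate()
    Dim grantedAt, age
    ConsumeGate = False
    grantedAt = Session(GATE_KEY)            ' Empty when never granted
    If IsDate(grantedAt) Then
        age = DateDiff("s", grantedAt, Now())
        If age >= 0 And age <= GATE_TTL_SECONDS Then ConsumeGate = True
    End If
    Session.Contents.Remove GATE_KEY         ' one-time: a reload is refused
End Function
%>

<!-- ===== index.asp: replaces the unconditional Session("submitted")="yes" ===== -->
<!-- #include file="gate.asp" -->
<%
If Request.ServerVariables("REQUEST_METHOD") = "POST" _
   And CStr(Request.Form("MM_insert")) = "form1" Then
    ' ... validate the fields and run the database insert here,
    '     i.e. where the posted code reaches "If (Not MM_abortEdit) Then" ...
    GrantGate
    Server.Transfer "redirect.asp"           ' the call that worked in the thread
End If
%>

<!-- ===== redirect.asp ===== -->
<!-- #include file="gate.asp" -->
<%
If Not ConsumeGate() Then
    ' Direct requests, replays and expired grants all end up here.
    Response.Redirect "index.asp"
End If
%>
<!-- the hidden-field form posted to the payment site goes here -->
```

Because Server.Transfer runs redirect.asp inside the same request, the grant made in index.asp is visible there without the browser having to return a session cookie.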



