Topic: Restricting a user from going to a certain page directly

I guess this post could apply to all web programming languages but since I am using ASP, this might be the best place.

I have a form that I want users to fill out and when they click submit it takes them to a success page (typical scenario). On the success page is where I have my ASP code that actually inserts the data into the database. The problem is that if a user knows the address to the success page (e.g. http://www.blah.com/success.asp) and goes directly to it, it will submit blank data to the database.

How would I go about preventing the user from going directly to that success page without first going to the form and filling it out?

Exercise your faith!

Re: Restricting a user from going to a certain page directly

You could easily set a condition that would look for a POST or GET variable/value pair (form_submit=true or something like that) and if that condition is not met, redirect them back to the form page.

In PHP and Ruby, I usually roll my forms into one script, that has conditions determining what actions are taken: Show the empty form, show a partially filled out, (non)-validated form, show the success message if all form conditions are met, or more if I so desire.

I've done the same with ASP back in the day, so let us know if you need anything else.

Re: Restricting a user from going to a certain page directly

Thanks very much AJP. I opted to check it against a POST variable and redirect back to the form page.


Re: Restricting a user from going to a certain page directly

I would agree with ajp about keeping all of your code on 1 page; i.e. form, postback condition and processing, redirect to confirmation. It keeps things more packaged together from a functionality perspective. If you are worried about "too much" code on 1 page, then put a processing page between the form and the confirmation/error page (this would allow you to post to 1 logic page from 2 forms (add/edit)). ajp's suggestion of using a hidden field to alert your code to the "state" in the process "action=save" or in my second scenario action=add or action=save/edit is an excellent way to control that postback condition.

Re: Restricting a user from going to a certain page directly

Awesome, glad I could help out.

I definitely am a proponent of keeping everything in one file. This allows me to keep my logic for the form at the top, and is easily accessible. At the same time, it keeps all my functions organized, so that if I were to move things around, all my logic for this object stays in one place. And file size isn't a problem. Textmate allows you to fold it all. :)

Extending that example of rolling forms in one page, I usually do something along the following (pseudo-PHP):

<?php

// usually from POST/GET; the "add" default here is a placeholder
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'add';
// unique ID of the object, usually from POST/GET
$id = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : 0;

switch ($action) {
  case "add":
    show_form();  // SHOWS AN EMPTY FORM FOR NEW RECORD
    break;
  case "edit":
    show_form($id); // SHOWS AN EDIT FORM FOR RECORD
    break;
  case "success":
    show_success(); // DOES SUCCESS ACTIONS
    break;
} // end switch

// The end of the switch statement ends all of my logic for each individual action.
// Everything is passed to the appropriate function in the switch.

function show_form($id = 0) {
    // DISPLAY THE FORM,
    // use the ID to get info and display it if an ID is passed
    // It also allows me to use the same function for both add and edit
}

function show_success() {
    // DO SOMETHING ON SUCCESS
}

function insert_object() {
    // do the appropriate SQL magic to insert
}

// ... As many functions as you need.

?>

Last edited by ajp (2006-08-24 18:25:31)

Re: Restricting a user from going to a certain page directly

Here's an alternate method where a simple session variable would serve this purpose.

a) in the form submit method, set Session["userstatus"] = "validform";
b) in the page load method of the success page put this check:

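    // A direct visit leaves Session["userstatus"] null, so compare without dereferencing it
    if (!"validform".Equals(Session["userstatus"]))
    {
        //redirect to home page
        return; // stop here so the database update below never runs
    }

    Session["userstatus"] = String.Empty;

    // perform database update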

Content Management with Standards In Mind: Vine Type | www.vinetype.com
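
The two checks suggested in this thread, processing only on POST and a session value set when the form is served, combined into one handler. This is an added example, not code from any poster; it also generalises the session flag into a single-use random token and re-checks the fields server-side, since a hidden `form_submit=true` value can be sent by anyone. The function names, the `token`, `name` and `email` fields and the returned action strings are assumptions.

```php
<?php
// Added example, not code from the thread. Function and field names are hypothetical.

// Form page: store a one-time token in the session and return it for a hidden field.
function issue_form_token(array &$session): string {
    $session['form_token'] = bin2hex(random_bytes(16));
    return $session['form_token'];
}

// Success page: returns 'insert' only for a POST that carries the token issued
// with the form and has non-blank fields; every other request is turned away.
function handle_success(string $method, array $post, array &$session): string {
    if ($method !== 'POST') {
        return 'redirect_to_form';            // someone typed the success URL
    }
    $expected = $session['form_token'] ?? '';
    unset($session['form_token']);            // single use, so a reload cannot insert twice
    $given = $post['token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return 'redirect_to_form';            // POST that did not come from our form
    }
    foreach (['name', 'email'] as $field) {
        $value = $post[$field] ?? null;
        if (!is_string($value) || trim($value) === '') {
            return 'show_form_with_errors';   // never write blank rows
        }
    }
    return 'insert';                          // caller runs its parameterized INSERT here
}

// Constructed requests; a plain array stands in for $_SESSION so this runs from the CLI.
$session = [];
$filled = ['name' => 'Ann', 'email' => 'ann@example.com'];

issue_form_token($session);
echo 'direct GET:        ', handle_success('GET', [], $session), "\n";
echo 'flag-only POST:    ', handle_success('POST', ['form_submit' => 'true'], $session), "\n";

$token = issue_form_token($session);
echo 'blank fields:      ', handle_success('POST', ['token' => $token, 'name' => ' '], $session), "\n";

$token = issue_form_token($session);
$request = $filled + ['token' => $token];
echo 'real submission:   ', handle_success('POST', $request, $session), "\n";
echo 'replayed POST:     ', handle_success('POST', $request, $session), "\n";
```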

Re: Restricting a user from going to a certain page directly

Hey guys thanks for the suggestions and pseudo code. I think those pages I was working on might be launched soon, so I'll try and see if I can make the changes. If not then the current solution that I used above will stay and I will make sure that in future projects I use the single page solution. I really appreciate the help.

Peace and God Bless.
