Stop users from accessing pages through bookmarks


Markbad311
01-09-2008, 09:33 AM
I have a website. On this website is user authentication. Users log in. Once logged in they can run a series of reports and display information. The page flow looks like this in almost all cases.


Login --> SelectReport(link) --> Specify Criteria(form) --> Results

The issue here is people bookmark the results page. They may log in with one browser window, and then simply directly request the results page. When they do this, SQL statements crash, amongst many other weird mishaps, because very simply, the form variables aren't there.

We have hundreds of pages and this kind of overhaul would be too crazy. Does anyone know of a simple solution?

sstalder
01-09-2008, 02:09 PM
So you have a login system on ONE page? Then on every other page it has no checks to make sure you are actually logged in?

I would say you need to start by creating login variables (cookies or session) and check for them on all the pages you speak of. If they don't exist then direct to the "homepage".

Markbad311
01-09-2008, 03:08 PM
Absolutely the opposite.

You can't just view it without being logged in; that would be absurd. Instead, if users ARE logged in, they can try to access a page through a bookmark or by cutting and pasting a URL into the address bar that they saved after previously viewing a report on that page. That gives them very mixed results because
A) no form POST variables are there.
B) based on things missing from the form variables, they can see confidential information.

This was clearly an error in building these forms in the first place, but in hindsight we need a solution, a "cover all" to accomplish this in any page.

I have tried checking referrers. This works great, but unfortunately we have a lot of JavaScript links and IE doesn't deliver the HTTP_REFERRER header. So that's a wash.

We have thought of a bunch of different things but it comes down to this simple concept... NO DIRECT REQUESTS.

If they didn't come from a page in the site, it's back to the home page with them, because more often than not users open up a new browser window and use two to switch back and forth between data. This is legal, but I want them to have to start from the home page if they do that.

Hope I didn't lose anyone. If you have any more questions to clear it up, I will keep checking back.

sstalder
01-09-2008, 04:02 PM
What if you place in each of these pages something like:

<%
' Classic ASP: no POST body means the request did not come from the criteria form
If Request.Form.Count = 0 Then
    Response.Status = "302 Object Moved"
    Response.AddHeader "Location", "http://www.homepage.com/"
    Response.End
End If
%>

(I think I got the addHeader line wrong, but a quick google search and you will get the right syntax)

vanny
01-09-2008, 06:12 PM
What about passing a date/time stamp in the querystring to the page, from the previous page.

At the start of the create page, check if the date/time stamp is in a reasonable range (say 20 seconds), if so process page, otherwise take them back to login, or that 2nd page of the system.

itHighway2007
01-11-2008, 11:24 PM
I guess the simplest thing you need to do is to put a condition on the results page that checks the value in the date variables.
If it's empty, simply redirect to the search form.

Example:
' Read the date posted by the search form (field name is a placeholder)
dtFrom = Request.Form("dtFrom")

' Not a valid date means the form was never submitted: go to the search form
If Not IsDate(dtFrom) Then
    Response.Redirect "searchform.asp"   ' page name is a placeholder
End If


Another thing you can do is to pass the variables from the search page to the results page in the query string. This way the browser also saves the query string values when bookmarked.


Hope this helps.

Markbad311
01-22-2008, 09:28 AM
The date time value is a good option.

Here is the next question... How do I append to the URL of every page to add that date/time value? I have include files on every page... is there an equivalent to PHP's "mod_rewrite" in ASP?

Markbad311
01-22-2008, 09:30 AM
disregard

Markbad311
01-22-2008, 02:07 PM
Simple as it gets: how do I stop users from directly requesting a web page (maybe through IIS? if so, how)? ANY page, whether it has form variables or a query string.

How do bank web sites have a "Content Expired" web page?

vanny
01-22-2008, 04:54 PM
How many pages are passing to the script that you need to validate is a legitimate link? You would only need to add the date/time to those.

Personally, I recommend using some basic encryption on it, just so that users don't try and get tricky and modify the URL.

So basically, your url would look something like /create.asp?t=1230138756123512312388162313

Numbers for dramatic effect only.

All you need to do is add some JavaScript code to add the time to the submit URL. There are heaps of timer scripts out there. Remember, though, that you will need to have a hidden variable on the page to store the server time, and of course continually add 1 second to it. Otherwise, if they take 10 minutes to create the page, then the time will be off and the script won't process.
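A server-side version of the timestamped, tamper-resistant `t=` parameter described in this thread, written in Python as an added illustration rather than ASP code from any poster: the token is minted when the criteria form is rendered and bound to the user's session with an HMAC, so a bookmarked, hand-edited, expired or borrowed value is rejected at the top of the results page. The secret, session ids, window length and page names are placeholders, and the results page should still validate the criteria values themselves before building any SQL.

```python
import hashlib
import hmac
import time
from typing import Optional

# Placeholder secret for this example; a real deployment loads it from server configuration.
SERVER_SECRET = b"constructed-example-secret"
# The "reasonable range" suggested in the thread, in seconds.
TOKEN_WINDOW_SECONDS = 20


def _sign(session_id: str, issued_at: int) -> str:
    """HMAC over the session id and timestamp, so neither can be altered by the client."""
    msg = f"{session_id}:{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, now: Optional[int] = None) -> str:
    """Called when the criteria form is rendered; the result is embedded in the submit URL as ?t=..."""
    issued_at = int(time.time()) if now is None else now
    return f"{issued_at}.{_sign(session_id, issued_at)}"


def verify_token(token: str, session_id: str, now: Optional[int] = None) -> bool:
    """True only for a fresh, untampered token issued to this same session."""
    now = int(time.time()) if now is None else now
    try:
        ts_str, sig = token.split(".", 1)
        issued_at = int(ts_str)
    except ValueError:
        return False  # malformed or missing: a bookmark or a hand-typed URL
    if not hmac.compare_digest(sig, _sign(session_id, issued_at)):
        return False  # edited timestamp, or a token minted for another session
    if not 0 <= now - issued_at <= TOKEN_WINDOW_SECONDS:
        return False  # expired (bookmark reused later) or dated in the future
    return True


def results_page(query: dict, session_id: str, now: Optional[int] = None) -> str:
    """Sketch of the results page entry point: send the user back to the start unless the token checks out."""
    if not verify_token(query.get("t", ""), session_id, now):
        return "302 Location: /home.asp"  # placeholder home page
    return "200 render report"
```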