Post and response.redirect

tshad

I am using method=POST in my Form field, but am also using
response.redirects to go to my next pages.

response.redirect("x.aspx?a=1")

But the a=1 shows in the query string. I thought the Post method was
supposed to put the queries into the page and not the URL?

I am trying to take some of my pages that already are doing redirects and
make them more secure by not having data in the URL. Is there an easy way
to do this without having to rewrite my code?

Thanks,

Tom
 
Hi Tom,

The word "Secure" is a very relative term. So, I would use that term
very diplomatically :-)

When you are using a POST in a form, you are posting, a.k.a. pushing, all
the fields in the form in a relatively more secure manner than when you use
a querystring. But, when you are using a Response.Redirect, you are
playing out of that context, that is you are ending the page abruptly
and redirecting the control to another page. And using the querystring
is by your option.

So, if you do not want to pass the value of "a" in querystring, but
want to persist across page calls, there are other ways:
1. Use Hidden form fields.
2. Store the value of "a" in a session variable.
3. Use HttpContext values.

Thanks,
Rajeev Gopal
http://www.geekswithblogs.net/rajeevgopal
 
Rajeev Gopal said:
> Hi Tom,
>
> The word "Secure" is a very relative term. So, I would use that term
> very diplomatically :-)
>
> When you are using a POST in a form, you are posting, a.k.a. pushing, all
> the fields in the form in a relatively more secure manner than when you use
> a querystring. But, when you are using a Response.Redirect, you are
> playing out of that context, that is you are ending the page abruptly
> and redirecting the control to another page. And using the querystring
> is by your option.
>
> So, if you do not want to pass the value of "a" in querystring, but
> want to persist across page calls, there are other ways:
> 1. Use Hidden form fields.

Are these special fields that get sent in a POST - even during redirect?

Or are you talking about hidden fields that get repopulated during
Postback?

Thanks,

Tom
 
tshad said:
> I am using method=POST in my Form field, but am also using
> response.redirects to go to my next pages.
>
> response.redirect("x.aspx?a=1")
>
> But the a=1 shows in the query string. I thought the Post method was
> supposed to put the queries into the page and not the URL?

Yes, payload is carried in the HTTP message body and thus "invisible",
but the request URI (which contains the query string) *isn't* part of
the payload. It's part of the header.

> I am trying to take some of my pages that already are doing redirects
> and make them more secure by not having data in the URL. Is there an
> easy way to do this without having to rewrite my code?

As long as you don't apply encryption, there's no real security here.
One approach is to use encrypted query strings, but there's no
framework support for this AFAIK.

Cheers,
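
Added example, not part of any post in this thread: the exchange the last reply describes, written out as constructed HTTP messages with a small parser that reports where each parameter travels. The host, `/form.aspx`, the `name` form field and the exact 302 headers are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed messages (not captured traffic). Host, paths other than x.aspx,
# and the form field "name" are assumptions made for this example.
FORM_POST = ("POST /form.aspx HTTP/1.1\r\n"
             "Host: example.test\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n"
             "Content-Length: 8\r\n\r\n"
             "name=Tom")
# What the server sends back for a redirect to "x.aspx?a=1".
REDIRECT = ("HTTP/1.1 302 Found\r\n"
            "Location: /x.aspx?a=1\r\n"
            "Content-Length: 0\r\n\r\n")
# The browser follows the Location header with a brand-new GET request.
FOLLOW_UP = ("GET /x.aspx?a=1 HTTP/1.1\r\n"
             "Host: example.test\r\n\r\n")
# Same redirect when the value is kept server-side (e.g. in session state).
REDIRECT_NO_QUERY = ("HTTP/1.1 302 Found\r\n"
                     "Location: /x.aspx\r\n"
                     "Content-Length: 0\r\n\r\n")


def locate_params(raw):
    """Map each parameter name in one HTTP message to where it travels."""
    head, _, body = raw.partition("\r\n\r\n")
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    found = {}

    def note(query, place):
        for key in parse_qs(query, keep_blank_values=True):
            found.setdefault(key, []).append(place)

    if not start_line.startswith("HTTP/"):  # request: METHOD target VERSION
        note(urlsplit(start_line.split(" ")[1]).query, "request line (URL)")
    if "location" in headers:  # redirect response
        note(urlsplit(headers["location"]).query, "Location header")
    if headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        note(body, "message body")
    return found


if __name__ == "__main__":
    for label, msg in [("form POST", FORM_POST), ("302 redirect", REDIRECT),
                       ("follow-up GET", FOLLOW_UP),
                       ("302 without query", REDIRECT_NO_QUERY)]:
        print(f"{label:18} {locate_params(msg)}")
```

The request line is the part that web server access logs and browser history normally record, so a value that only ever sits in the body or in server-side state does not end up there.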
 