views: 2871
answers: 5

What are the different ways of communication between asp.net page and a popup page? Query strings etc. Which is most secure?

A: 

If you are talking about an actual pop-up page, where you are using window.open from JavaScript, you have the query string and JavaScript as your only real available options for passing information between them.

As for the "security" of this: the users will be able to see anything via a query string. JavaScript can move values across, but they would be existing on the other page. But you could pass something like an encrypted value to make things more secure.

Mitchel Sellers
A: 

A few methods

  • Query strings (window.open('/users/123', ...))
  • JavaScript (window.opener)
  • HTTP POST (open a popup via JavaScript, set the form's target to its name and post)
  • Sessions or other server side methods

In answer to the security consideration I'd say that query strings in combination with server side security is the way to go. Open the popup passing the information via query strings, then validate that the logged in user has permissions to access that user. Some specific requirements would call for encrypting the querystring data.

For delete operations I'd probably use a postback to avoid problems like "my indexing spider deleted all users".

Cristian Libardo
For example, query strings don't look too secure, because the user can see that information. For example, I might have a page that displays some user's information. When I want to delete it I redirect to another page. What would be the best way to pass information to that page?
Daud
+1  A: 

You say "communication between" the pop-up and the main ASP.NET page. First, I assume that the pop-up is an ASP.NET page as well so the communication from the main page to the pop-up is no different from the communication from one page to the next in a series of pages. That is, you can store and then use data in the session (if the data is available when the main page is loaded), via query strings, etc. Unless the data is sensitive, the simplest way by far is to include a variable in the call to the pop-up that is replaced by the appropriate arguments. Here is a sample image link:

<img style='cursor:hand;' alt="Open Note" onclick="javascript:window.open('NoteEdit.aspx?T=3&UID=<%#NoteUID%>', 'Note', 'HEIGHT=400,WIDTH=420');" src="images/Note.gif" />

Note the "NoteUID" replacement argument.

The more interesting question is how to pass information back to the window that popped up the pop-up. To do that, start with this JavaScript:

<script type="text/javascript">
    function OpenHRAResults()
    {
        opener.location.href="<%#DestName%>";
        window.close();
    }
</script>

This is taken from code where I re-open a specific page but, as you can guess, you can do all sorts of things with the "opener" window (the window that popped up the pop-up).

Hope this helps...

Mark Brittingham
What about posting the information from the pop-up back to the page? How would that work?
Daud
A: 

We try to avoid query strings where possible, but sometimes they are just too convenient. In those cases we always encrypt the query string. There are several ways to do this - example of one approach:

http://www.codeproject.com/kb/web-security/querystringencryptionnet.aspx

brendan
A: 

You don't need to send the real data to the popup window. Just create a GUID on the opener page. Create a class in ASP.NET which represents all the data you need to send between the popup page and the opener page, for example popupdata. Store the serialized class in the Session with the GUID as the name: Session[Guid] = class object, i.e. Session[Guid] = popupdata;

Open the popup with f.i. ~/popupwindow.aspx?PageID=Guid and retrieve the session object by calling Session[Guid] again (Guid comes from the PageID query string).

So on the popup page call: popupdata data = (popupdata)Session[Guid];

And then do whatever you like with the data.

If data is changed on the popup window you can store it in the Session variable again and send it back to the opener...

Very secure since no data is sent to the client.