0

Our site consists of 3 main pages we call "Start.aspx" and then a content iframe inside of that where the user does nearly all of the site interactions.

Recently though, I've had to implement functionality that will jump between Start.aspx pages in different products and automatically change the content iframe to a specified page.

The actual functionality works just fine, but the issue we're having is that the full querystring is exposed. Because we load all pages in the content iframe, the page URL remains at "Product/Start.aspx" during regular site usage.

However, this new functionality is passing a querystring to Start.aspx (which has appropriate parsers to load the requested page in the content iframe), and we need that URL to remain as "Start.aspx".

So far, I've researched URL Rewriting, which was throwing errors because the landing page for each product is "[Product]/Start.aspx". I've looked at a different URL Rewriting solution, as well as ScottGu's blog post on routing.

The issue is that these solutions seem to be used for simplifying navigation, such as taking "Blogpost.aspx?Year=2013&Month=07&Day=15" and turning it into "Blogpost.aspx/2013/07/14" which really isn't what we're going for. We're not trying to simplify navigation via URL, we're really just trying to completely hide our querystrings.

What we're going for is turning "[Product]/Start.aspx?frame=Company.aspx?id=1570" into "[Product]/Start.aspx" once the content iframe has what it needs from the initial querystring. We don't need to account for every single page. We just need that to be the overarching rule. 90% of the time it won't be an issue, as most of the work being done doesn't jump from product to product without the user just switching products (which is done in a fashion that specifically uses "Response.Redirect("[Product]/Start.aspx")").

Once the content iframe has loaded from the Querystring parameters, we don't need them anymore for anything. The rest of the functionality runs through the iframe without any issue.

Am I overthinking this, or am I asking for something that's not really feasible?

4
  • Why are you trying to hide the querystring? If your inner frame has a querystring, then it's still exposed, just takes an extra click to get it. Commented Jul 15, 2013 at 21:24
  • Yeah, you and I know that, but it's part of the functionality spec. Commented Jul 15, 2013 at 21:26
  • Could you make the start page use AJAX for making additional queries so the user doesn't always get to see what the new URL is? Unless they are using Fiddler, Wireshark or something to intercept the traffic that is. Commented Jul 15, 2013 at 21:31
  • Hmmm. Maybe time to upgrade from .NET 2.0? It's about eight years old by now. Commented Jul 15, 2013 at 21:42

3 Answers

2

As far as literally "removing all of the query string characters" and still being able to pass the querystring values to another page, I do not think that is possible. Unless you do it in a Session Variable or something like that.

If you're simply worried about sensitive data being displayed in plain text in the query string, there is the option of "encrypting" the query string:

http://www.codeproject.com/Articles/33350/Encrypting-Query-Strings

The query string will still show but it will be "Product/Start.aspx?e0ayfefae0y0someencryptedmess108yfe0ayf0a". The page that receives the query string would decrypt it. So the functionality of the query string is there, but the values are not known to the end user.


1

Since you've tagged this as an ASP.NET question, I'd say the way to go is to keep navigation data in your Session variables.

5 Comments

Yeah, that'd seem intuitive as well, right? Except our lead has stressed using QueryString parameters and not session variables.
So the question is, "How do I use QueryString parameters in my web application without the user seeing them?" The answer is, "You can't." By definition, it's part of the URL.
Yeah, that's what I've been afraid of. I was thinking finding some ramshackle way of having the iframe change its parent's URL to "Start.aspx" after it has loaded or something, given that it's an aesthetic thing.
You might be able to simulate that effect. But now you're talking browser kludges. It's a kinda-sorta solution that will be fragile and crazymaking no matter what you do.
OK, after some discussion, my lead said that his kibosh on session variables was just so our site wasn't a mess of un-debuggable session variables that was impossible for our Jr Dev to learn in. They should work well to handle the querystring information.
1

Can you use a POST instead of a GET? That way, the data is in the form, rather than the Query String.

As a side note, hiding the parameters as a way of making the URL look nicer and be bookmark-able is fine. If you're doing it for any kind of security reasons, it's very shallow security. It's trivial for a user to see what's being passed in both the form and on the query string and to change and repost those. Security needs to be handled primarily on the server side.

2 Comments

It's definitely not security-related. Purely aesthetics. Which usually ends up being the hardest part of the development process.
So maybe POST is the way to go. Check out forums.asp.net/t/1635835.aspx/1 for a discussion about posting an iframe to another page from a containing page.
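
The session-variable approach from the second answer, combined with the server-side check the third answer calls for, as an added example that is not code from the question or any of the answers. It assumes Start.aspx declares `<iframe id="ContentFrame" runat="server">`; the session key `PendingFrame`, the fallback page `Default.aspx` and the validation pattern are hypothetical.

```csharp
// Start.aspx.cs (added example; control, key and page names are assumptions)
using System;
using System.Text.RegularExpressions;
using System.Web.UI;

public partial class Start : Page
{
    private const string PendingFrameKey = "PendingFrame";   // hypothetical session key
    private const string DefaultFrame = "Default.aspx";      // hypothetical fallback page

    // Accept only a same-folder .aspx page with an optional simple query string,
    // so the value cannot point the iframe at another site or directory.
    private static readonly Regex AllowedFrame = new Regex(
        @"^[A-Za-z0-9_]+\.aspx(\?[A-Za-z0-9_=&%\-]*)?$", RegexOptions.Compiled);

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        // For "Start.aspx?frame=Company.aspx?id=1570" this is "Company.aspx?id=1570".
        string requested = Request.QueryString["frame"];
        if (!string.IsNullOrEmpty(requested))
        {
            // First request: keep the target server-side only if it validates,
            // then redirect to the bare path so the address bar shows Start.aspx.
            if (AllowedFrame.IsMatch(requested))
                Session[PendingFrameKey] = requested;
            Response.Redirect(Request.Path);   // ends this response
            return;
        }

        // Second request (no query string): consume the stored target exactly once,
        // so a later refresh or bookmark of Start.aspx loads the default page.
        string pending = Session[PendingFrameKey] as string;
        Session.Remove(PendingFrameKey);
        ContentFrame.Attributes["src"] = pending ?? DefaultFrame;
    }
}
```

The redirect only cleans the address bar; the iframe's own `src` is still visible in the page source, as the first comment on the question points out, so the pages loaded in the frame must still authorize the requested `id` themselves.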
