MsFox
asked on
Javascript/ASP problem
Hi Experts,
I have a content page (a page from our content management tool) which calls a javascript which in turn call an asp page to authenticate users if they have access to the page and if they have, will be submitted back to our content page.
So to illustrate, in our content page, calls secure.js. This is contained in content page 7918. This page contains:
location =
'/INTRANET/PRODUCTION/mm4a pplication s/ConfigFi les/Secure Access/Sec ureIndex.a sp?Page=79 18
The Page in the querystring is the page numnber of the content page so I'll know where to submit it back:
So my SecureIndex.asp page contains code to authenticate the user. And in the html portion of my asp page contains:
<BODY>
<form name="ConfigForm" action="http://sydintra01/intranet/firm/me.get?site.sitelayouts.home&<%=request.queryst ring("Page ")%>" method = "POST" target="_top" >
</form>
<script language=javascript>
document.ConfigForm.submit ()
</script>
</BODY>
So it actually submits the page to itself. But the problem with this, it goes into an endless loop because my content page (in the action attribute) contains the javascript which calls the asp page.
My question is, how can I prevent this from looping again. What I wanted is to have a flag that will be set when the call is done once. And will prevent it from calling it again.
I hope I have explained my problem clearly. I have tried something but I cannot make it to work right.
Please help.
Thanks.
I have a content page (a page from our content management tool) which calls a javascript which in turn call an asp page to authenticate users if they have access to the page and if they have, will be submitted back to our content page.
So to illustrate, in our content page, calls secure.js. This is contained in content page 7918. This page contains:
location =
'/INTRANET/PRODUCTION/mm4a
The Page in the querystring is the page numnber of the content page so I'll know where to submit it back:
So my SecureIndex.asp page contains code to authenticate the user. And in the html portion of my asp page contains:
<BODY>
<form name="ConfigForm" action="http://sydintra01/intranet/firm/me.get?site.sitelayouts.home&<%=request.queryst
</form>
<script language=javascript>
document.ConfigForm.submit
</script>
</BODY>
So it actually submits the page to itself. But the problem with this, it goes into an endless loop because my content page (in the action attribute) contains the javascript which calls the asp page.
My question is, how can I prevent this from looping again. What I wanted is to have a flag that will be set when the call is done once. And will prevent it from calling it again.
I hope I have explained my problem clearly. I have tried something but I cannot make it to work right.
Please help.
Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Rod,
It's true, its not looping but the page remains in the asp page that contains this:
<%
if NOT session("7918")=true then
response.redirect("/INTRAN ET/PRODUCT ION/mm4app lications/ ConfigFile s/SecureAc cess/Secur eIndex.asp ?Page=7918 ")
end if
%>
I want the page to be in the action attribute of this page:
<BODY>
<form name="ConfigForm" action="http://sydintra01/intranet/firm/me.get?site.sitelayouts.home&<%=request.queryst ring("Page ")%>" method = "POST" target="_top" >
</form>
<script language=javascript>
document.ConfigForm.submit ()
</script>
</BODY>
With regards to SSL, I'll talk to my superior about the possibility of using this.
Thanks.
It's true, its not looping but the page remains in the asp page that contains this:
<%
if NOT session("7918")=true then
response.redirect("/INTRAN
end if
%>
I want the page to be in the action attribute of this page:
<BODY>
<form name="ConfigForm" action="http://sydintra01/intranet/firm/me.get?site.sitelayouts.home&<%=request.queryst
</form>
<script language=javascript>
document.ConfigForm.submit
</script>
</BODY>
With regards to SSL, I'll talk to my superior about the possibility of using this.
Thanks.
try like this, or u can use hidden fields setting its value to true/false whether the form is submitted or not
<%
If LCase(Request.ServerVariab les("REQUE ST_METHOD" )) <> "post" Then
%>
<script language=javascript>
document.ConfigForm.submit ()
</script>
<%
End If
%>
<%
If LCase(Request.ServerVariab
%>
<script language=javascript>
document.ConfigForm.submit
</script>
<%
End If
%>
Hey MsFox
Everyone who's contributed here has had good ideas and intentions - I have lots of respect for Rod and Nurbek.
I agree with Rod, there are certainly security implications of what you're doing - however I'm not certain you can fix them in the SecureIndex.asp file alone - the real security needs to take place in your CMS in whatever is behind the me.Get code - that could be asp mapped to a .get extension or it could be java or something else - but ultimately that's where the security needs to take place.
It didn't sound like you had the ability to change the CMS - if you do - then there's a whole new topic of the best way to handle the security.
Rod's suggestion of:
=========== begin quote from rod ==============
This would normally be something like this...
<%
if NOT session("7918")=true then
response.redirect("/INTRAN ET/PRODUCT ION/mm4app lications/ ConfigFile s/SecureAc cess/Secur eIndex.asp ?Page=7918 ")
end if
%>
============ end quote from rod ==============
would be right on the money - if you could put that code in the get.me that displays the document.
however, if you're limited to changing only the secure.js file and the SecureIndex.asp files - then rods suggestion won't work - that code is asp based, and would need to run on the server - but the secure.js file runs on the client - the client won't have access to the session variables that would have been set with the secureindex.asp page.
There could be an exception to this - if your CMS is implemented in asp.net - you can modify the web.config file to use forms authentication -the .net platform takes care of the redirection automatically - you just provide an asp.net form and some minimal code to say yes or no (also I'm no expert in java - but if it's java based there might be a similar authentication scheme available)
So anyhow - I wasn't trying to steer you towards an insecure solution - just trying to work within the boundaries you mentioned you were working in.
- Jack
Everyone who's contributed here has had good ideas and intentions - I have lots of respect for Rod and Nurbek.
I agree with Rod, there are certainly security implications of what you're doing - however I'm not certain you can fix them in the SecureIndex.asp file alone - the real security needs to take place in your CMS in whatever is behind the me.Get code - that could be asp mapped to a .get extension or it could be java or something else - but ultimately that's where the security needs to take place.
It didn't sound like you had the ability to change the CMS - if you do - then there's a whole new topic of the best way to handle the security.
Rod's suggestion of:
=========== begin quote from rod ==============
This would normally be something like this...
<%
if NOT session("7918")=true then
response.redirect("/INTRAN
end if
%>
============ end quote from rod ==============
would be right on the money - if you could put that code in the get.me that displays the document.
however, if you're limited to changing only the secure.js file and the SecureIndex.asp files - then rods suggestion won't work - that code is asp based, and would need to run on the server - but the secure.js file runs on the client - the client won't have access to the session variables that would have been set with the secureindex.asp page.
There could be an exception to this - if your CMS is implemented in asp.net - you can modify the web.config file to use forms authentication -the .net platform takes care of the redirection automatically - you just provide an asp.net form and some minimal code to say yes or no (also I'm no expert in java - but if it's java based there might be a similar authentication scheme available)
So anyhow - I wasn't trying to steer you towards an insecure solution - just trying to work within the boundaries you mentioned you were working in.
- Jack
ASKER
I tried this but the value of document.location in the js file remains the same. How can you bring the URL with the AuthPostback=true value back to the js file?
Thanks