What are the different ways of communication between asp.net page and a popup page? Query strings etc. Which is most secure?
asp.net页面和弹出页面之间有什么不同的通信方式?查询字符串等哪个最安全?
5 个解决方案
#1
You say "communication between" the pop-up and the main ASP.NET page. First, I assume that the pop-up is an ASP.NET page as well so the communication from the main page to the pop-up is no different from the communication from one page to the next in a series of pages. That is, you can store and then use data in the session (if the data is available when the main page is loaded), via query strings, etc. Unless the data is sensitive, the simplest way by far is to include a variable in the call to the pop-up that is replaced by the appropriate arguments. Here is a sample image link:
您说弹出窗口和主ASP.NET页面之间的“通信”。首先,我假设弹出窗口也是一个ASP.NET页面,因此从主页面到弹出窗口的通信与一系列页面中从一个页面到下一个页面的通信没有什么不同。也就是说,您可以在会话中存储然后使用数据(如果数据在加载主页时可用),通过查询字符串等。除非数据是敏感的,否则最简单的方法是在对弹出窗口的调用由适当的参数替换。这是一个示例图像链接:
<img style='cursor:hand;' alt="Open Note" onclick="javascript:window.open('NoteEdit.aspx?T=3&UID=<%#NoteUID%>', 'Note', 'HEIGHT=400,WIDTH=420');" src="images/Note.gif" />
Note the "NoteUID" replacement argument.
注意“NoteUID”替换参数。
The more interesting question is how to pass information back to the window that popped up the pop up. To do that, start with this javascript:
更有趣的问题是如何将信息传递回弹出弹出窗口的窗口。要做到这一点,请从这个javascript开始:
<script type="text/javascript">
function OpenHRAResults()
{
opener.location.href="<%#DestName%>";
window.close();
}
</script>
This is taken from code where I re-open a specific page but, as you can guess, you can do all sorts of things with the "opener" window (the window that popped-up the pop up).
这是从我重新打开特定页面的代码中获取的,但是,正如您所猜测的,您可以使用“开启者”窗口(弹出弹出窗口的窗口)执行各种操作。
Hope this helps...
希望这可以帮助...
#2
If you are talking about an actual pop-up page, where you are using window.open from javascript. You have the querystring and Javascript as your only real available options for passing information between.
如果你在谈论一个实际的弹出页面,你在javascript中使用window.open。您有查询字符串和Javascript作为您之间传递信息的唯一真实可用选项。
As for "security" of this. The users will be able to see anything via a querystring, JavaScript can move values across, but they would be existing on the other page. But you could pass something like an excrypted value to make things more secure.
至于这个“安全”。用户可以通过查询字符串查看任何内容,JavaScript可以移动值,但它们将存在于另一页上。但是你可以传递一些类似于被删除的值来使事情变得更加安全。
#3
We try to avoid query strings where possible in sometimes they are just too convenient. In those cases we always encrypt the querystring. There are several ways to do this - example of one approach:
我们尽可能避免使用查询字符串,有时它们太方便了。在这些情况下,我们总是加密查询字符串。有几种方法可以做到这一点 - 一种方法的例子:
http://www.codeproject.com/kb/web-security/querystringencryptionnet.aspx
#4
A few methods
几种方法
- Query strings (window.open('/users/123'..)
- Javascript (window.opener)
- HTTP POST (open a popup via javascript, set the form target to it's name as target and post)
- Sessions or other server side methods
查询字符串(window.open('/ users / 123'..)
HTTP POST(通过javascript打开一个弹出窗口,将表单目标设置为它的名称作为目标并发布)
会话或其他服务器端方法
In answer to the security consideration I'd say that query strings in combination with server side security is the way to go. Open the popup passing the information via query strings, then validate that the logged in user has permissions to access that user. Some specific requirements would call for encrypting the querystring data.
在回答安全考虑时,我会说查询字符串与服务器端安全性相结合是可行的方法。打开通过查询字符串传递信息的弹出窗口,然后验证登录用户是否有权访问该用户。某些特定要求会要求加密查询字符串数据。
For delete operations I'd probably use a postback to avoid problems like "my indexing spider deleted all users".
对于删除操作,我可能会使用回发来避免像“我的索引蜘蛛删除所有用户”这样的问题。
#5
You don't need to sent the real data to the popup window. Just create a GUID on the opener page. Create a class in asp.net which represent all the data you need to sent between the popup page and the opener page. For example popupdata Store the serialized class in the Session with the GUID as the name Session[Guid] = class object Session[Guid] = popupdata;
您无需将实际数据发送到弹出窗口。只需在开启者页面上创建一个GUID即可。在asp.net中创建一个类,它表示您需要在弹出页面和开启者页面之间发送的所有数据。例如,popupdata将序列化类存储在Session中,GUID作为名称Session [Guid] =类对象Session [Guid] = popupdata;
Open the popup with f.i. ~/popupwindow.aspx?PageID=Guid Retrieve the session object with calling the Session[Guid] again (Guid is coming from the PageID querystring.
用f.i打开弹出窗口。 〜/ popupwindow.aspx?PageID = Guid再次调用Session [Guid]检索会话对象(Guid来自PageID查询字符串。
so on the popup page call popupdata data = (popupdata)Session[Guid];
所以在弹出页面上调用popupdata data =(popupdata)Session [Guid];
And then do whatever yuo like withthe data.
然后做任何与数据一样的事情。
If data is changed on the popupwindow you can store it in the Session variable again and send it back to the opener...
如果在弹出窗口中更改了数据,您可以再次将其存储在Session变量中并将其发送回开启器...
Very secure since no data is sent to the client.
非常安全,因为没有数据发送到客户端。
#1
You say "communication between" the pop-up and the main ASP.NET page. First, I assume that the pop-up is an ASP.NET page as well so the communication from the main page to the pop-up is no different from the communication from one page to the next in a series of pages. That is, you can store and then use data in the session (if the data is available when the main page is loaded), via query strings, etc. Unless the data is sensitive, the simplest way by far is to include a variable in the call to the pop-up that is replaced by the appropriate arguments. Here is a sample image link:
您说弹出窗口和主ASP.NET页面之间的“通信”。首先,我假设弹出窗口也是一个ASP.NET页面,因此从主页面到弹出窗口的通信与一系列页面中从一个页面到下一个页面的通信没有什么不同。也就是说,您可以在会话中存储然后使用数据(如果数据在加载主页时可用),通过查询字符串等。除非数据是敏感的,否则最简单的方法是在对弹出窗口的调用由适当的参数替换。这是一个示例图像链接:
<img style='cursor:hand;' alt="Open Note" onclick="javascript:window.open('NoteEdit.aspx?T=3&UID=<%#NoteUID%>', 'Note', 'HEIGHT=400,WIDTH=420');" src="images/Note.gif" />
Note the "NoteUID" replacement argument.
注意“NoteUID”替换参数。
The more interesting question is how to pass information back to the window that popped up the pop up. To do that, start with this javascript:
更有趣的问题是如何将信息传递回弹出弹出窗口的窗口。要做到这一点,请从这个javascript开始:
<script type="text/javascript">
function OpenHRAResults()
{
opener.location.href="<%#DestName%>";
window.close();
}
</script>
This is taken from code where I re-open a specific page but, as you can guess, you can do all sorts of things with the "opener" window (the window that popped-up the pop up).
这是从我重新打开特定页面的代码中获取的,但是,正如您所猜测的,您可以使用“开启者”窗口(弹出弹出窗口的窗口)执行各种操作。
Hope this helps...
希望这可以帮助...
#2
If you are talking about an actual pop-up page, where you are using window.open from javascript. You have the querystring and Javascript as your only real available options for passing information between.
如果你在谈论一个实际的弹出页面,你在javascript中使用window.open。您有查询字符串和Javascript作为您之间传递信息的唯一真实可用选项。
As for "security" of this. The users will be able to see anything via a querystring, JavaScript can move values across, but they would be existing on the other page. But you could pass something like an excrypted value to make things more secure.
至于这个“安全”。用户可以通过查询字符串查看任何内容,JavaScript可以移动值,但它们将存在于另一页上。但是你可以传递一些类似于被删除的值来使事情变得更加安全。
#3
We try to avoid query strings where possible in sometimes they are just too convenient. In those cases we always encrypt the querystring. There are several ways to do this - example of one approach:
我们尽可能避免使用查询字符串,有时它们太方便了。在这些情况下,我们总是加密查询字符串。有几种方法可以做到这一点 - 一种方法的例子:
http://www.codeproject.com/kb/web-security/querystringencryptionnet.aspx
#4
A few methods
几种方法
- Query strings (window.open('/users/123'..)
- Javascript (window.opener)
- HTTP POST (open a popup via javascript, set the form target to it's name as target and post)
- Sessions or other server side methods
查询字符串(window.open('/ users / 123'..)
HTTP POST(通过javascript打开一个弹出窗口,将表单目标设置为它的名称作为目标并发布)
会话或其他服务器端方法
In answer to the security consideration I'd say that query strings in combination with server side security is the way to go. Open the popup passing the information via query strings, then validate that the logged in user has permissions to access that user. Some specific requirements would call for encrypting the querystring data.
在回答安全考虑时,我会说查询字符串与服务器端安全性相结合是可行的方法。打开通过查询字符串传递信息的弹出窗口,然后验证登录用户是否有权访问该用户。某些特定要求会要求加密查询字符串数据。
For delete operations I'd probably use a postback to avoid problems like "my indexing spider deleted all users".
对于删除操作,我可能会使用回发来避免像“我的索引蜘蛛删除所有用户”这样的问题。
#5
You don't need to sent the real data to the popup window. Just create a GUID on the opener page. Create a class in asp.net which represent all the data you need to sent between the popup page and the opener page. For example popupdata Store the serialized class in the Session with the GUID as the name Session[Guid] = class object Session[Guid] = popupdata;
您无需将实际数据发送到弹出窗口。只需在开启者页面上创建一个GUID即可。在asp.net中创建一个类,它表示您需要在弹出页面和开启者页面之间发送的所有数据。例如,popupdata将序列化类存储在Session中,GUID作为名称Session [Guid] =类对象Session [Guid] = popupdata;
Open the popup with f.i. ~/popupwindow.aspx?PageID=Guid Retrieve the session object with calling the Session[Guid] again (Guid is coming from the PageID querystring.
用f.i打开弹出窗口。 〜/ popupwindow.aspx?PageID = Guid再次调用Session [Guid]检索会话对象(Guid来自PageID查询字符串。
so on the popup page call popupdata data = (popupdata)Session[Guid];
所以在弹出页面上调用popupdata data =(popupdata)Session [Guid];
And then do whatever yuo like withthe data.
然后做任何与数据一样的事情。
If data is changed on the popupwindow you can store it in the Session variable again and send it back to the opener...
如果在弹出窗口中更改了数据,您可以再次将其存储在Session变量中并将其发送回开启器...
Very secure since no data is sent to the client.
非常安全,因为没有数据发送到客户端。