Saving HTTP POST data when a request is interrupted on the login page

Say the user is browsing the website and then performing some actions that change the database (let them add a comment). When asked to add a comment, we find that we need to get them to log in before they can continue.

Suppose the login page asks for the username and password and redirects the user back to the URL they were on when the login was required. This redirect works for URLs with only GET parameters, but if the request originally contained some HTTP POST data, that data is now lost.

Can anyone recommend a way to handle this scenario when HTTP POST data is involved?

Obviously, if necessary, the login page could dynamically generate a form with all the POST parameters to pass them on (although this seems messy), but even then I don't know how to redirect the user from the login page to their intended page while preserving the POST data in the request.


Edit: one additional limitation that I should have made clear - imagine that we don't know whether a login will be required until the user submits the comment. For example, their cookie may have expired between downloading the form and actually submitting the comment.

+4
6 answers

2 options:

  • Write out a messy form from the login page and JavaScript form.submit() it on the page.
  • Before loading the login page, post the login page itself to the requested page (with the previous values), and let that page's controller perform the login check. Hand this over to whatever logic you already have to detect an unauthenticated user (the scope depends on how they do it). In pseudo-MVC:

    CommentController {
        void AddComment() {
            if (!Request.User.IsAuthenticated && !AuthenticateUser()) {
                return;
            }
            // add comment to database
        }

        bool AuthenticateUser() {
            if (Request.Form["username"] == "") {
                // show login page
                foreach (Key key in Request.Form) {
                    // copy form values into the login view as hidden fields
                    ViewData.Form.Add("hidden", key, Request.Form[key]);
                }
                ViewData.Form.Action = Request.Url;
                ShowLoginView();
                return false;
            } else {
                // validate login
                return TryLogin(Request.Form["username"], Request.Form["password"]);
            }
        }
    }
+2
source
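The first option above (carrying the interrupted POST along as hidden fields on the login form) is easy to get wrong if the values are written into the HTML unescaped, and the login form's action must stay on the same site so that credentials and the copied data are not posted elsewhere. The following is an added example, not code from the original answer; it uses only the Python standard library and assumes the raw request body is available as a URL-encoded string. Credential fields are dropped rather than copied forward, and a CSRF token is added so the replayed submission is bound to the login session.

```python
import html
import secrets
from urllib.parse import parse_qsl

# Field names that must never be carried forward as hidden inputs.
SENSITIVE_FIELDS = {"username", "password", "csrf_token"}


def is_local_path(action_url: str) -> bool:
    """Accept only same-site absolute paths ("/post/42/comment"), not
    scheme-relative ("//evil.example") or absolute URLs."""
    return action_url.startswith("/") and not action_url.startswith("//")


def render_login_with_hidden_fields(raw_body: str, action_url: str, csrf_token: str) -> str:
    """Render a login form that re-submits the interrupted POST to action_url.

    raw_body is the URL-encoded body of the original request; every field is
    HTML-escaped before it is written into a hidden input.
    """
    if not is_local_path(action_url):
        raise ValueError("login form action must be a same-site path")

    fields = parse_qsl(raw_body, keep_blank_values=True)
    hidden_inputs = [
        '  <input type="hidden" name="{}" value="{}">'.format(
            html.escape(name, quote=True), html.escape(value, quote=True)
        )
        for name, value in fields
        if name not in SENSITIVE_FIELDS
    ]

    lines = [
        '<form method="post" action="{}">'.format(html.escape(action_url, quote=True)),
        '  <input type="hidden" name="csrf_token" value="{}">'.format(
            html.escape(csrf_token, quote=True)
        ),
        *hidden_inputs,
        '  <input name="username">',
        '  <input name="password" type="password">',
        '  <button type="submit">Log in and continue</button>',
        "</form>",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample body: a comment that tries to smuggle markup in,
    # plus a stale password field that must not be echoed back.
    body = "post_id=42&comment=%3Cscript%3Ealert(1)%3C%2Fscript%3E&password=oldsecret"
    print(render_login_with_hidden_fields(body, "/post/42/comment", secrets.token_urlsafe(16)))
```

The CSRF token here is only a placeholder for whatever token scheme the application already uses; the point is that the replayed request is checked like any other state-changing POST once the user is logged in.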

This is one good place where Ajax methods can be useful. When the user clicks the submit button, display the login dialog on the client side and check it with the server before submitting the page.

Another way I can imagine is to show or hide the input controls in the DIV tag dynamically on the main page.

+11
source

You might want to find out why Django removed this feature before deploying it. This doesn't look like a specific Django problem, but rather a different cross-site fake attack.

+3
source

Just save all the necessary data from the POST in the session until the login process is complete. Or have some kind of temp table in the db for storage and later retrieval. Obviously, this is pseudo code, but:

    if ( !loggedIn ) {
        StorePostInSession();
        ShowLoginForm();
    }
    if ( postIsStored ) {
        RetrievePostFromSession();
    }

Or something like that.

+2
source

Collect the data on the page that they submitted and save it in your backend (database?) until they finish the login sequence, carrying a transaction ID or similar in a hidden field on the page with the login form. When everything is ready, return them to the page they asked for by looking the transaction ID up in the backend and loading all the data they sent into the form for review, or simply run whatever code would have been executed on that page.

Please note that in many systems, such as blogs, you can get around this by adding the fields for entering the same form as for posting comments, if the user must log in for comments and has not yet been created.

+1
source
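The "store the POST until login completes" approach of the two answers above (in the session, or in a backend table keyed by a transaction ID) is shown below as an added example; it is not code from either answer. It uses only the Python standard library, keeps the stash in an in-memory Session object (a database row keyed by the same opaque ID would work the same way), and assumes a constructed user table and a per-session CSRF token. Three details matter for security: the original POST is CSRF-checked before it is stashed, the stash expires, and the token is rotated at login so a pre-login token cannot be reused afterwards.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

STASH_TTL_SECONDS = 600  # a stashed POST older than this is discarded, not replayed

# Constructed user table: password hashes with a fixed salt for the example only.
_SALT = b"example-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS: Dict[str, bytes] = {"alice": _hash_password("correct horse")}
COMMENTS = []  # constructed stand-in for the comments table


@dataclass
class Session:
    sid: str
    user: Optional[str] = None
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    pending_post: Optional[dict] = None  # {"path": ..., "form": ..., "created": ...}


def check_password(username: str, password: str) -> bool:
    stored = USERS.get(username)
    # Hash even for unknown users so timing does not reveal which usernames exist.
    candidate = _hash_password(password)
    return stored is not None and secrets.compare_digest(stored, candidate)


def add_comment(user: str, form: dict) -> dict:
    """The state change the interrupted request wanted to perform."""
    record = {"id": len(COMMENTS) + 1, "user": user, "body": form["body"]}
    COMMENTS.append(record)
    return record


def handle_comment_post(session: Session, path: str, form: dict, now: Optional[float] = None):
    """Entry point for the comment POST. Returns (status, result)."""
    if not secrets.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return ("rejected", "bad csrf token")
    if session.user is None:
        # Not logged in: stash the POST (minus the token) and send the user to the login form.
        stashed = {k: v for k, v in form.items() if k != "csrf_token"}
        session.pending_post = {"path": path, "form": stashed, "created": now or time.time()}
        return ("login_required", None)
    return ("done", add_comment(session.user, form))


def handle_login(session: Session, username: str, password: str, now: Optional[float] = None):
    """Login handler: on success, replay the stashed POST if one exists and is fresh."""
    if not check_password(username, password):
        return ("login_failed", None)
    session.user = username
    session.csrf_token = secrets.token_urlsafe(32)  # rotate on privilege change
    pending, session.pending_post = session.pending_post, None  # one-shot replay
    if pending is None:
        return ("logged_in", None)
    if (now or time.time()) - pending["created"] > STASH_TTL_SECONDS:
        return ("stash_expired", None)
    return ("replayed", add_comment(session.user, pending["form"]))


if __name__ == "__main__":
    s = Session(sid="s1")
    print(handle_comment_post(s, "/post/42/comment", {"csrf_token": s.csrf_token, "body": "hi"}))
    print(handle_login(s, "alice", "correct horse"))
```

Replaying the stash automatically is appropriate for a low-impact action like a comment; for anything with more consequence, return the user to the form pre-filled from the stash instead and let them submit it again with the post-login token.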

I know this is tagged language-agnostic, but why not take advantage of the conventions provided by the server language you use? If it were Java, the data could be saved by setting a Request attribute. You would use the controller to process the form, detect the login, and then proceed. If the attributes are set, then just pre-fill the form with this data?

Edit: You can also use the session as mentioned, but I'm fairly sure that if you forward to the login page in Java, the Request attributes will be preserved.

+1
source

Source: https://habr.com/ru/post/1276620/
