ColdFusion Cookie/Form Submission Loophole - html

Okay so here is my problem. I have developed a framework which does the following:
If, for example, you have four webpages... but you only want to allow users to reach the "4th" webpage after progressing through pages 1-3 sequentially - I have built this functionality (basically I set an encrypted cookie keeping track of what the user has completed thus allowing to know what they should be able to access). There are two parts of it:
1) If a page does NOT have a quiz, the user must only visit the webpages sequentially to be allowed to view the 4th page in the "progression".
2) However, if a page has a quiz on it, the user must successfully pass the quiz to go on to the next sequential page.
Now... Here is the real biggie... The last page will often be a web form which, obviously, I only want an individual to fill out and submit if they have reached the form by sequentially getting to that last page in the progression... BUT I found a flaw in the system. If someone were to go completely through the progression and fill the form out... they could delete their browser's "form data" and go "back" to the form and allow a friend to fill the form out. That would be detrimental to the system, and the users who will be navigating this progression are GOING to look for ways to get around going through it.
Some of the suggestions I will probably get will not be possible given the larger framework I am in, but rather than list all of the impossibilities I would like to see what you guys thought would be a way of getting around this issue?
P.S. This functionality is built in HTML and ColdFusion.
Thank you for any feedback, it is a great help!
EDIT:
Keep in mind the user must be able to back track any previous page they already completed.

Related

How do I keep a user from double clicking a link in an email?

When users request a password reset, they get an email with a link to generate a password reset code. This link is valid for 24 hours and can be re-used within the 24 hours to generate a new code if the first is lost or forgotten. When users double click the link, two codes are getting generated, leading to user confusion about which to use (the second code invalidates the first code with the way it has been developed).
Since the link in the email is just an html a tag, I'm not sure how I can keep users from double clicking the link.
This sounds like you're facing the XY problem. Your actual issue is that users get confused by visits in a quick succession causing a code that was just generated to be invalid, rather than the fact that the link can be clicked twice.
From a security point of view, these kind of links should really be single-use, and the user should request a new e-mail if they want to perform the action again. Assuming this is something you're forced to do, I believe the best compromise would be to limit code generation to a time frame, so visits within, let's say, 5-10 seconds would result in the same code being shown to the user, based on the server's time.
Implementing any CSS based solution for this that'd work across every e-mail client out there is challenging enough (if at all possible), and I doubt any self-respecting e-mail client is going to let you run any sort of JavaScript to intercept the event.
The following works in a modern browser on an actual web page, but this is not just a bad idea, it's also probably not going to work if you try to use it in an e-mail. I'm providing it here just for the sake of completeness, showing that it's somewhat possible, but please do not rely on this to fix the underlying issue.
<style>a:focus { pointer-events: none }</style>
<p>This is some text, here's a link you can't double click by the way.</p>

I need to build in offline HTML form for completion with a button the print the data in a table

I am looking to build an 'easy on the eye' offline form which will be saved locally on users machines.
The purpose of the form is to record information and minutes taken in a meeting.
The form will include a logo, a header, hopefully some a dividing strip (preferably blue) and fields to complete in a table
Date
Time
Location
Attendees
An expanding (Downwards) text box with gets bigger when you type enough to fill it.
A print button which gives you the option of saving as a PDF or actually print it.
I have trawled the internet and even tried to adapt source codes on forms I like the look of but I'm not confident that even when I have adapted the code that those forms still don't have have some kind of connection to the internet as the information recorded in the forms will be highly confidential.
Can you point me in the direction or give me some pointers?
I have seen tutorials but the forms look very basic.
Many Thanks

Can HTTP GET be used if there are small side-effects?

As far as I understand, GET has to be idempotent - it cannot change anything in the system and repeating it should always return the same unless something else changed the state of the application.
Problem is, on my website, there should be a lot of little changes based on whether some content has been already seen before by the user. I mean, like notifications, new message alerts, content sorting based on whether user saw it or not, how many users saw the content counters... For example when user clicks on notification, the notification should disappear from his notification panel and never be seen there again, so it changes something - state of the notification, but I can press F5 as many times as I want and it always returns the same page with same info, same buttons etc.
Can I ignore this kind of side-effect as too small and I can use GET or do I have to make most links and buttons on the website use POST like I do with links and buttons which lead to more "serious" changes? I do that by making forms around each of them with those links as form actions and original buttons as submit buttons of the form which seems a little messy to me and I don't want it almost everywhere (or is there a better way?).
This can be tackled from several points of view, I'll illuminate it from this angle:
The end result here is always the same, hence the request is idempotent.
The user visits the URL, the end result is that the notifications are cleared. They can visit the page again and again, the end result is that the notifications are cleared. They're not going to get an error message because the notifications have been previously cleared (that would not be idempotent). Yes, they will see different content each time they visit the page, but nothing says that the page content must be identical each time the resource is requested (that would put half the web in a bind).
Contrast that with a POST request to /questions (which creates a new question, for example): each time you repeat that POST request, a completely new resource is being created. You POST once, and /questions/12345 is being created. You repeat the same request, /questions/12346 is being created. That is not idempotent.
No, you do not need to make all those requests into POST requests.

Hold data for list to add later?

So no SQL tables or anything here. Basically, I have 3 pages that have 6 items each. Each item consists of an image and then some text and also a smaller image than changes from a check to an "x" depending on if user selects or not. So if the image is checked, the user is adding that to a list which would display on a fourth page. This data needs to persist through just a session and if the session times out, then it resets. If the list is complete and on that fourth page the user choices to email or share list via social sharing, then the data would be gone after that action. What I am trying to figure out is the best way to approach and implement this with minimal time and effort as it has to go out quickly. Can any of you explain and maybe point to some links with info on the best way to achieve?
This is being done in asp.net web forms with html, css, and javascript.
Much appreciated!
You can use ViewBag() (for view in razor) or ViewData[] (for page in .net) to hold data for one web page.when you want it to other page. You can pass it to other page.
check this out
ViewBag, ViewData and TempData

Time-Delayed MySQL "Update" for More Realistic Tally of Online Video Views

I'm creating a video embed page for a real estate site, where a user can go to watch a video tour of a given home. There is no other reason to visit that particular page, so I figured that I could use a simple MySQL Update to a "video view tally" column for that homes's row, which will update views=views+1 each time the page is loaded.
That's easy enough, but I want to give as realistic a "view" count as possible, so I'm trying to come up with a way to have that view tallied ONLY once the page has been loaded for a set number of seconds (say, 30).
Any thoughts on a good way to handle the timing aspect? I'd like to avoid javascript, if possible, but I'm open to if it it's handled simply enough.
Unfortunately the only way you will ever know if the page is still active is to have a client-side technology (like JavaScript) tell you that it is.
You can add a "counter" page that isn't meant to be viewed directly, but instead is accessed via JavaScript after a 30 second page timer has expired. The act of JavaScript accessing that page will trigger the counter logic.