im in the middle of creating my website and need some help with stopping people from going to a page in my website manually. Basically, i've set up a contact form and once it's filled in, it sends you to a thankyou page. I want to stop people going to that page manually by typing in the url for it. I want them to only be able to access it by filling out the form and hitting 'send'.
Firstly, is this possible, and if so, HOW?!
Thanks in advance!!
Have the page as the response to the POST and don't redirect to it.
You'll need to use a redirect in combination with some kind of persistent storage (DB, cookie, session).
Essentially on the thank you page, check that they came from the contact form, via persistent storage, otherwise redirect them.
Maybe you can check the http method. If it is post, presumably the user used the form. If it is get, presumably they typed the address themselves.
Good luck!
You can insert a special hidden hash value in your form and check for it on the page you redirect to. It's not foolproof though.
Related
Think of it like a login page. You type in all the credentials and click login. But I wanna check the username and password are correct or not and they will be in my database. So i use a API to communicate. And then u click login then through JavaScript i send a request but then the browser totally changes the page. All i want is the result but the browser changes the URL. Is there a way to do it?. Currently I am letting the page redirect back, its working fine but it just looks ugly.
Sorry i didn't include any code, I thought Code isn't necessary.
It's difficult to guess without seeing the code.
Anyway, are you using fetch?
Fetch is used if a browser should not navigate to a new page. The response is processed using Javascript instead.
Take a closer look at the fetch API, I think it can solve your problem.
Can I use my HTML form to perform multiple actions?
Post the information to another destination.
Navigate a user to another page once they submit the form.
At the moment I can post the filled form to the destination but cant navigate the user to another page using HTML specifically. Is there any method in HTML to do this?
Any suggestions?
Things are easy if you control the server and/or are on the same domain, then you can do a server side redirect. But since you are using salesforce surely you don't control that. Nevertheless, double check their documentation for a redirect option you can put in the form.
If that fails, one thing I'd try is to submit it to an iframe: add <iframe name="foo" id="foo"></iframe> somewhere to your html (you can hide it too if you want) and add target="foo" to your form. Then, also add an onsubmit javascript handler to the form that redirects after a delay to allow the form to be processed. The timing of the delay is likely to be a source of bugs btw, checking for errors in the submitted form can't be easily done across domains, you'd be guessing. Maybe an onload handler on the iframe can do the redirect though, I'm not sure, but worth a try.
This isn't guaranteed to work either, some sites don't like being in iframes. If that fails, you might try setting target="_BLANK" to submit the form to a popup window then redirect your main window using javascript or something. This will require you to give an instruction to the user to close the window.
Lastly, if you can submit the data via a server side API call to salesforce, that would be good too because then the plain redirect option is back under your control.
You can use redirect after you perform whatever you are going to do on the first page (the one from form action)
I have an HTML form:
<form id="form" action="Secret.asp" method="POST">
This form sends data from my website visitor to a database.
I want to hide it so that whoever sees my HTML will not be able to send data to my ASP file.
Or maybe there is another way to block an ASP file from anyone but the HTML file?
I suppose you could set up a default document on a virtual directory, and set the action to that. Then your user wouldn't see the page name, but the form data would still get posted.
The bigger question is... why do you want to do this? If it's a matter of security through obscurity, this is the wrong approach. Whatever page receives the form data should not trust it at all, and should sanitize anything going into a database anyway.
No.
If you want browsers to be able to send data to a URL, then you have to tell them what that URL is.
Anything you tell a browser, you tell to the user in control of that browser.
No matter what you do, anyone can see their own HTTP requests going out to your server.
If you press F12 on Chrome or Firefox you can see your incoming and outgoing traffic, so it's useless to try and do anything about it.
If you want to secure something, that's not the way to go about it.
I have a feedback page in my website. In my website's homepage, when someone clicks on 'Feedback', it will open a modal window to ask a human verification question. If the response is correct, i want to programatically open the url to my feedback page.
My concerns is:
The feedback page should not be accessible by directly entering the url,i.e., www.mysite\feedback.html. How can i prevent this from opening my feedback page?
I'm also aware that my anti-spamming effort isnt the best option, but for now i dont need a robust mechanism.
Any solution?
Thanks.
Why don't you just put the CAPTCHA on your feedback page?
If that's not an option you need to use sessions to store the "captcha passed" flag and check for it on the contact page (also in your server-side code). After successfully submitting the form you need to clear the flag so someone cannot spam manually after completing just a single captcha.
You should be able to access the Referrer header of the request in your web platform. You can check this value to see if the referrer is from a page you accept. If not, you can return a 403 or whatever response, and if so, you can return the actual page. You will need access to a server-side framework, such as PHP or ASP.NET. Note, however, that it is easy to create HTTP requests and spoof the Referrer header.
Say you have a legacy website running on an old code-base that offers certain functionality. The successor website is up and running, providing all the old functionality and more. For some time, there has been an HTML link on the old site pointing to the new one, for those users that care to click over.
Now, the legacy site is reaching its end of life, and you want to automatically redirect users to the new site, for example via a 301 or 302 redirect. However, when a user encounters this redirect, you want to also display a friendly message on the new site welcoming them and explaining why they are not seeing the old version.
When the user clicks an HTML link, the HTTP_REFERER header is populated, and the welcome message can be triggered via that value. However it appears that the same is not true when using 3XX redirect codes.
The top Google hit for this issue has this to say:
"HTTP 1.1 specification states it clearly: if a 3XX code is given, no
Referer value is passed. (eventualy, the URL that pointed to 3XX site)."
(http://www.usenet-forums.com/apache-web-server/37811-how-set-referer-redirect.html#post145986)
However I could not find this statement in a quick read through the spec (https://www.rfc-editor.org/rfc/rfc2616).
Can anyone suggest the proper way to achieve this functionality?
Note: This is not meant to be an all-encompassing solution. We understand that some clients don't even send the HTTP_REFERER header for privacy reasons, but for the sake of argument, let's ignore that use case.
First, This should be a 301, not a 302 redirect. Your redirection is permanent, so you want to indicate that. As to how to indicate the redirect, just add a parm to the url. Instead of redirecting to http://www.newsite.com redirect them to http://www.newsite.com?FromOldSite=Y
Could you just redirect them to a specific launch page? Like if try try to visit http://oldsite.com/desired/page, just send them to http://newsite.com/welcome?nextpage=/desired/page. The welcome page could show the message and then pass them over to the content. Alternatively, you could send them right to the new page with a ?show_welcome=true in the URL.
Not sure how you plan to redirect your users, but if you don't want to "ugly" up your URL, you might just set your own custom header when hitting the old site and then check for it at the new.