
I have my page's URL like:

http://www.ab.com/test.aspx?invitationID=XXXX

I check in my Page_Load whether the invitation is really valid:

if (!IsPostBack)
{
    // Logic for validation. If the invitationID is not valid, do a Server.Transfer to the 404 page.
}

This works well. However, once the user clicks the Submit button on the registration page, he is redirected to the RegistrationSuccessful page. It works well till here. But now, if he presses the browser's Back button, due to the cache he sees the page again and he can register again. This is a bug.

I did add:

  HttpContext.Current.Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));
  HttpContext.Current.Response.Cache.SetCacheability(HttpCacheability.NoCache);
  HttpContext.Current.Response.Cache.SetNoStore();

in my Page_Load, and it seems to work fine. However, do you guys see any security threat with this approach? Is the validation logic for the invitation in !IsPostBack correct, or should I do it regardless of whether it is a postback or not?

Jack

2 Answers


Well, are you saving the invitationID somewhere? If you save it in the DB it can be of benefit, so that you will know that this invitationID is already used by marking it as used in the DB. This way you can check for double registration.

I have used this kind of invitation registration: I send a URL link in an email, then on clicking that link I do validation. Before sending the link I generate a unique string and save it in the DB with respect to that user.

FosterZ
  • Yes, I am saving the invitationID and I delete it after the user successfully registers. But the problem is not that. The problem is when the user presses the Back button and sees the page again. As it is a cached version from the browser, he can still see the page and press the Submit button. I don't validate whether it is a valid invitationID or not in the Submit button's click. I do it in !IsPostBack in Page_Load, since there is no point showing the page to the user if it is not valid. Do I have to do it in both places, i.e. Page_Load's if (!IsPostBack) and also in submitbutton_click? – Jack May 17 '12 at 05:38
  • I guess you should not delete that invitationID; instead you should mark it as used, and you should validate on `!PostBack` whether this `invitationID` is used or not – FosterZ May 17 '12 at 05:41
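The exchange above turns on one point: the no-cache headers only control what the browser shows on Back, while the thing that actually prevents a second registration is a server-side check on the postback itself. The following code-behind is an added example (not code from the question or either answer) that combines the asker's !IsPostBack check with FosterZ's "mark it as used" approach, re-validating in Submit_Click and consuming the invitation with a conditional UPDATE inside the same transaction that creates the account. The schema (Invitations, Users), the "AppDb" connection string, the 404.aspx and RegistrationSuccessful.aspx pages, and the EmailTextBox/Submit controls in test.aspx are all hypothetical.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

// Added example, not code from the original post. Hypothetical schema:
//   Invitations(InvitationID uniqueidentifier PRIMARY KEY, UsedAt datetime2 NULL)
//   Users(Email nvarchar(256) PRIMARY KEY, InvitationID uniqueidentifier NOT NULL)
// Assumes a connection string named "AppDb" in web.config and that test.aspx declares
// <asp:TextBox ID="EmailTextBox"> and <asp:Button ID="Submit" OnClick="Submit_Click">.
public partial class Test : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Keep the form out of browser and proxy caches so Back does not show a stale copy.
        // Usability only: nothing here stops a replayed or hand-built POST, so Submit_Click validates itself.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1));

        if (!IsPostBack)
        {
            // First request: do not render the form at all for an unknown or already used invitation.
            Guid id;
            if (!TryGetInvitationId(out id) || !InvitationIsOpen(id))
            {
                Server.Transfer("~/404.aspx");
            }
        }
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        // Re-validate from scratch: this request may come from a cached page, Back, a replay or a forged POST.
        Guid id;
        if (!TryGetInvitationId(out id) || !RegisterWithInvitation(id, EmailTextBox.Text))
        {
            Server.Transfer("~/404.aspx");
            return;
        }

        Response.Redirect("~/RegistrationSuccessful.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }

    private bool TryGetInvitationId(out Guid id)
    {
        // Strict parse: a missing or malformed value is treated like an unknown invitation.
        return Guid.TryParse(Request.QueryString["invitationID"], out id);
    }

    private static SqlConnection OpenDb()
    {
        var conn = new SqlConnection(ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString);
        conn.Open();
        return conn;
    }

    private static bool InvitationIsOpen(Guid id)
    {
        using (var conn = OpenDb())
        using (var cmd = new SqlCommand("SELECT COUNT(*) FROM Invitations WHERE InvitationID = @Id AND UsedAt IS NULL", conn))
        {
            cmd.Parameters.AddWithValue("@Id", id);
            return (int)cmd.ExecuteScalar() == 1;
        }
    }

    // Consumes the invitation and creates the account in one transaction. The conditional UPDATE
    // is the real guard: a second submit (Back button, replay or a concurrent request) finds UsedAt
    // already set, affects zero rows and is refused, so at most one account exists per invitationID.
    private static bool RegisterWithInvitation(Guid id, string email)
    {
        using (var conn = OpenDb())
        using (var tx = conn.BeginTransaction())
        {
            using (var consume = new SqlCommand("UPDATE Invitations SET UsedAt = SYSUTCDATETIME() WHERE InvitationID = @Id AND UsedAt IS NULL", conn, tx))
            {
                consume.Parameters.AddWithValue("@Id", id);
                if (consume.ExecuteNonQuery() != 1)
                {
                    tx.Rollback();
                    return false;
                }
            }

            using (var create = new SqlCommand("INSERT INTO Users (Email, InvitationID) VALUES (@Email, @Id)", conn, tx))
            {
                create.Parameters.AddWithValue("@Email", email);
                create.Parameters.AddWithValue("@Id", id);
                create.ExecuteNonQuery();
            }

            tx.Commit();
            return true;
        }
    }
}
```

Marking the row used rather than deleting it keeps an audit trail of which account consumed which invitation, and doing the UPDATE and INSERT in one transaction means a failed account insert rolls the invitation back to open instead of burning it. The check in Page_Load is kept purely so an invalid link gets a 404 instead of an empty form; correctness rests entirely on the postback path.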

Is "http://www.ab.com/test.aspx" the RegistrationPage? If yes, you must not do anything with the cache, because for registered users the RegistrationPage must automatically redirect to the HomePage. You must check the InvitationId only inside the RegistrationProcedure:

Register(..., Request.QueryString["invitationID"]);

And yes, as FosterZ says, you must have the InvitationId linked with the user's account in the database.

vladimir