0

This may be a basic question... However I've just been picking a solution without giving much though to it...

Consider a page with a grid of forms: /FormList.aspx

where choosing to edit a form redirects the user to a page like: /FormEdit.aspx?Id=2

I usually am okay with passing the values in the query string, because I check in the code-behind of FormEdit that the Id is valid. Which is the best way to pass the value, though: session or query string? Or other?

While the user is editing the form... I usually save the Id temporarily in session (to avoid getting it from the url again). During the user's form edition, what is the best way to store the value? In the session or in a hidden field ? Or other? (When I want to store a temporary DataTable, I believe I can only use the session, but when it's an integer value...)

Thanks in advance for your suggestions :)

naruu
  • 169
  • 3
  • 16
  • Take a look @ storing page specific data in the ViewState. – Ranhiru Jude Cooray Nov 19 '10 at 11:19
  • I didn't know about this option, that we could store our own information (in this case the form's information) on the page view state... I'll be using the query string now, but it's good to know (http://msdn.microsoft.com/en-us/library/75x4ha6s%28v=VS.90%29.aspx , http://stackoverflow.com/questions/575568/why-would-you-ever-use-asp-nets-viewstate-storage-object-over-the-session-storag ). – naruu Nov 19 '10 at 11:57

5 Answers5

3

I would suggest not to use Session for something that can easily and quickly be stored and checked in a query string or hidden form field; the information you seem to be talking about here is perfect for the query string.

Note that Session could introduce bugs when someone attempts to edit multiple forms at once in different tabs. When they save one, the Session value taken would be from the last one they loaded up to save... likely not what you will want, and it would likely be difficult to figure this out.

What you should do is persist the formID in the query string/form fields, and just double-check it for sanity when they submit the save; Make sure it's an ID that exists and that they are allowed to edit, for example.

Andrew Barber
  • 39,603
  • 20
  • 94
  • 123
  • In fact I haven't thought about the user editing multiple forms at the same time... Using the session to store form information isn't a good choice then. I'll be using the query string to pass the value, and to save the form, I'll get the id from the query string or the hidden field (and yes, check if the id is valid and the user can edit it). Thanks! – naruu Nov 19 '10 at 11:29
1

Normally QueryString is a good choice if you are having very small data to trasfer between your pages.

2- Session would be a great when you want to store user specific data.

in you case , best would be the querystring as you are sending very small data (ID ) to the next page.

TalentTuner
  • 17,262
  • 5
  • 38
  • 63
1

A few things to consider:

  1. If manipulation of the value is a security risk you need to either save it on the server side, or secure the value client side(Which isn't easy to get correct). Or even better: recalulate them.
  2. Saving in the session can easily create problems if the user has the website open in several tabs at the same time. It can also break the back button.
    For example if you safe the ID of the item the user is currently editing in the session, and the user edits two entries at the same time the content of the one he started editing first might be written into the entry he started editing later.
CodesInChaos
  • 106,488
  • 23
  • 218
  • 262
  • Didn't think about the user editing multiple pages at the same type... So the session should be for user-specific info, and not form-specific. Thanks! Thanks as well for bringing up the security issue, the forms I'm working on aren't sensitive information, so I'll just use the query string (and maybe the hidden field) however, I'll keep this in mind. – naruu Nov 19 '10 at 11:33
0

My suggestion is to keep the value in a session variable, but when you run the page_load of FormEdit.aspx for first time, save the value in the ViewState of the page, and clear the session var.

Something like that (in page_load of FormEdit.aspx):

if (!IsPostBack)
{
    ViewState["MyVar"] = Session["MyVar"];
    Session.Remove("MyVar");
}
Christian Allin
  • 108
  • 5
0

The problem with ASP.NET and query strings is that they persist on postbacks. That is, the form action for any page defaults to the url including the query string that was used to load it.

If the ID in question is just used to choose a particular form (and is not related to user data) this is not a big deal, in fact it's probably what you want.

On the other hand, if it identifies a record, you may not want this. Assuming you code things properly, this should not present a security risk, but it can give the user the impression that there is one by exposing the internal ID of a record in the query string. It also just looks unfortunate.

There are ways to work around this, and I think in 3.5 you can programatically change the form action. (It used to be you had to use javascript to do that - even though the form action was exposed it could not be changed).

The best way to deal with this is avoid query strings for any data record identifiers. Use POSTs to load data records instead, e.g. instead of using an asp:HyperLink control, use an asp:LinkButton control.

Of course, since POSTS load the same page they are sourced from, this requires that your forms be on the same page as your list. So, instead of having two separate pages, FormList.aspx and FormEdit.aspx, just put the code on the same page so you can post back directly. Presumably each of your forms is in a UserControl anyway. So your main page just has the job of choosing which usercontrol to show, everything else is delegated to the user controls, and all the parameter-passing can be done through posts inside your main page. This is a better architecture and keeps everything nice and clean.

Jamie Treworgy
  • 23,934
  • 8
  • 76
  • 119