[2008] Set session variable before javascript fires onclick

[Ms.Longstocking]

A click on the linkbutton will fire some javascript (window.open) and open up a child browser window. I have to [securely] send over some text as well. I thought to send this text over to the new window using a session variable. This text that is to be sent over must not under any circumstances be visible client-side.

The trouble is that the javascript fires before the session variable can be set.

Any ideas?

Code:

Dim hl As LinkButton = New LinkButton
hl.ID = "hl" & Panel1.Controls.Count + 1
hl.Text = Title
hl.CssClass = "blockNewsLink"
hl.Attributes.Add("onclick", "return newswin('headlines.aspx');")
hl.CommandArgument = Link
AddHandler hl.Click, AddressOf bravka
Panel1.Controls.Add(hl)

Code:

Sub bravka(ByVal sender As Object, ByVal e As System.EventArgs)
     Session("bravka") = CType(sender, LinkButton).CommandArgument
End Sub

[Kasracer]

JavaScript is a client-side construct. Session is a server-side construct. You won't be able to set anything server-side until you return to the server which can be done via JavaScript. So your initial thought won't work.

I think we need to know a little more about what you're trying to accomplish in order to give you a good option. Why can't the text be client visible (i.e. through a query string) when the client is going to see it anyway? All authentication information should already be in the session so I would imagine anything passed via a query string would be information the client could see anyway.

Are you aware of this pop-up ahead of time? I don't like it but you could set the text via session before the user clicks on it.

Is this page different depending on what page you open it from or will it always show the same data? If it'll always show the same data then you should just use your session to verify the user then load the text most likely from a database.

[Ms.Longstocking]

The linkbuttons I mentioned will be RSS links to other websites.
however, the design will be such that upon clicking these links, the user will be directed to a special popup, 'headlines'. There, the URL of the website with the news item will be entered server-side where it will be scraped for the relevant text in the feed. The text will then be displayed in the special headlines window.

Since the popup is being opened using javascript, and since the URL in question must remain secret, I wish to pass it as a session variable. (I believe ViewState would suffice as well)

You asked.

[Kasracer]

ViewState does not work like that. ViewState is a serialized (and typically encrypted) object(s) that .Net uses to keep a specific state. ViewState is verified, on PostBack, via a mechanism that checks the integrity of the ViewState (so it isn't modified on the client side). ViewState is only intended to work on a page that receives a PostBack to itself so this wouldn't work for that (though I could totally see how ViewState would be useful in that scenario).

Regardless you're passing data that the client already knows about. For really sensative information such as SSN, Credit Card number, or even an address then you wouldn't want to pass it via a query string nor would you want to store it in the ViewState.

For an RSS feed? Just use a query string. I don't see what you gain trying to use any other constructs. The URL can't remain secret (it won't be, you'll be able to grab it from source or from the Window that pops up). Why do you want the URL to be secret anyway? If this is some super secret page that no one should be able to access then you should password protect it as security through obscurity is not security.

[Ms.Longstocking]

Querystring is not an option.

Goal: Set session variable on linkbutton click followed by firing of javascript immediately after.

What I have thus far:

My Linkbutton generation code:

Code:

Dim hl As LinkButton = New LinkButton
hl.ID = "hl" & Panel1.Controls.Count + 1
hl.Text = Title
hl.CssClass = "blockNewsLink"
hl.CommandArgument = Link
AddHandler hl.Click, AddressOf linkBtnClick
Panel1.Controls.Add(hl)

LinkButton Code-behind:

Code:

Sub linkBtnClick(ByVal sender As Object, ByVal e As System.EventArgs)
    Session("ValuePassed") = CType(sender, LinkButton).CommandArgument
    Dim strScript As String = "<script type=text/javascript>newswin();</script>"
    If (Not Page.ClientScript.IsStartupScriptRegistered("clientScript")) Then
        Page.ClientScript.RegisterStartupScript(Me.GetType, "clientScript", strScript)
    End If
End Sub

When the new page is opened, the Session variable will be used to do all kinds of diabolical things. It has to be passed this way by design.

The javascript has to be called only after the session variable has been set.


I suspect that the updatePanel that houses my linkButtons has something to do with my present quandary as well.

Code:

<asp:UpdatePanel ID="UpdatePanel2" runat="server">
    <ContentTemplate>
        <asp:Panel ID="Panel1" runat="server" CssClass="pnlBlockRight">
            <asp:Label ID="Label1" runat="server" CssClass="pnlTitle" Text="Diabolicalness in progress"></asp:Label>
        </asp:Panel>      
    </ContentTemplate>
</asp:UpdatePanel>

Goal revisted: Goal: Set session variable on linkbutton click followed by firing of javascript immediately after.

Thx,
MizPippz

[Kasracer]

Querystring is not an option.

Why?

When the new page is opened, the Session variable will be used to do all kinds of diabolical things. It has to be passed this way by design.
[....]
The javascript has to be called only after the session variable has been set.
[....]
Goal revisted: Goal: Set session variable on linkbutton click followed by firing of javascript immediately after.

Your design is flawed. If you really want to do this then you have to create a hacky solution which would basically involve handling the LinkButton click event (which would happen on PostBack), registering a script and set it to run on page load (window.load), set your session variable. Then, when the page posts back it opens a new window and you can read your session variable.

Like I said this is a hacky solution and your design needs to be revisited. The session object is meant to hold limited amounts of data across multiple pages and not for passing data to just one page; that's the job for a Query string or a Post submit. Using session variables to actually display content is going to hurt you in the end with slower performance and a site that's difficult to maintain.

[Ms.Longstocking]

ok, my tunnel vision has subsided.

I'm going to encrypt the data and send it using a queryString.

[Kasracer]

Why are you sending any sensitive data over a query string? That's not a good idea. What kind of data are you passing, exactly?

[Ms.Longstocking]

It's a string that I don't want for anyone else to see. The encryption method is the way to go. Earlier I was thinking too much along the lines of Fort Knox and less like a programmer(wanna be).

Thanks for your input. This solution is both effective, secure enough, and super easy to implement.

Regards,
MizPippz