0

Here's the scenario: I want a single page to display different content depending on a session variable. The issue is, the only solution I can think of for using a code-behind method is to hide the div showing the content, but I just can't help but feel that it isn't secure. The other method I have in mind is to have code within the markup as you would do in PHP, e.g.

<% if (Session["variable"].ToString() == "food") { %>
   //Markup
<% } %>

So do you think hiding a div doesn't have security risks or is there a better method for dynamically changing the content using code-behind?

aelsheikh

3 Answers

3

The security concerns depend heavily on how Session["variable"] is set.

But a control set to runat="server" and Visible=false; is not even rendered to the client, so I don't see a problem with this approach.

Oscar
1

In ASP.NET there are various controls which you can use to display different content depending on different variables.

For your solution you could use the <asp:PlaceHolder /> control. This would allow you to insert HTML markup and other controls into it, then in the code behind you can show/hide depending on your variable.

So your markup on the .aspx page would be:

<asp:PlaceHolder runat="server" id="phOne" visible="false">
    <p>Show Me if condition is met</p>
</asp:PlaceHolder>

Then in your code behind you can show/hide:

// Visible is case-sensitive in C#; Convert.ToString tolerates a missing session value
this.phOne.Visible = Convert.ToString(Session["variable"]) == "food";

I would make sure that by default it is not visible (visible="false"), then show it in the code. If the control is not visible, then it is not rendered on the page at all, so there is no security risk in this.

Another would be the <asp:Panel />, which renders as a <div /> on the page. This would work in the same fashion as the placeholder.

Tim B James
  • Placeholder control is not intended for this, but to add controls dynamically. On the other hand, all objects inheriting from Control have a Visible property that you can set to false without needing a Placeholder for that. Any control with the runat=server tag can have its visible property set to false in code behind. – Oscar Aug 25 '13 at 20:02
  • @Oscar This is exactly the purpose of the Placeholder. There is no difference in adding the Controls to the placeholder dynamically vs in the markup. – Tim B James Aug 25 '13 at 20:24
  • @TimBJames From MSDN: "Reserves a location in the page control hierarchy for controls that are added programmatically." http://msdn.microsoft.com/en-us/library/as54k8b6(v=vs.85).aspx – Oscar Aug 25 '13 at 20:26
  • Thanks, this worked. However, I prefer using a div like the other answer suggested. – aelsheikh Aug 25 '13 at 20:44
  • @Zizo47 Use the `` control then. Personally I would stick to .net controls rather than adding `runat="server"` to generic html controls. – Tim B James Aug 25 '13 at 21:39
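
The point made in the two answers above, that a control with Visible=false is not rendered at all while a div hidden only with CSS still reaches the browser, as an added example that is not part of the original thread. It assumes .NET Framework with a reference to System.Web; the class name, method names and sample content are made up for illustration.

```csharp
// Added example (not from the thread). Assumes .NET Framework with a
// reference to System.Web; class and method names are hypothetical.
using System;
using System.IO;
using System.Web.UI;
using System.Web.UI.WebControls;

static class VisibilityDemo
{
    // Render a control tree to the HTML string the server would send.
    static string Render(Control control)
    {
        using (var sw = new StringWriter())
        using (var writer = new HtmlTextWriter(sw))
        {
            control.RenderControl(writer);
            return sw.ToString();
        }
    }

    // Build a panel holding constructed sample content.
    static Panel BuildPanel()
    {
        var panel = new Panel();
        panel.Controls.Add(new LiteralControl("<p>restricted content</p>"));
        return panel;
    }

    // Fail closed: a missing or non-string session value hides the content.
    static bool IsAllowed(object sessionValue)
    {
        return string.Equals(sessionValue as string, "food", StringComparison.Ordinal);
    }

    static void Main()
    {
        // Server-side hiding: RenderControl writes nothing for the panel.
        var serverHidden = BuildPanel();
        serverHidden.Visible = IsAllowed(null); // no session value set
        Console.WriteLine("Visible=false leaks content: {0}",
            Render(serverHidden).Contains("restricted content"));

        // CSS hiding: the markup is still in the response, only undisplayed.
        var cssHidden = BuildPanel();
        cssHidden.Style["display"] = "none";
        Console.WriteLine("display:none leaks content: {0}",
            Render(cssHidden).Contains("restricted content"));
    }
}
```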
-1

Perhaps you want to use Server.Transfer. See more about it here: Server.Transfer Vs. Response.Redirect.

Of course, you can also simply set the content from codebehind:

<p id="a" runat="server">
    abc
</p>

And:

a.InnerHtml = "def";
ispiro