0

Using C# Web Forms, I am attempting to use hidden fields as part of a redirect from website A to website B (same domain, both sites password protected using Forms Authentication). I have tried different approaches, but so far am unable to extract the hidden field values from the Request.Form NameValueCollection in the website B Login code-behind, and am getting a null reference exception when trying to access the request form key.

Website A:

<asp:LinkButton ID="redirectLink" runat="server" OnClick="RedirectLink_Click"
OnClientClick="window.document.forms[0].target='_blank';">New Page - Website B
</asp:LinkButton>

Response.Clear();
StringBuilder sb = new StringBuilder();

sb.Append("<html>");
sb.Append("<body onload='submitForm()'>");
sb.AppendFormat("<form id='customForm' action='{0}' method='post'>", url + "/newpage.aspx?redirectPage=NewPage_Redirect");
sb.AppendFormat("<input type='hidden' name='Val1' value='{0}' id='Val1'>", Uri.EscapeDataString(value1));
sb.AppendFormat("<input type='hidden' name='Val2' value='{0}' id='Val2'>", Uri.EscapeDataString(value2));
sb.Append("</form>");
sb.Append("<script>");
sb.Append("function submitForm() {");
sb.Append("document.getElementById('customForm').submit();");
sb.Append("}");
sb.Append("</script>");
sb.Append("</body>");
sb.Append("</html>");
Response.Write(sb.ToString());
HttpContext.Current.ApplicationInstance.CompleteRequest();

Website B Page_Load:

if ((Request.QueryString["redirectPage"] != null)          
    && (Request.QueryString["redirectPage"].ToString() == "NewPage_Redirect"))
{
    Response.Write(Request.Form["Val1"].ToString()); // NULL REFERENCE EXCEPTION
    Response.Write(Request.Form["Val2"].ToString());
}

What am I missing?

UPDATE 1

Website A:

This is the HTML I see in VS 2022:

<html>
<body onload='submitForm()'>
<form id='customForm' action='https://websiteB.com/newpage.aspx?redirectPage=NewPage_Redirect' method='post'>
    <input type='hidden' name='Val1' value='abc123' id='Val1'>
    <input type='hidden' name='Val2' value='def456' id='Val2'>
</form>
<script>
    function submitForm() 
    {
        document.getElementById('customForm').submit();
    }
</script>
</body>
</html>

Website B Page_Load:

When I changed Response.Write(Request.Form["Val1"].ToString()) on website B to Response.Write(Request.Form["Val1"]), I no longer got the null reference exception. So, I replaced the test code on website B with the following which displays 0 for the length of keys:

string[] keys = Request.Form.AllKeys;
Response.Write(keys.Length.ToString()); //Displays 0

UPDATE 2:

Using browser tools, it seems the HTML being created in code is not appearing in the generated HTML. I'm starting to suspect this may be like an issue I dealt with 12 years ago, where ASP.NET Web Forms does not allow nested forms. Still investigating.

UPDATE 3

I forgot to mention I'm using a LinkButton on the ASPX page - code snippet above has been updated.

IrishChieftain
  • 15,108
  • 7
  • 50
  • 91
  • seems like you need to provide a value for "{0}".. so something like: Response.Write(sb.ToString(), "your-value"); ? (you may want to keep it all POST, btw... just add the redirect page as a hidden field too... seems messy with query params. – pcalkins Jul 27 '23 at 21:02
  • @pcalkins1 could you answer with a code sample. Not sure whst you mean exactly. – IrishChieftain Jul 27 '23 at 22:16
  • "{0}" is a placeholder for a variable methinks... so you'd need to set that to something... right now you've got Response.Write(sb.ToString()); There's no variable sent in... – pcalkins Jul 27 '23 at 22:18
  • 1
    @pcalkins, value='{0}' is replaced by Uri.EscapeDataString(value1) as outlined here: https://learn.microsoft.com/en-us/dotnet/api/system.text.stringbuilder.appendformat?view=netframework-4.7.2 I have confirmed this in the generated HTML. – IrishChieftain Jul 27 '23 at 23:10
  • 1
    got it... my bad. – pcalkins Jul 28 '23 at 16:14
  • @pcalkins I've updated the question with more info ;-) – IrishChieftain Jul 29 '23 at 13:31
  • What you are doing is a bit odd... generating the form and then auto-submitting it. Seems unnecessary. There must be a better way to go about this that avoids that kind of behavior and doesn't mix GET and POST requests. – pcalkins Aug 01 '23 at 16:50
  • @pcalkins, I totally agree. I was tasked with mimicking other legacy code that did this. I have since changed it to use HttpClient. I'll update when I solve it, but it's now looking like a server cert issue. – IrishChieftain Aug 01 '23 at 19:40

1 Answers1

1

The problem is that you are not actually submitting the form on Website A. You are just generating the HTML for the form and then displaying it. This means that the hidden fields are not actually being sent to Website B.

To fix this, you need to actually submit the form. You can do this by adding the following code to the RedirectLink_Click event handler:

// Create the form object.
Form form = new Form();

// Add the hidden fields to the form.
form.AddHiddenField("Val1", value1);
form.AddHiddenField("Val2", value2);

// Submit the form.
form.Submit();

This will actually submit the form, and the hidden fields will be sent to Website B.

Once the form is submitted, you can then access the hidden field values in the Page_Load event handler on Website B. The following code will show you how to do this:

string val1 = Request.Form["Val1"];
string val2 = Request.Form["Val2"];

// Do something with the hidden field values.

This code will get the values of the hidden fields and store them in the variables val1 and val2. You can then do something with these values, such as displaying them on the page or storing them in a database.

Ghulam Farid
  • 470
  • 4
  • 10