Re: "hash" doce

From: Steven Cheng[MSFT] (v-schang_at_online.microsoft.com)
Date: 03/21/05


Date: Mon, 21 Mar 2005 07:49:45 GMT

Thanks for your prompt response Thom,

The "hash (#)" URL parameter is a bit different from the other params such
as the querystring. The standard HTTP URL schema doesn't include the "hash"
section; refer to the RFC 2616 HTTP 1.1 protocol:

http://www.faqs.org/rfcs/rfc2616.html
===========================
3.2.2 http URL

   The "http" scheme is used to locate network resources via the HTTP
   protocol. This section defines the scheme-specific syntax and
   semantics for http URLs.

   http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
===========================

When we navigate to a page with a url like:

http://servername/webapp/page.xxx?var=xxx#section_name

only the

"http://servername/webapp/page.xxx?var=xxx"

will be sent by the web browser (IE, Mozilla, ...) in the HTTP request to
the server side. The hash param (#...) will be used only at the client side in
the browser. That's why we can't get it in our ASP.NET web page's server code.
Also, as I mentioned in the former message, we can use some tools such as
netmon or Trace Utility to capture the HTTP request from the client, and we can
find that the coming HTTP message doesn't contain the "hash" info. Thus,
the server-side web service has no idea of the "hash" parameter no matter
what active document technique we're using at the server side (ASP/ASP.NET,
JSP, PHP, ...).

Thanks for your understanding.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
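
The behaviour described in the post above, as an added example that is not part of the original message: it builds the HTTP/1.1 request a client sends for the post's sample URL, then parses it the way server code would. The function names are hypothetical, the raw request is constructed rather than captured, and the percent-encoded `%23` case goes one step beyond the post to show the contrast.

```javascript
// Added example (Node.js). buildRequest/parseRequest are hypothetical helpers.

// Client side: turn an absolute URL into the request a browser would send.
function buildRequest(href) {
  const u = new URL(href);
  // The request target is path + query only; the fragment never leaves the client.
  const target = u.pathname + u.search;
  const raw = `GET ${target} HTTP/1.1\r\nHost: ${u.host}\r\n\r\n`;
  return { raw, keptInBrowser: u.hash };
}

// Server side: recover everything a handler can learn from the raw request.
function parseRequest(raw) {
  const [head] = raw.split("\r\n\r\n");
  const lines = head.split("\r\n");
  const [method, target] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  // Rebuild the URL as server code would (scheme assumed to be http).
  const seen = new URL(target, `http://${headers.host}`);
  return {
    method,
    path: seen.pathname,
    query: Object.fromEntries(seen.searchParams),
    hash: seen.hash, // always empty: nothing after '#' was transmitted
  };
}

// Sample URL from the post, plus a constructed variant with an encoded '#'.
function demo() {
  const plain = buildRequest("http://servername/webapp/page.xxx?var=xxx#section_name");
  const encoded = buildRequest("http://servername/webapp/page.xxx?var=%23section_name");
  return {
    plainSeenByServer: parseRequest(plain.raw),
    plainKeptInBrowser: plain.keptInBrowser,
    // '%23' is ordinary query data, so this value does reach the server.
    encodedSeenByServer: parseRequest(encoded.raw),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

If server code needs the value, client script has to read `location.hash` and send it explicitly, for example in the query string or a form field.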


