#1

Hello,

I am preparing a site where it is important that the user moves from page 1 to page 2 to page 3 etc as a series of tests are presented and the order is important.

Is it possible to make sure that this happens?!

One thought I've had is that to stop a user arriving at say page 2 by using Google, I can put all these pages into a password protected folder (using htaccess/htpasswd). The users would be presented with the same user name and password on the public page. Is there any other way?

'would appreciate any thoughts on this.

Cheers

Geoff

#2

"Geoff Cox" <gcox@freeuk.notcom> wrote in message news:h3j3v315jrg4ttj011l8r0ajodatgasaas@4ax.com...

> Hello,
>
> I am preparing a site where it is important that the user moves from
> page 1 to page 2 to page 3 etc as a series of tests are presented and
> the order is important.
>
> Is it possible to make sure that this happens?!

No.

Make them all the same page and control the content server side, probably with a session.

--
Richard.

#3

On Tue, 01 Apr 2008 06:04:36 GMT, "rf" <rf@invalid.com> wrote:

>
>"Geoff Cox" <gcox@freeuk.notcom> wrote in message
>news:h3j3v315jrg4ttj011l8r0ajodatgasaas@4ax.com...
>> Hello,
>>
>> I am preparing a site where it is important that the user moves from
>> page 1 to page 2 to page 3 etc as a series of tests are presented and
>> the order is important.
>>
>> Is it possible to make sure that this happens?!
>
>No.
>
>Make them all the same page and control the content server side, probably
>with a session.

I've thought of putting all on the one page - trouble is that would involve a lot of scrolling ...

Could you say what you mean by "control the content server side, probably with a session"?

Cheers

Geoff

#4

Geoff Cox <gcox@freeuk.notcom> writes:

> On Tue, 01 Apr 2008 06:04:36 GMT, "rf" <rf@invalid.com> wrote:
>>
>>"Geoff Cox" <gcox@freeuk.notcom> wrote in message
>>news:h3j3v315jrg4ttj011l8r0ajodatgasaas@4ax.com...
>>>
>>> I am preparing a site where it is important that the user moves from
>>> page 1 to page 2 to page 3 etc as a series of tests are presented and
>>> the order is important.
>>>
>>> Is it possible to make sure that this happens?!
>>
>>No.
>>
>>Make them all the same page and control the content server side, probably
>>with a session.
>
> I've thought of putting all on the one page - trouble is that would
> involve a lot of scrolling ...
>
> Could you say what you mean by "control the content server side,
> probably with a session"?

You store a cookie on the client side. Your server displays page one if the cookie is missing. Page one sets the cookie to show that page 1 has been seen. The "next" button just re-loads the page but now the server will show page 2. Rinse and repeat.

If cookies are not acceptable, you can do this with form data.

--
Ben.

#5

Use a server-side validation using sessions and throw the user on the page he should be if he tries to access another one.
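
Added example, not part of the thread: the session approach from posts #4 and #5 in Python. The cookie carries only a random session ID and the progress counter stays on the server, so editing the cookie cannot move a user forward; `PAGES`, `progress`, `open_session`, `view` and `submit` are names assumed for the illustration.

```python
import secrets

PAGES = ["page 1", "page 2", "page 3"]   # constructed sample content
progress = {}   # session id -> index of the page this user is currently on

def open_session():
    """Create the server-side state; only this random ID goes into the cookie."""
    sid = secrets.token_urlsafe(32)
    progress[sid] = 0
    return sid

def view(sid, requested):
    """Return (status, index of the page to show) for a GET of page `requested`."""
    if sid not in progress:
        return 302, 0                  # missing or made-up session ID: start at page 1
    current = progress[sid]
    if requested != current:
        return 302, current            # redirect to the page the user should be on
    return 200, current

def submit(sid, page):
    """Handle the "next" POST sent from `page`; only the current page can advance."""
    if sid not in progress:
        return 302, 0
    current = progress[sid]
    if page == current and current < len(PAGES) - 1:
        progress[sid] = current + 1
    return 302, progress[sid]          # redirect to whatever page is now current
```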

#6

Scripsit Geoff Cox:

> I am preparing a site where it is important that the user moves from
> page 1 to page 2 to page 3 etc as a series of tests are presented and
> the order is important.

What makes you think this is an HTML question, or a JavaScript question? Followups set to the group where this is less off-topic than in the other. In future, please select _a_ group properly. (Hint: use comp.infosystems.www.authoring.misc if you think it's about WWW authoring but you cannot select a more specific group.)

> Is it possible to make sure that this happens?!

No.

> One thought I've had is that to stop a user arriving at say page 2 by
> using Google, I can put all these pages into a password protected
> folder (using htaccess/htpasswd). The users would be presented with the
> same user name and password on the public page. Is there any other
> way?

That does not prevent people from accessing page 2 first. They just need the password from a pal. Or something like that. But it would piss off users.

You can use <meta> tags to ask indexing robots not to index pages 2, 3, etc. Most of them will honor the request.

Does this leave you some _real_ problems? Which? What will happen, really, if someone views page 2 before viewing page 1? The world, as we know it, will end? You will be prosecuted? The user sees a spoiler?

If this is a _real_ problem, please re-raise it in a more appropriate forum and explain what you are really doing and what your server-side programming capabilities and skills are.

You would probably get reasonably close by arranging things so that page 2 has no direct address of its own and page 1 contains a form consisting only of a submit button and some hidden field(s), and the form would have method="POST". The action="..." attribute would refer to a server-side script that checks its data for the presence of some specific field(s) with specific value(s) (as specified in the hidden field[s] of the form); if they are present, the script would return the content of page 2, otherwise an error code and an error explanation page.

Of course, the "protection" would be easy to break, but only by someone who is really interested and studies the techniques used.

For a safer approach, you would make page 1 dynamically generated and would make the hidden field be different for each occasion, and your server would contain a file of generated hidden field values and would remove a value as soon as it has been found in a request. That is, for each page 1 generated, page 2 could be accessed _once_. So page 2 would resemble the scrolls in Rogue, the game (you know, "as you read the scroll, it vanishes").

Now, there's the simple problem of a user who has so accessed page 2 and saves a local copy of it and uploads it on a server. I hope your next question won't be "How do I prevent people from saving my page?"

--
Jukka K. Korpela ("Yucca")
http://www.cs.tut.fi/~jkorpela/
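
Added example, not part of the thread: the one-time hidden field values from post #6 in Python, with an in-memory dict standing in for the server's file of generated values. It goes slightly beyond the post by binding each value to the page it unlocks and giving it an expiry; `tickets`, `issue_ticket`, `hidden_field`, `redeem` and the 600-second lifetime are assumptions.

```python
import secrets
import time

TTL = 600      # seconds a value stays usable (assumed lifetime)
tickets = {}   # value -> (page it unlocks, expiry time); stands in for the server's file

def issue_ticket(page, now=None):
    """Called while generating a page: mint the value for its hidden field."""
    now = time.time() if now is None else now
    ticket = secrets.token_urlsafe(16)
    tickets[ticket] = (page, now + TTL)
    return ticket

def hidden_field(ticket):
    """Markup that carries the value inside the page's POST form."""
    return f'<input type="hidden" name="ticket" value="{ticket}">'

def redeem(form, page, now=None):
    """POST handler: return (status, body). A value works once, for one page."""
    now = time.time() if now is None else now
    # pop() removes the value as soon as it has been found in a request
    entry = tickets.pop(form.get("ticket", ""), None)
    if entry is None:
        return 403, "no valid ticket: start from page 1"
    unlocks, expires = entry
    if unlocks != page or now > expires:
        return 403, "ticket not valid for this page"
    # the page just unlocked carries a fresh value for the page after it
    return 200, f"content of page {page} " + hidden_field(issue_ticket(page + 1, now))
```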

#7

In our last episode, <h3j3v315jrg4ttj011l8r0ajodatgasaas@4ax.com>, the lovely and talented Geoff Cox broadcast on comp.infosystems.www.authoring.html:

> Hello,

> I am preparing a site where it is important that the user moves from
> page 1 to page 2 to page 3 etc as a series of tests are presented and
> the order is important.

> Is it possible to make sure that this happens?!

If all you want to do is present a sequence of pages to a casual user, you can do this with server-side scripting. The only HTML issue involved here is using a hidden input to tell your script what page the user was on previously (if any) so the script can write the next page. Of course if you have a sequence of tests, the script can probably be devised to deduce what page to write next by the values of test items it has.

This will be good enough for "What is your Luv IQ?" kinds of amusements or evaluate-your-own-knowledge types of test. It won't be secure in any sense from someone interested in cheating or otherwise messing with the results.

> One thought I've had is that to stop a user arriving at say page 2 by
> using Google, I can put all these pages into a password protected
> folder (using htaccess/htpasswd). The users would be presented with the
> same user name and password on the public page. Is there any other
> way?

I don't quite understand how Google comes into it. If all you want to do is ensure that someone who comes to the test always gets the first page, simply have your script write the first page if no test variables are set. If you do not want casual users to bookmark intermediate results, use POST and not GET. .htaccess is not necessary for that and doesn't provide sufficient security for serious employment/academic test where someone would be motivated to cheat.

In other words:

Your test url looks like:

http://mydomain/testscript.cgi (or .php or .pl or whatever)

That is also the form ACTION for all the pages of your test.

The url does not look like http://mydomain/test/page1.cgi, http://mydomain/test/page2.cgi, http://mydomain/test/page3.cgi, etc. It always looks like http://mydomain/testscript.cgi, so there are no links or bookmarks to page 2, page 3, etc.

If your script finds no test variables set (POSTed), it writes page 1. If it finds page 1 items set but not page 2 variables set, it sticks the page 1 values in hidden inputs and writes page 2, and so forth.

You can use either server-side or client-side scripting to check for the validity of responses (i.e. can users skip some/all items, are items basically in the right form, etc.) Since this isn't really secure from people who intend to cheat, you could use client-side scripting to score as you go along --- but this will leave out and piss off people who do not have client-side scripting or do not have it turned on. It also won't save much hassle when scoring of items on later pages depends on responses to earlier items.

How to do the scripting is, of course, not within the scope of this newsgroup.

--
Lars Eighner <http://larseighner.com/> usenet@larseighner.com
Countdown: 294 days to go.

#8

On Tue, 1 Apr 2008, Geoff Cox wrote:

> I am preparing a site where it is important that the user moves from
> page 1 to page 2 to page 3 etc

"I am the publisher of a newspaper where it is important that the reader moves from page 1 to page 2 to page 3 etc. How do I do this?"

--
In memoriam Alan J. Flavell
http://groups.google.com/groups/sear...Alan.J.Flavell

#9

On Tue, 01 Apr 2008 06:54:05 +0100, Geoff Cox <gcox@freeuk.notcom> wrote:

Thanks everyone for the useful comments - will work through them now.

Cheers

Geoff

#10

Ben Bacarisse wrote:

> Geoff Cox <gcox@freeuk.notcom> writes:
>> On Tue, 01 Apr 2008 06:04:36 GMT, "rf" <rf@invalid.com> wrote:
>>> "Geoff Cox" <gcox@freeuk.notcom> wrote in message
>>> news:h3j3v315jrg4ttj011l8r0ajodatgasaas@4ax.com...
>>>> I am preparing a site where it is important that the user moves from
>>>> page 1 to page 2 to page 3 etc as a series of tests are presented and
>>>> the order is important.
>>>>
>>>> Is it possible to make sure that this happens?!
>>> No.
>>
>>> Make them all the same page and control the content server side, probably
>>> with a session.

Full ACK.

> [...]
> You store a cookie on the client side. Your server displays page one
> if the cookie is missing. Page one sets the cookie to show that page
> 1 has been seen. The "next" button just re-loads the page but now the
> server will show page 2. Rinse and repeat.
>
> If cookies are not acceptable, you can do this with form data.

Cookies are as susceptible to a forging attack as is form data. http://getfirebug.com/ and see how easy it actually is.

PointedEars
--
Anyone who slaps a 'this page is best viewed with Browser X' label on a Web page appears to be yearning for the bad old days, before the Web, when you had very little chance of reading a document written on another computer, another word processor, or another network. -- Tim Berners-Lee

#11

Thomas 'PointedEars' Lahn <PointedEars@web.de> writes:

> Ben Bacarisse wrote:
<snip>
>> If cookies are not acceptable, you can do this with form data.
>
> Cookies are as susceptible to a forging attack as is form data.
> http://getfirebug.com/ and see how easy it actually is.

Of course. I never suggested otherwise.

--
Ben.

#12

Ben Bacarisse wrote:

> Thomas 'PointedEars' Lahn <PointedEars@web.de> writes:
>> Ben Bacarisse wrote:
> <snip>
>>> If cookies are not acceptable, you can do this with form data.
>> Cookies are as susceptible to a forging attack as is form data.
>> http://getfirebug.com/ and see how easy it actually is.
>
> Of course. I never suggested otherwise.

IBTD. Did you or did you not suggest that storing cookies or form data would be a way to "'force' [a] user to use [a] [Web] site in [a] defined order?

I have disproved that.

F'up2 comp.infosystems.www.authoring.misc

PointedEars
--
Anyone who slaps a 'this page is best viewed with Browser X' label on a Web page appears to be yearning for the bad old days, before the Web, when you had very little chance of reading a document written on another computer, another word processor, or another network. -- Tim Berners-Lee

#13

Thomas 'PointedEars' Lahn <PointedEars@web.de> writes:

> IBTD. Did you or did you not suggest that storing cookies or form
> data would be a way to "'force' [a] user to use [a] [Web] site in
> [a] defined order?
>
> I have disproved that.

Either will work if the right measures are taken.

1) Generate a global encryption key for the application.
2) When the user arrives at page 1, encrypt '1' together with a unique identifier for the user, and set it as a cookie or hidden form field. Send the unique identifier unencrypted as well.
3) When the user arrives at page 2, decrypt the cookie or hidden form field and check that it contains '1' and the unique identifier. If it doesn't, redirect to page 1. If it does, generate a new one containing '1,2'.
4) Repeat as needed for future pages, alternative branches, etc.

While the user can obviously send whatever form or cookie data they like back to the server, the server has a straightforward way to validate that the 'previously visited' data is data that it generated (up to the security of the key and encryption algorithm, of course) and reject modified data.

The unique identifier is to stop someone finding out what the encrypted value of '3' is for a particular application and jumping straight to page 3. You could alternatively generate a unique encryption key for each user.

--
Chris
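
Added example, not part of the thread: steps 1 to 4 of post #13 in Python. It uses an HMAC from the standard library in place of the encryption the post describes, because the server only needs to detect modified data, not hide it; the `user|pages|mac` token layout and the function names are assumptions, and user identifiers are assumed to be server-generated strings without a `|`.

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)   # step 1: one application-wide key, kept on the server

def _mac(payload):
    return hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue(user_id, visited):
    """Build the cookie or hidden-field value 'user|1,2|mac' for the pages seen so far."""
    payload = f"{user_id}|{','.join(map(str, visited))}"
    return f"{payload}|{_mac(payload)}"

def verify(token, user_id):
    """Return the visited pages, or None if the token is altered, forged or another user's."""
    try:
        uid, pages, mac = token.split("|")
    except ValueError:
        return None
    # constant-time comparison; bytes avoid a TypeError on non-ASCII input
    if not hmac.compare_digest(mac.encode(), _mac(f"{uid}|{pages}").encode()):
        return None
    if uid != user_id:            # a valid token copied from a different user
        return None
    return [int(p) for p in pages.split(",")] if pages else []

def request_page(n, token, user_id):
    """Steps 2-4: return (page to serve, new token); any mismatch sends the user to page 1."""
    visited = verify(token, user_id) if token else []
    if visited is None or visited != list(range(1, n)):
        return 1, issue(user_id, [1])
    return n, issue(user_id, visited + [n])
```

A token the server issued earlier stays valid, so this proves the pages were reached in order but does not stop a saved token from being sent again; the one-time values in post #6 address that.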

#14

Thomas 'PointedEars' Lahn <PointedEars@web.de> writes:

> Ben Bacarisse wrote:
>> Thomas 'PointedEars' Lahn <PointedEars@web.de> writes:
>>> Ben Bacarisse wrote:
>> <snip>
>>>> If cookies are not acceptable, you can do this with form data.
>>> Cookies are as susceptible to a forging attack as is form data.
>>> http://getfirebug.com/ and see how easy it actually is.
>>
>> Of course. I never suggested otherwise.
>
> IBTD. Did you or did you not suggest that storing cookies or form data
> would be a way to "'force' [a] user to use [a] [Web] site in [a]
> defined order?

What has that got to do with it? I did not suggest that cookies were any less susceptible to being "forged" and you seemed to think I had.

> F'up2 comp.infosystems.www.authoring.misc

The usual practice is to set a followup-to header in order to limit the discussion to more suitable groups. You seem to have just added comp.infosystems.www.authoring.misc. Why do you think more people want to see this?

--
Ben.

#15

Ben Bacarisse wrote:

> Thomas 'PointedEars' Lahn <PointedEars@web.de> writes:
>> Ben Bacarisse wrote:
>>> Thomas 'PointedEars' Lahn <PointedEars@web.de> writes:
>>>> Ben Bacarisse wrote:
>>> <snip>
>>>>> If cookies are not acceptable, you can do this with form data.
>>>> Cookies are as susceptible to a forging attack as is form data.
>>>> http://getfirebug.com/ and see how easy it actually is.
>>> Of course. I never suggested otherwise.
>> IBTD. Did you or did you not suggest that storing cookies or form data
>> would be a way to "'force' [a] user to use [a] [Web] site in [a]
>> defined order?
>
> What has that got to do with it? I did not suggest that cookies were
> any less susceptible to being "forged" and you seemed to think I had.

No, I said that one approach (that you dismissed) is as susceptible to a forging attack as the other one (that you mentioned as a proper replacement). That is quite a different thing.

>> F'up2 comp.infosystems.www.authoring.misc
>
> The usual practice is to set a followup-to header in order to limit
> the discussion to more suitable groups. You seem to have just added
> comp.infosystems.www.authoring.misc. Why do you think more people
> want to see this?

Temporary malfunction on layer 8 in interaction with layer 7. Interestingly, you forgot to set the Followup-To header as well, so I guess we are even now

F'up2 ciwam

PointedEars
--
var bugRiddenCrashPronePieceOfJunk = (
    navigator.userAgent.indexOf('MSIE 5') != -1
    && navigator.userAgent.indexOf('Mac') != -1
)  // Plone, register_function.js:16

#16

Tue, 01 Apr 2008 14:15:07 +0100, /Geoff Cox/:

> Thanks everyone for the useful comments - will work through them now.

Just wanted to point out there are frameworks which can manage the thing for you, like the "Seam conversations":

http://docs.jboss.com/seam/2.0.1.GA/...l.html#d0e1568

But using a specific framework may not be applicable, often.

--
Stanimir