User controls should never make redirects during GET request

Why is my page redirecting me back to front page although it gets all the data it requires? I was going out of my mind when exploring the problem in one system but this time there was really simple answer: you cannot fully trust the code written by n00bs. Okay, here is my story.

Suppose you have page with some user controls. Something like this.

There are some URL parameters that user controls use to make sure what data they need to show. I added new context: instead of numeric ID there is another unique parameter that can be used to detect products. ctlFeatured and ctlShoppingCard are written by good coders and ctlDiscount is written by not so well performing dude. After changes everything seems to work, tests show that page gets correct content etc but user is redirected to front page: this the default behavior for missing data (we have our own reasons why it is good).

I was debugging and debugging and everything seems to work fine – but still something redirects me away. Then I started to think about user controls on page. Maybe there is really something horrible done… and I was correct. ctlDiscount was my main suspect because it contains spaghetti code that was not audited yet. What was the problem? Simple – if there is no ID given by URL then redirect user away! This is bad mistake!

User controls should make redirects only during post backs initiated by some of their hosted controls. User controls should never make redirects during GET request.

If user control gets not enough data then it should write entry to error log about it and then hide itself or show error message (or warning). And… never trust the code written by n00bs!

Liked this post? Empower your friends by sharing it!
Categories: ASP.NET

View Comments (2)

  • I think it's even more important that user controls don't read info from the query string.

    The page should act like a router and inform the controls with the information they need, and act upon events from the use controls.

    It is the page that decides if an event from a user controls should result in a navigation or not.

  • Good article.

    >> User controls should make redirects only during post backs initiated by some of their hosted controls.

    I was wondering if this idea couldn't be strengthened: isn't is generally a bad idea for a user or server control to make redirects from within the page? This seems like poor design (with a few exceptions), with a subordinate, child object (the control) knowing about a larger scope (which page to view).

    The only exceptions would seem to be controls that are specifically navigation-related, or a control whose redirect page is programmatically set by the parent.

    Otherwise, are there any good cases to be made for when it's ok to redirect from a user (or server) control?

    -- Keith

Related Post