We need to post from data to a partner who is providing a service to us. We want to do this via a form post to keep things simple.
We will post form data (an id) to a form on the service provider's website using JavaScript etc. The service needs to take this id and show some associated data to the user. We pictured this posting to a form on their server and then displaying the result in a popup. If the user is happy with the associated data they will hit submit on the form in the popup (which is on the service provider's server) and the service provider will post to a controller on our server.
- User clicks link on our website
- This posts data to the service provider's site and displays content from the service provider's site in a popup/iframe
- User checks the data displayed in popup and sees they are happy with it
- The user hits submit in the popup (service provider updates something on their site)
- Service provider submits form data to our controller (we update something on our site)
We need to make sure that only our server can post to their page and only they can post to our page.
We are using MVC3. They are using a web technology of their choice.
Any advice on the simplest, quickest and secure way of doing this? We obviously need to prevent replay attacks and be sure that they are the only ones that can post to us.
Ah no, that’s impossible. If you have an HTML <form> whose action is pointing to some url (no matter if this url is located on your server or on a third-party server), when this form is submitted the browser will POST to this url and redirect to it. This means that while you will be able to send the request to the remote source and it might then query some controller action on your domain, you will not be able to show the results of the execution of this controller action in the browser, because the browser will show the result of the execution of this remote url.

So one technique would be to have the HTML <form> POST to a controller action of yours which itself will delegate the request to the remote service (using a WebClient) and then return some view to the user.

Now all that’s left is to ask the network administrator of the remote server to allow HTTP requests only from the IP address of your web server.
Of course this is leaving the possibility for the user to craft an HTTP request to the controller action of yours and thus indirectly hit the remote service. The only possible way to prevent this from happening is to use authentication and deny public access to anyone to this controller action.
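One way to cover the two requirements raised in the question (only the partner can post to you, and a captured post cannot be replayed) that does not depend on the web technology either side uses: both servers share a secret, every server-to-server POST carries a timestamp, a nonce and an HMAC over the fields, and the receiving controller rejects anything stale, repeated or unsigned. This is an added example, not code from the question or the answer; the shared secret, the field names (ts, nonce, sig) and the 300-second skew window are assumptions.

```python
import hmac
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Assumed shared secret, exchanged with the partner out of band (constructed for this example).
SHARED_SECRET = b"example-shared-secret-exchanged-out-of-band"
MAX_SKEW_SECONDS = 300  # assumed tolerance for clock drift between the two servers


def _mac(fields, secret):
    # Canonical form: URL-encoded, sorted key/value pairs, excluding the signature itself,
    # so both sides compute the MAC over exactly the same bytes.
    canon = urlencode(sorted((k, v) for k, v in fields.items() if k != "sig"))
    return hmac.new(secret, canon.encode(), hashlib.sha256).hexdigest()


def sign_post(fields, secret=SHARED_SECRET, now=None):
    """Return the form fields with ts, nonce and an HMAC-SHA256 signature added."""
    ts = int(now if now is not None else time.time())
    signed = dict(fields, ts=str(ts), nonce=secrets.token_hex(16))
    signed["sig"] = _mac(signed, secret)
    return signed


class ReplayGuard:
    """Receiving-side check: verifies the signature, the timestamp window and nonce uniqueness."""

    def __init__(self, secret=SHARED_SECRET, max_skew=MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp, only for requests that passed the signature check

    def verify(self, fields, now=None):
        now = int(now if now is not None else time.time())
        try:
            ts, nonce, sig = int(fields["ts"]), fields["nonce"], fields["sig"]
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.max_skew:
            return False  # stale or from a badly skewed clock
        # Constant-time comparison; check the MAC before touching the nonce store
        # so unauthenticated requests cannot fill it.
        if not hmac.compare_digest(sig, _mac(fields, self.secret)):
            return False
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if nonce in self.seen:
            return False  # replay of a request already accepted inside the window
        self.seen[nonce] = ts
        return True
```

IP allow-listing as suggested in the answer still applies; the signature check is what stops a spoofed or replayed post from being accepted even if the network filter is bypassed.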