Web Application and URLs

  

I have followed the beginners web application tutorial and found it very helpful. Functionality-wise, OutSystems can do what it needs to do. Upon completing the tutorial and completing my Movie application I checked the source code from screen to screen (Movies, movie details, people, etc.) to see what URL was in the iframe for my application when running it from my OutSystems space. Each screen had the exact same URL and I wondered how values were passed from screen to screen so that, for example, the MovieDetails page knew what movie ID to work with. Upon inspecting the URL I noticed that there is a VIEWSTATE hidden field, a feature that is supported in web forms, which seems to be what OutSystems uses for ASP.NET applications. Moving forward, Microsoft is discontinuing web forms and I know that when you build with OutSystems that "it shouldn't matter" what technology it uses, such as moving to MVC, but it really does. If it switches to MVC, then the URL will start changing and values will likely be passed in the URL of the application.


Normally, this isn't a huge deal since you should be checking the security on any variables passed in the URL to make sure the current user should have access to that resource, but some applications depend on the URL format itself. When webforms is finally discontinued and when/if OutSystems changes to use MVC or Razor pages or whatever new ASP.NET platform makes sense, how will that affect the URL of the application that OutSystems generates? Those of us who have applications where we have built-in security based on the actual URL need to know how to plan for this.

Solution

Hi Brian,

I'm not sure why you are mentioning iframes, as unless you are previewing a mobile app, there are no iframes used.

That said, when clicking on a link or button that uses the Navigate Method, the Screen Input Parameters are visible to the user (https://www.mydomain.com/NameOfEspace/MyScreen.aspx?myFirstParameter=Value1). Only when using Submit or Ajax Submit does the URL stay the same. I've been told this is inherent to the way HTTP works.

OutSystems is a secure platform by design, but of course you need to develop your apps with security in mind. Any Screen that receives parameters should (like you mentioned) do both a sanity check and a security check of those parameters in the Preparation, and refuse to run if the user isn't allowed to view the content based on those parameters. Security through obscurity is never ever a good idea.

As a final thought, though I can understand you find it interesting what goes on "under the hood" of the Platform, I wouldn't worry too much about the finer details. OutSystems has a great track record of backwards compatibility, and will always explicitly and clearly mention any breaking changes in the release notes of a new Platform version.
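The two checks described in the answer above (a sanity check and a security check on a Screen input parameter, with the screen refusing to run otherwise), sketched as an added example that is not part of the original thread and not OutSystems-generated code. The `MovieDetails.aspx` screen, the `MovieId` parameter name, the users and the access list are all assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: which user may view which movie record.
MOVIE_ACL = {1: {"alice", "bob"}, 2: {"alice"}}
MAX_ID = 2**31 - 1  # assumed upper bound for a 32-bit integer identifier


class Rejected(Exception):
    """Raised when the request must not be served; carries an HTTP status."""
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def parse_movie_id(url):
    """Sanity check: exactly one MovieId parameter, a plain positive integer."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("MovieId", [])
    if len(values) != 1:
        raise Rejected(400, "MovieId missing or repeated")
    raw = values[0]
    # isascii() + isdigit() rejects signs, whitespace, decimals and Unicode digits
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 10:
        raise Rejected(400, "MovieId is not a plain integer")
    movie_id = int(raw)
    if not 1 <= movie_id <= MAX_ID:
        raise Rejected(400, "MovieId out of range")
    return movie_id


def prepare_movie_details(url, session_user):
    """Security check: runs on every request, before any data is loaded."""
    if session_user is None:
        raise Rejected(401, "not logged in")
    movie_id = parse_movie_id(url)
    # Unknown ids and forbidden ids get the same answer, so the response
    # does not reveal which ids exist.
    if session_user not in MOVIE_ACL.get(movie_id, set()):
        raise Rejected(403, "not allowed to view this movie")
    return movie_id


def status_for(url, session_user):
    """HTTP status the screen would answer with for this URL and user."""
    try:
        prepare_movie_details(url, session_user)
        return 200
    except Rejected as exc:
        return exc.status
```

Because the decision depends only on the session user and the validated value, it holds whether the parameter arrives in the query string or by some other route.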
