Restrict Access To Web Site Based On Referrer, Cookies Or Something Else?
Feb 22, 2010
We have a scenario whereby we are hosting an ASP.NET MVC web site on behalf of someone else.The customer in this case wants us to restrict access to the web site, to those users who have logged in to their main portal. They should then only be able to get to our web site via a link from that portal.At this point I'm not yet sure what technology or authentication mechanism the 3rd party are using but just wanted to clarify what the possible options might be.If we call our hosted site B, and their portal web site A,as I see it we could:Check the referrer for all requests to B, unless they've come from A they can't get inCheck for a specific cookie (assuming A uses cookies)
I have a page which I only want to be accessable via a certain other page.Example, PageTwo.aspx can only be accessed via PageOne.aspxAll other referrers redirect to asp.netCan this be done in asp?
I am faced with a rather tricky issue. I am developing a web application that resides beneath a web site. The web application is actually meant for the employees of the company owning the web site. The employees can access the web app from the login facility on the site.
The situation demands that an employee must be able to login to the app only from the office machines and not from anywhere outside. I thought of a logic where in the IP address of the machine in which the employee sits will be stored against the employee profile and when he logs in, the authentication will check for user credentials as well as whether he is logging from the designated IP. If not he is not allowed access to the app even if the login credentials where correct.
I am not sure if this is a good way, because I feel tricky persons can give the same IP of the office machine in another machine, say at home and the logic is broken. Can somebody provide me a better way of solving the issue. I am using ASP.Net login control for user login.
I have a simple intranet site. It has a role based authorization in the web.config file.
Any user's in a specific role called as "Apr-Sales-Writers" will be authorized to use those pages. If not, they will not be authorized. So far so good. Works fine. But we added additional functionality where a new active directory group (means new role) has to be added and user's belonging to this new AD group should be given access to only specific .aspx pages on the intranet site. I am using a web.sitemap and it looks like this.
If the user's belong to say AD group "Apr-Sales-Writers", they should access only default.aspx and salesData.aspx pages. User's belonging to new AD group (which I did not include in the web.config file below), should have access to other .aspx pages.
I need to get the calling page url referrer and host name. I works for me if the calling pages are within the same network. When a page is called from an internal site that are outside of my network, I got the following error:
Object reference not set to an instance of an object.
when i first made the DB i used access 2010 which uses the 2007 file type which supports attachments, however asp.net doesnt support the 2007 format. and the 2003 file type doesnt support attachments, i assume i use the OLE object data type but i have no idea how i get my aspx page "new.aspx" to upload an attachment. plus i want to restrict the file type to *.jpg
I am currently working on a website with a Tab Container with roughly 5-10 tabs. I would like to have an Admin tab that is disabled to all users except those who are assigned in an Admin role (I have 2 roles, Admins and Customers). I am fairly new to ASP.NET so please bare with me. I have been crashing through it for about 3 weeks now, trying to help a friend get a site up and running!
My site uses cookies. I need to have it use sessions instead. The reason for this is because there is a third party that needs to connect to it, and it's always requiring 3rd party cookies to be enable in the browser and that is annoying my customers. Is there any other way around this other than switching to sessions?
in my asp.net+vb web page which is use din INTRANET web . In a page i want to restrict the browsing for four peoples only, so that i used a code like below.
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load Dim ipaddress As String ipaddress = Request.ServerVariables("HTTP_X_FORWARDED_FOR") If ipaddress = "" OrElse ipaddress Is Nothing Then ipaddress = Request.ServerVariables("REMOTE_ADDR") End If iptxt.Text = (ipaddress) If iptxt.Text = ("192.168.0.3") Then Response.Redirect("err.aspx") End If end sub
in my asp.net+vb web page which is use din INTRANET web . In a page i want to restrict the browsing for four peoples only, so that i used a code like below.
ProtectedSubPage_Load(ByVal sender AsObject,ByVal e AsSystem.EventArgs)HandlesMe.LoadDim ipaddress AsString ipaddress =Request.ServerVariables("HTTP_X_FORWARDED_FOR")If ipaddress =""OrElse ipaddress IsNothingThen ipaddress =Request.ServerVariables("REMOTE_ADDR")EndIf iptxt.Text=(ipaddress) If iptxt.Text=("192.168.0.3")ThenResponse.Redirect("err.aspx")EndIf
How can I Restrict Access to an specific folder, for example I have a folder that Authenticated users upload different files in it. the problem is that every user can access the files via URL in the browser.I don't use asp.net login controls for authenticating and role memberships, I have written login page and roles my self via code behind.
How can i prevent users from getting the list of files that exist in my website?
For example when users type on the address bar the WebsiteAddress+/DirectoryToSearch/ they get the list of files in that directory, without getting any permission denied error
Is there any setting in asp.net that am i missing?
I need a reliable method to switch off users' access to SSRS dynamically. If you care about the reason, users are not allowed to access SSRS from home, but they are allowed access from within the factory walls.
I can generate a token or event when they arrive at work or leave, no problem, such is the sophistication of our security system.
So I can create a little .net app that pokes SSRS in some way and tells SSRS to allow that username to access reports. When the users leaves the premises, the .net app will prod SSRS to deny that username access.
I considered dynamically adding and removing usernames from the authentication section of web.config in the SSRS root dir, as in <deny=usernamelist />. But given the frequency of changes (dozens per hour at peak times), that seems too intrusive, as it probably causes the restart of the app.
I tried adding usernames to the ACL on the SSRS physical directory (Microsoft SQL ServerMSSQL.2Reporting ServicesReportServer) as deny reader, and for a few brief minutes I thought I had arrived at a solution, but for some reason SSRS decided to serve pages to denied users seemingly at random. Must be cached somewhere, although I can't for the life of me figure out why that would be happening seemingly at random.
I rather like the ACL idea from the perspective of ease of control, and if there's a simple thing i have overlooked in the way SSRS interacts with IIS and NTFS permissions, I hope someone can point it out so I can understand why the ACL seems to be mostly ignored.
I want to secure a particular set of files in a folder by role type. I have the following entry (See below)...I notice this doesn't work (I.e., it doesn't secure the file by Role Type.. anyone can access the file). I've read that I need to map the .WMV extension to the ASp.Net DLL.
when i would like to restrict files to access only on my Test page , here i am retriving my files in iframe in Test page, problem occurs when a user authenticated themselves then they will be redirected on welcome page and he can access my files through welcome page on Browser by knowing my Folder Name. but i do'nt want to give permissions to access on welcome page using IBrowser i only want to give my files(.mht files) that should be accessed on iframe.
this code as shown below doing pretty well in Visual studio "Debug mode but when i deploy this on iis 7.0 then it is not restricting my .mht files so please help , if you have any othe idea to protect then please give me .
I need to restric access to my admin folder to certain people. Those with no authentication ticket should be redirectered to a "not allowed page". How do I identify all pages in my admin folder. I have so far but is it OK?
If url.Contains("/admin") Then 'If authentication ticket incorrect then `Response.Redirect("~/notallowed_admin.aspx")` End If
And not, I cannot use my web.config for this particular issue.
I have a security issue in my web application where user can enter malicious data/can change the page path directory. To avoid these i want to restrict the user by accessing/typing in the URL.
I have this Internet web service page(webservice.asmx) being consumed jquery ajax call.
And I am hoping to restrict public request to this webservice other than request from local pages (aspx or jquery ajax call).
The web service checks for form-authentication before it gets executed but I just don't feel comfortable the .asmx page and list of services are viewable.
So users can't just type www.mysite.com/webservice.asmx to access my webservice.
this might not be asp.net exactly but i hope it's ok that i ask this here?i'm looking to restrict access in web browsers to a particular extension like .mp3 - really i'd like to know how to do it two ways if possible 1: how can i restrict it so that nobody may embed/play/download mp3's on my server on their outside sites? I used to do this on php with .htaccesss but am new to .net2: how can i completely revoke the extensions' ability to function at all, even on my site? IE: I would test with a link on my own site/server to a mp3 on that server, and it would fail. I tried removing the MIME type for mp3 and restarting IIS but thatdoesn't seem to have done it.I can still go to the mp3 file in my browser by putting it's URL in the browser.
I am deploying a public ASP.NET website on an IIS7 web farm.
The application runs on 3 web servers and is behind a firewall.
We want to create a single page on the website that is accessible only to internal users. It is primarily used for diagnostics, trigger cache expiry, etc.
/admin/somepage.aspx
What is the best way to control access to this page? We need to:
Prevent all external (public) users from accessing the URL. Permit specific internal users to access the page, only from certain IPs or networks.
Should this access control be done at the (a) network level, (b) application level, etc.?
