In one of my website I need to prevent direct access to non .aspx pages in a protected folder. Authentication works fine if I am going to [URL] but in one case my users are uploading html pages in that folder and if somebody cut and paste [URL]the page can be seen without the authentication process to be activated.
View 6 RepliesI am using IIS7's URLRewrite feature to hide the .aspx extension in my ASP.NET WebForms application's URLs.
I'm using the following configuration:
[code]....
I can now browse to:
[URL]
and this is rewritten to:
[URL]
This preserves the "pretty" url in the browser address bar. I have also updated all my links on the site to use the extensionless URLs.
The problem is that the underlying .aspx pages can still be accessed directly and I'd like to prevent this.
If a user browses to [URL] I'd like it to either redirect/rewrite to [URL], or at the very least just return a "Page not found".
Update:
I managed to get this working by redirecting all .aspx pages to the home directory. This isn't ideal as I'd prefer to send them to the non-.aspx version, but it will do for now.
<rule name="Block .aspx" stopProcessing="true">
<match url=".aspx" />
<action type="Redirect" url="/" />
</rule>`
How do I rewrite and redirect URLs that directly address .aspx pages to my friendly URL format?
I have certain pages in my application that are designed to be accessed only by redirect from other pages, and not directly(i.e they must get a query string from other page, otherwise there is an exception).
So I want to prevent users from accessing them by typing the URL, but I want them to be available by redirect.
I have a security issue in my web application where user can enter malicious data/can change the page path directory. To avoid these i want to restrict the user by accessing/typing in the URL.
View 5 RepliesI have a ASP.NET page called admin.aspx that needs to be protected from direct access.
I want it to be accessed only when the user enter his name & password in another page called login.aspx I'm working in ASP.NET with Visual Basic .NET 2008,how to do it.
There are some folders in my application that are only accessible by users in certain roles.In order to protect the contents of these folders, I placed web.config files in them which look like so:
[Code...]
Also,in the main web.config file, I have this configured:
[Code...]
However,when I try to access a folder that I'm not authorized to access, I'm not being redirected to unauthorized.aspx page as indicated in the main web.config. Instead,I'm getting sent to the login page.Any idea what I'm doing wrong? Here's the authentication section from the main web.config:
[Code...]
Using VS 2010 RC, VB, and Forms authentication to allow access to the site, depending on the login rights of a user, I want to turn on and off access to certain pages. I can turn on and off buttons to access the pages, but a user can type the page into the url, and it will still go to them.
View 5 RepliesI need to restrict access to pages based on permission given to roles based user .Roles created dynamically so that i can't restrict thru the WEB config file .i am using the custom sitemap so menu is showns correctly based on roles , but if we enter direct url in address bar we can access that page although its not permitted for the user .is there any other way to redirect to common access restrict page .
View 3 RepliesHere is my dilema, on my site i have a WordPress Audio player (http://wpaudioplayer.com/standalone) that plays my mp3's.
It loads the Mp3's in by javascript...example below:
AudioPlayer.embed("audioplayer_7", { soundFile: "/Files/Music/[name of file].mp3" });
This file name is clearly visible in the browser source. Not a problem, however this means that any user can legitimately browse to the file directly and download it.
Now i still need the mp3 player (which is flash) to have access to the file but if a user was to try accessing the file directly, they would not be allowed access to it.
I am not sure how to go about this, i am circling the idea of a httphandler but not sure if this is sufficiant to stop the direct access to the file.
Im using an aspx page as the srcl for an image in the host page to serve a dynamically generated image to the user based on parameters they supply
ie
<img alt="" src="generateimage.aspx" id="imagegen"/></div>
Id like for people only to access the content via default.aspx and not the dynamically generated content generateimage.aspx. Any attempt to browse here directly should be redirected to an error page
I have a web app developed using role & membership provider...
this is my web.config file
<authentication mode="Forms">
<forms loginUrl="Forms/LogIn.aspx" name=".ASPXFORMSAUTH" defaultUrl="Forms/main.aspx" timeout="30"></forms>
</authentication>[code]....
So i would like that the page "pag1.aspx" is reached bypassing the "main.aspx" so If I try to digit directly on the server http://localhost/forms/pag1.aspx?C=159 ......correctly appears the login page....and the URL became..
http://localhost/Forms/LogIn.aspx?ReturnUrl=%2fForms%2fpag1.aspx%3fC%3d151&C=159 and after login I can see correctly the page1.aspx . when I try to reach the page from my browser..I digit
http://myserver/forms/pag1.aspx?C=159 .... the login page appears...but the url became..
http://myserver/Forms/main.aspx
and after login I cannot see the page1.aspx....but main.aspx
I always create a folder "App_Pages" and use it ot put my aspx pages but I see with VS 2010 that it has several default folders created when adding a page. Which one is most applicable. Is it App_LocalResource? I assume that "App_Code" is where custom classes go.
View 3 RepliesI have developed an application in ASP.NET 3.5 which utilizes the Membership and Roles Providers and Forms Authentication to manage user access and profiles.
There are various area's of this application that are only to be used by an admin users whom login using their email and password and the rest of the users log in using their telephone number and password via their iPhone.
For simplicities sake, I would like to have two different login pages, one that is formatted for the iPhone and performs the correct validation for users adding a telephone number and the other for the application administrators.
I want to redirect the user to their respective login page based on which folder they are attempting to access. For example say I have an application structure like this
/Admin
/Couriers
/Customers
/Whatever
Default.aspx
iPhoneLogin.aspx
adminLogin.aspx
Web.config
I want to be able to redirect users who go to [URL]/Whatever to iPhoneLogin.aspx and users to go to [URL]/Admin to adminLogin.aspx
I am using the following in my webconfig, so that only admin an access the admin folder.
<location path="Admin" allowOverride="true">
<system.web>
<authorization>
<allow roles="Administrators" />
<deny users="*" />
</authorization>
</system.web>
Now when the guest user tries to access this he is redirected to the Login page. I want the user to either sho a popup that user cannot access it or just stay on the same page with some error message in a label on that page... Here is more code in webconfig
<authentication mode="Forms">
<forms loginUrl="Login.aspx" protection="All" name="Cookie" timeout="120" path="/" slidingExpiration="true"
defaultUrl="Default.aspx">
</forms>
I have a website that has anonymous authentication enabled. Now for a particular folder I want the users to be logged in with a userid and password. The user id and password is going to be same for everyone.
Eg user id is TEST and Password is answer. How can I do that?
I went in to that folder ->properties->directory security->edit-> And I disabled the anonymous access
But where should I add the User Id and Password? Under which option.
I'm wondering what would be the best solution for hidding a folder like for example "AdminFolder", and also .aspx pages inside this folder.
I have several pages inside "AdminFolder" which I (as "Administrator" :) ) plan to use for some background work on daily basis! I am using Membership shema and no one except me can not / or should not acces this area, but I'am afraid if web crawlers like google find and expose this part of my page in searching results!
I also need to create a second folder for PDF files which I also would like to hide (incl. PDF Files inside it) from web crawlers!
i need some lessons in how to create admin folder and pages to add user ,content ,authentication, etc
View 2 RepliesI am relatively new to ASP.NET and have searched the Internet to find guidance in preventing caching of web pages (in the latest versions of IE, Firefox, Chrome and Safari). Based on my search, I found a lot of conflicting/confusing info. As best as I can tell, it appears that I need to add the following 3 lines to the <head> section of my .aspx files:
[Code]....
if the aforementioned lines are correct and if all 3 lines are necessary? I have tried using different combinations of the 3 lines, but I get conflicting results (i.e., sometimes the page is cached and sometimes it's not).
I have a web service which is in a folder within my application. This folder is only accesible to certain roles. I use this service in a page on root of the application but I block creation of the javascript or the service definition in the aspx page if the user is not in the role.
The problem is that when anonymous users try to access the page in the root of the application they are prompted for a user name and password. I hope I am clear. The code below is what I have set up in the ASPX page:
[Code]....
I am trying to access Mysql database from aspx.pages using a web config file.
My web.config connection string is:
<configuration>
<connectionStrings>
<add connectionString="server-10.xxx.x.xx;uid=xxxxx;pwd=1234;database=Mydb"
providerName="MySql.Data.MySqlClient" />
</connectionStrings>
</configuration>
[Code]...
I developed our feature rich web page which is constantly changing. I'm not much of a programmer but I know HTML and CSS pretty well. I have a need to create a couple of login page for prospects and end users to get to secured content. I put together a page that works perfectly in Microsoft Visual Web developer Express 2010. This includes a login page. Ironically, after learning how to do all this from a book, there is a web page that perfectly chronicles what I am trying to accomplish and the steps to do it. It's here: [URL]
I don't expect you to watch it, but there is a simple aspx page created for login and then users are created and the content is displayed after successful login. It works fine in m development environment, but when I post, nothing. Furthermore, twice in the last two days, after downloading my current site to my hard drive, and then posting back after adding this functionality, my FrontPage forms stopped working. I had to have my website restored from backup. The whole thing makes no sense and I can't find any precedence posted on any user forums. So any testing I do seems to wipe out my navigation structure.
I'm going to establish the site on a different server tonight and see if its configuration. If that works, I'm not sure where to g next. I'd appreciate any thoughts. The worst part is I can't post a test page or my Fropage contact forms stop working.
I have a website statistics program that creates .htm pages for viewing. Im trying to keep them in their own folder on the root - "Statistics"After reading many posts I have tried many iterations of:
[code]...
Problem is, an .aspx pages in there won't get served with login, but all the .htm pages will.
I'm writing a simple Intranet application using windows authentication. I want to restrict access to Safe/UCantSeeMe.aspx. I am aware of the AuthorizeAttribute, but this only works on methods. I also found a good post on doing this with the MVC pattern, but I'm not using MVC. This can be done with roles in forms based security. I read on MSDN that using windows based security means roles are based on groups, but it doesn't go into any detail. how can I restrict access to Safe/UCantSeeMe.aspx?
View 1 RepliesI am trying to access a shared folder which is located on a different server rather than on the asp.net server.
I configured windows authentication and set impersonation to true. Also try with enable/disable basic authentication.
I have tried the following:
with a mapped driveshared folder access (\sharedfolder)virtual directory pointing to shared folder with pass through configuration. However none of the above works. I am getting "Access Denied" error when trying with shared folder and virtual directory. In the case of mapped drive getting "Not Found" error.
[Code]....
Trying to restrict access to folder but can't?