  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 751
  • Last Modified:

Bypass forms authentication if IP matches list

I have a folder that I want to protect from anonymous users. I know how to do this with a login control using their username and password and forms authentication, but I also want to allow access to subscribers that have given us their IP or IP ranges.
So basically I need to allow access to these files in a folder if the user's IP or IP range matches the list in my table; if their IP or IP range doesn't match any in my table, then I need to redirect them to the login form, where they have a chance to enter a username and password to gain access.

Any ideas and/or examples?
Asked by: flukester
2 Solutions
 
Kyle Abrahams (Senior .Net Developer) commented:
pseudo code:

'Put in not postback.
If Authenticated = false then
if check_ip() then
 exit if
else
  'do nothing
end if

end sub 'page load

private function check_ip() as boolean
'get remote IP
  Dim h As System.Net.IPHostEntry = System.Net.Dns.GetHostEntry(System.Net.Dns.GetHostName)        
  Dim ip as string
  ip = h.AddressList.GetValue(0).ToString

'lookup in database to see if range exists.
end function
0
 
Kyle Abrahams (Senior .Net Developer) commented:
Sorry logic is a bit off.

'Page load
If Not Page.IsPostBack Then
  If Authenticated = False Then
    If check_ip() Then
      Authenticated = True
    End If 'check_ip
  End If 'authenticated
End If 'Page.IsPostBack

If Authenticated Then
  'display data
Else
  display_login_control()
End If

0
 
jmwheeler commented:
I could be wrong but I believe the example above will return the IP address for the server, not for the user accessing the site.

Try this:
Dim ipAddress As String

' Use the X-Forwarded-For header when one is present, otherwise the connecting address.
If Not Request.ServerVariables("HTTP_X_FORWARDED_FOR") Is Nothing Then
    ipAddress = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
Else
    ipAddress = Request.ServerVariables("REMOTE_ADDR")
End If


0

 
Kyle Abrahams (Senior .Net Developer) commented:
Jim, you are correct, my mistake.

flukester, plug Jim's if into my overall logic.
0
 
flukester (Author) commented:
Thanks guys, I am to that point (Jim's code) so I can get the IP address from the client. I like your idea ged, but the problem I see, if I am thinking straight, is that with forms authentication, as soon as they try and hit a page in the protected folder they are going to be redirected to the login page. How can I stop that redirect to the login page if their IP is in my table?
0
 
Kyle Abrahams (Senior .Net Developer) commented:
You WANT that to go to the authentication page.

In your authentication page, check their IP and then redirect back to the page they were trying to view.
0
 
flukester (Author) commented:
So you are saying, on the login page where they will be redirected automatically once they try and hit a protected page, put the IP check in the preload event maybe? Then if their IP doesn't match, load the login control to authenticate them with username and password? I don't want the user to see the login control if they have IP access, know what I mean?
0
 
Kyle Abrahams (Senior .Net Developer) commented:
I hear you.  The authentication page is like a bouncer . . . are you allowed in?

If they're on the list, bouncer lets them through, they still need to go through the bouncer though.

So on a page_load check the IP first, if it's in then set your authenticated variable to true, redirect and thereby you don't challenge them.

Otherwise, show the authentication control.

0
 
flukester (Author) commented:
Cool, makes sense to me. I will give it a shot. Thanks for the help.
0
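The login-page check the thread arrives at, as an added VB.NET example that is not code from any poster here. Because X-Forwarded-For is a request header the client can set, this version uses it only when the connection itself comes from a known proxy, and it matches CIDR ranges rather than single strings. Assumptions: the names IpGate, TrustedProxies, AllowedRanges and AdmitListedAddress are hypothetical, the ranges are constructed sample values standing in for the subscriber table, and the proxy appends the address it saw as the last X-Forwarded-For entry.

```vb
Imports System.Linq
Imports System.Net
Imports System.Web
Imports System.Web.Security

' Added example. Both lists are constructed sample values (assumption);
' in the thread's design AllowedRanges is loaded from the subscriber table.
Public Module IpGate
    Private ReadOnly TrustedProxies As String() = {"10.0.0.5/32"}
    Private ReadOnly AllowedRanges As String() = {"203.0.113.0/24", "198.51.100.17/32"}

    ' True when addr lies inside the CIDR block (IPv4 or IPv6); malformed input never matches.
    Public Function InCidr(addr As IPAddress, cidr As String) As Boolean
        Dim parts As String() = cidr.Split("/"c)
        Dim net As IPAddress = Nothing
        Dim bits As Integer
        If parts.Length <> 2 OrElse Not IPAddress.TryParse(parts(0), net) Then Return False
        If Not Integer.TryParse(parts(1), bits) Then Return False
        Dim a As Byte() = addr.GetAddressBytes()
        Dim n As Byte() = net.GetAddressBytes()
        If a.Length <> n.Length OrElse bits < 0 OrElse bits > a.Length * 8 Then Return False
        For i As Integer = 0 To a.Length - 1
            Dim take As Integer = Math.Min(8, bits - i * 8)
            If take <= 0 Then Exit For
            Dim mask As Byte = CByte((&HFF << (8 - take)) And &HFF)
            If (a(i) And mask) <> (n(i) And mask) Then Return False
        Next
        Return True
    End Function

    ' The connecting peer, unless that peer is one of our own proxies; then the last
    ' X-Forwarded-For entry (written by that proxy). Entries sent by the client are ignored.
    Public Function ClientAddress(remoteAddr As String, forwardedFor As String) As IPAddress
        Dim peer As IPAddress = Nothing
        If Not IPAddress.TryParse(remoteAddr, peer) Then Return Nothing
        If String.IsNullOrEmpty(forwardedFor) OrElse Not TrustedProxies.Any(Function(p As String) InCidr(peer, p)) Then Return peer
        Dim hop As IPAddress = Nothing
        If IPAddress.TryParse(forwardedFor.Split(","c).Last().Trim(), hop) Then Return hop
        Return Nothing
    End Function

    ' Call at the top of the login page's Page_Load, passing Request. A listed address gets
    ' the forms ticket and returns to ReturnUrl, so the login control is never shown.
    Public Sub AdmitListedAddress(req As HttpRequest)
        Dim client As IPAddress = ClientAddress(req.UserHostAddress, req.Headers("X-Forwarded-For"))
        If client IsNot Nothing AndAlso AllowedRanges.Any(Function(r As String) InCidr(client, r)) Then
            FormsAuthentication.RedirectFromLoginPage("ip:" & client.ToString(), False)
        End If
    End Sub
End Module
```

Any address that cannot be parsed or does not match falls through to the normal login control, so the check fails closed.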
