Solved

ASP.NET Master Pages prevent unauthorised page access

Posted on 2011-02-24
11
711 Views
Last Modified: 2012-05-11
I have an ASP.NET project using a master page. I am not using much behind code but prefer to comm with the server using jQuery and ajax, so I'm calling child pages using window.location.href in JavaScript, which works fine.

I'm looking to a way to prevent someone accessing a child page by it's URL directly through their browser. Given how I've set things up as above, please recommend a good solution, preferably one that doesn't make use of the URL.

Thanks.
0
Comment
Question by:jonatec
  • 4
  • 2
  • 2
  • +1
11 Comments
 
LVL 13

Expert Comment

by:agarwalrahul
Comment Utility
Try this:

function ShowRolePermission(Role_Id)
        {
        var hidFlag= document.getElementById('<%=hidFlag.ClientID %>');
       
         if (hidFlag.value=="")
         {
         
         var windowUrl = "Page.aspx?RoleId="+Role_Id;
          window.location = windowUrl;
         }
        }
0
 
LVL 20

Expert Comment

by:Proculopsis
Comment Utility

You need to obfuscate the url and pass this information to another aspx which will validate the information and redirect:

  nextPage.aspx?key=67456FE456BC65454DD6465ABA564674485D876565FFBC444444AAA76456875CD

where key contains encrypted information on the page to redirect to and a time span, so the url cannot be bookmarked.
0
 

Author Comment

by:jonatec
Comment Utility
Proculopsis:

I like the encryption possibility. Please help me understand further please:
You mention a "time span", do you mean encrypt a datetime and pass that?

Also, what is to stop the user copy/paste the whole url, together with encrypted parameter into another browser window ?
0
 
LVL 20

Accepted Solution

by:
Proculopsis earned 500 total points
Comment Utility

>>>Also, what is to stop the user copy/paste the whole url, together with encrypted parameter into another browser window ?

Nothing, that's why you need to encode a time span for which the url is still valid.
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 

Author Comment

by:jonatec
Comment Utility
So you mean if the current time in the child page is > passed date/time + (say 60 seconds) then reject ?
0
 
LVL 16

Expert Comment

by:Kamal Khaleefa
Comment Utility
@jonatec

i recomet to use like a session in your master page
for exaplme if the link is coming from the master page set your session to some value
and in the child page check the session value
if it is equal to what you set then it means it come from master page
otherwise
redirect him to the master page
0
 

Author Comment

by:jonatec
Comment Utility
king2002

I want to use JavaScript window.location.href = "nextpage.aspx" to call the next page, then, for example, in nextpage.aspx use jQuery or JavaScript to check for direct page access. So perhaps the solution Proculopsis gave would be better suited as I would then have to craft or find an encryption algorithm written in JavaScript.
0
 
LVL 16

Expert Comment

by:Kamal Khaleefa
Comment Utility
THEN TRY TO USE QUERY STRING WITH ENCRYPTION
0
 

Author Closing Comment

by:jonatec
Comment Utility
I can't believe that it's such a big deal to prevent direct access to a web page through a saved URL. Anyway based on the lack on alternative answers from this forum I have to concede that if I want to control this through JavaScript then an encrypted URL with a timestamp wil do. Thanks.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

A long time ago (May 2011), I have written an article showing you how to create a DLL using Visual Studio 2005 to be hosted in SQL Server 2005. That was valid at that time and it is still valid if you are still using these versions. You can still re…
This article demonstrates how to create a simple responsive confirmation dialog with Ok and Cancel buttons using HTML, CSS, jQuery and Promises
Viewers will get an overview of the benefits and risks of using Bitcoin to accept payments. What Bitcoin is: Legality: Risks: Benefits: Which businesses are best suited?: Other things you should know: How to get started:
The viewer will learn how to count occurrences of each item in an array.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now