ASP.NET Master Pages prevent unauthorised page access

I have an ASP.NET project using a master page. I am not using much behind code but prefer to comm with the server using jQuery and ajax, so I'm calling child pages using window.location.href in JavaScript, which works fine.

I'm looking to a way to prevent someone accessing a child page by it's URL directly through their browser. Given how I've set things up as above, please recommend a good solution, preferably one that doesn't make use of the URL.

Thanks.
jonatecAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
ProculopsisConnect With a Mentor Commented:

>>>Also, what is to stop the user copy/paste the whole url, together with encrypted parameter into another browser window ?

Nothing, that's why you need to encode a time span for which the url is still valid.
0
 
Rahul AgarwalTeam LeaderCommented:
Try this:

function ShowRolePermission(Role_Id)
        {
        var hidFlag= document.getElementById('<%=hidFlag.ClientID %>');
       
         if (hidFlag.value=="")
         {
         
         var windowUrl = "Page.aspx?RoleId="+Role_Id;
          window.location = windowUrl;
         }
        }
0
 
ProculopsisCommented:

You need to obfuscate the url and pass this information to another aspx which will validate the information and redirect:

  nextPage.aspx?key=67456FE456BC65454DD6465ABA564674485D876565FFBC444444AAA76456875CD

where key contains encrypted information on the page to redirect to and a time span, so the url cannot be bookmarked.
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
jonatecAuthor Commented:
Proculopsis:

I like the encryption possibility. Please help me understand further please:
You mention a "time span", do you mean encrypt a datetime and pass that?

Also, what is to stop the user copy/paste the whole url, together with encrypted parameter into another browser window ?
0
 
jonatecAuthor Commented:
So you mean if the current time in the child page is > passed date/time + (say 60 seconds) then reject ?
0
 
Kamal KhaleefaInformation Security SpecialistCommented:
@jonatec

i recomet to use like a session in your master page
for exaplme if the link is coming from the master page set your session to some value
and in the child page check the session value
if it is equal to what you set then it means it come from master page
otherwise
redirect him to the master page
0
 
jonatecAuthor Commented:
king2002

I want to use JavaScript window.location.href = "nextpage.aspx" to call the next page, then, for example, in nextpage.aspx use jQuery or JavaScript to check for direct page access. So perhaps the solution Proculopsis gave would be better suited as I would then have to craft or find an encryption algorithm written in JavaScript.
0
 
Kamal KhaleefaInformation Security SpecialistCommented:
THEN TRY TO USE QUERY STRING WITH ENCRYPTION
0
 
jonatecAuthor Commented:
I can't believe that it's such a big deal to prevent direct access to a web page through a saved URL. Anyway based on the lack on alternative answers from this forum I have to concede that if I want to control this through JavaScript then an encrypted URL with a timestamp wil do. Thanks.
0
All Courses

From novice to tech pro — start learning today.