Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


ASP.NET Master Pages prevent unauthorised page access

Posted on 2011-02-24
Medium Priority
Last Modified: 2012-05-11
I have an ASP.NET project using a master page. I am not using much behind code but prefer to comm with the server using jQuery and ajax, so I'm calling child pages using window.location.href in JavaScript, which works fine.

I'm looking to a way to prevent someone accessing a child page by it's URL directly through their browser. Given how I've set things up as above, please recommend a good solution, preferably one that doesn't make use of the URL.

Question by:jonatec
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
LVL 13

Expert Comment

by:Rahul Agarwal
ID: 34969203
Try this:

function ShowRolePermission(Role_Id)
        var hidFlag= document.getElementById('<%=hidFlag.ClientID %>');
         if (hidFlag.value=="")
         var windowUrl = "Page.aspx?RoleId="+Role_Id;
          window.location = windowUrl;
LVL 20

Expert Comment

ID: 34969210

You need to obfuscate the url and pass this information to another aspx which will validate the information and redirect:


where key contains encrypted information on the page to redirect to and a time span, so the url cannot be bookmarked.

Author Comment

ID: 34969698

I like the encryption possibility. Please help me understand further please:
You mention a "time span", do you mean encrypt a datetime and pass that?

Also, what is to stop the user copy/paste the whole url, together with encrypted parameter into another browser window ?
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

LVL 20

Accepted Solution

Proculopsis earned 1500 total points
ID: 34969742

>>>Also, what is to stop the user copy/paste the whole url, together with encrypted parameter into another browser window ?

Nothing, that's why you need to encode a time span for which the url is still valid.

Author Comment

ID: 34969761
So you mean if the current time in the child page is > passed date/time + (say 60 seconds) then reject ?
LVL 16

Expert Comment

by:Kamal Khaleefa
ID: 35119825

i recomet to use like a session in your master page
for exaplme if the link is coming from the master page set your session to some value
and in the child page check the session value
if it is equal to what you set then it means it come from master page
redirect him to the master page

Author Comment

ID: 35122385

I want to use JavaScript window.location.href = "nextpage.aspx" to call the next page, then, for example, in nextpage.aspx use jQuery or JavaScript to check for direct page access. So perhaps the solution Proculopsis gave would be better suited as I would then have to craft or find an encryption algorithm written in JavaScript.
LVL 16

Expert Comment

by:Kamal Khaleefa
ID: 35125434

Author Closing Comment

ID: 35126582
I can't believe that it's such a big deal to prevent direct access to a web page through a saved URL. Anyway based on the lack on alternative answers from this forum I have to concede that if I want to control this through JavaScript then an encrypted URL with a timestamp wil do. Thanks.

Featured Post

Simplify Your Workload with One Tool

How do you combat today’s intelligent hacker while managing multiple domains and platforms? By simplifying your workload with one tool. With Lunarpages hosting through Plesk Onyx, you can:

Automate SSL generation and installation with two clicks
Experience total server control

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article was originally published on Monitis Blog, you can check it here . Today it’s fairly well known that high-performing websites and applications bring in more visitors, higher SEO, and ultimately more sales. By the same token, downtime…
Dramatic changes are revolutionizing how we build and use technology. Every company is automating, digitizing, and modernizing operations. We need a better, more connected way to work together as teams so we can harness the insights from our system…
This video teaches users how to migrate an existing Wordpress website to a new domain.
The is a quite short video tutorial. In this video, I'm going to show you how to create self-host WordPress blog with free hosting service.

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question