Solved

How do I allow access to a website resource only from within the site?

Posted on 2011-03-22
Last Modified: 2012-08-14
I am hosting a public web site and I am wanting to control access to a shared directory within it.

The main site is a Moodle site (not really relevant, just noteworthy that it is PHP, SQL2008 R2) and within the learning environment I'd like to provide access to an internal site.

I have the link within Moodle working, and the internal site loads with no problems (it is a shared folder within the site), but the concern is I can access the internal site simply by entering the URL in the browser.

My question therefore is, is there a way to allow access to the internal site only via the link from the Moodle site (the request comes from Moodle), and not allow access via URL entry (or any other way for that matter!).

Preliminary research has suggested it may be possible by setting up a module within IIS 7, but before further time is spent on researching this technology, I thought I'd check with the experts. (And if this is the case any help would be appreciated!)

Thanks in advance.
Question by:Dragor

Accepted Solution

by:
Ted Bouskill earned 500 total points
ID: 35200058
The technology is relevant and I'll explain why.  You may be aware of some of what I describe but I want to be clear and cover the whole topic to be sure you understand the issues.

IIS is configured to either serve static files (HTM or HTML) or dynamic files mapped to an ISAPI DLL that processes the file requests.  In your case it's a PHP DLL.  That DLL then runs the script for the file extensions mapped to it which exist in a web site or web application.

IIS provides security only for the original page request.  So, if your site is set as Anonymous then any client browser can execute a GET/POST to any page in the web site.  If you turn off Anonymous authentication and select Basic, Digest or Windows authentication then credentials for access have to exist in the host server.  Form-based authentication redirects requests to a login page you have to build to then authenticate the user and manage authentication.

The key is that if you are not using integrated authentication then your scripts have to execute the authentication to control access.

In ASP.NET I would solve this problem by using Anonymous access at the root site, then, using a nested web application, configure the shared folder to use one of ASP.NET's choices.  ASP.NET gives you ways in the web.config to control access without writing any code.  If you choose to write code, form-based authentication is trivial to set up and get running.

So, in your case because you are using Moodle, you either have to get IIS to block access to the intranet site using integrated security or you have to customize the Moodle scripts to implement authentication.
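
One way to take the second route in the answer above (the script performs the authentication), as an added example that is not part of the original post or Moodle's own code. It assumes the gate is saved as `local/internal/view.php` inside the Moodle tree and that the internal files have been moved to a folder IIS does not serve; the path `D:\private\internal-site` and the type allowlist are constructed for illustration.

```php
<?php
// Added example: session-gated file server for the "internal site".
// Assumed location: <moodle>/local/internal/view.php
require(__DIR__ . '/../../config.php');   // boots Moodle: session, $CFG, $USER

// Assumed path; it must NOT be reachable by URL, or the gate can be bypassed.
const INTERNAL_ROOT = 'D:\\private\\internal-site';

// Only these static types are served (constructed allowlist).
const ALLOWED_TYPES = [
    'html' => 'text/html; charset=utf-8',
    'css'  => 'text/css',
    'js'   => 'application/javascript',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'pdf'  => 'application/pdf',
];

// Moodle redirects to its login page unless the session is authenticated.
require_login();
if (isguestuser()) {            // guest sessions are not real accounts
    http_response_code(403);
    exit('Forbidden');
}

// PARAM_PATH is Moodle's cleaner for relative paths.
$relative = optional_param('file', 'index.html', PARAM_PATH);

// Resolve the request and confirm it is still inside INTERNAL_ROOT.
$root   = realpath(INTERNAL_ROOT);
$target = realpath($root . DIRECTORY_SEPARATOR . $relative);
if ($root === false || $target === false || !is_file($target)
        || strncmp($target, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// Refuse anything outside the allowlist (for example .php or .config files).
$ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
if (!isset(ALLOWED_TYPES[$ext])) {
    http_response_code(403);
    exit('Forbidden');
}

header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . filesize($target));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($target);
```

Because access depends on the Moodle session and not on where the request came from, typing the URL directly only works for a user who is already logged in. Links inside the internal pages have to point back through `view.php?file=...` so that every request passes the same check.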

Author Closing Comment

by:Dragor
ID: 35202911
Thank you very much for your time @tedbilly.
I had a feeling we would need to create another site rather than sharing within the anonymous access site.
Muchly appreciated.