How do I allow access to a website resource only from within the site?

Posted on 2011-03-22
Last Modified: 2012-08-14
I am hosting a public web site and I am wanting to control access to a shared directory within it.

The main site is a Moodle site (not really relevant, just noteworthy that it is PHP, SQL2008 R2) and within the learning environment I'd like to provide access to an internal site.

I have the link within Moodle working, and the internal site loads with no problems (it is a shared folder within the site), but the concern is I can access the internal site simply by entering the url in the browser.

My question, therefore, is: is there a way to allow access to the internal site only via the link from the Moodle site (the request comes from Moodle), and not allow access via URL entry (or any other way for that matter!)?

Preliminary research has suggested it may be possible by setting up a module within IIS 7, but before further time is spent on researching this technology, I thought I'd check with the experts. (And if this is the case any help would be appreciated!)

Thanks in advance.
Question by:Dragor
Accepted Solution

by: Ted Bouskill
ID: 35200058
The technology is relevant and I'll explain why.  You may be aware of some of what I describe but I want to be clear and cover the whole topic to be sure you understand the issues.

IIS is configured to either serve static files (HTM or HTML) or dynamic files mapped to an ISAPI DLL that processes the file requests.  In your case it's a PHP DLL.  That DLL then runs the script for the file extensions mapped to it which exist in a web site or web application.

IIS provides security only for the original page request.  So, if your site is set as Anonymous then any client browser can execute a GET/POST to any page in the web site.  If you turn off Anonymous authentication and select Basic, Digest or Windows authentication then credentials for access have to exist in the host server.  Form-based authentication redirects requests to a login page you have to build to then authenticate the user and manage authentication.

The key is that if you are not using integrated authentication then your scripts have to execute the authentication to control access.

In ASP.NET I would solve this problem by using Anonymous access at the root site, then, using a nested web application, configure the shared folder to use one of ASP.NET's choices.  ASP.NET gives you ways in the web.config to control access without writing any code.  If you choose to write code, form-based authentication is trivial to set up and get running.

So, in your case because you are using Moodle, you either have to get IIS to block access to the intranet site using integrated security or you have to customize the Moodle scripts to implement authentication.
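The IIS-side option from the answer above (integrated security on the internal content, hosted as its own site or application), sketched as an added web.config example; it is not part of the original answer. The group name `EXAMPLE\InternalStaff` is a placeholder assumption, and the file is assumed to sit at the root of the internal site.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: web.config for the separate internal site/application.
     EXAMPLE\InternalStaff is a placeholder Windows group (assumption). -->
<configuration>
  <system.webServer>
    <security>
      <!-- Weak setting, inherited when the folder lives inside the
           anonymous Moodle site:
             <anonymousAuthentication enabled="true" />
           Anyone who knows the URL can request the content directly. -->
      <authentication>
        <!-- Hardened: no anonymous requests; IIS demands Windows
             (integrated) credentials before serving anything. -->
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>

      <!-- IIS 7 URL Authorization. The server default is
           "Allow users=*"; remove it and allow one group only. -->
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="EXAMPLE\InternalStaff" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

The authentication sections are locked at server level by default, so they must either be unlocked for this site or set through IIS Manager instead of web.config. The authorization rules take effect only when the URL Authorization role service is installed.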
 

Author Closing Comment

by:Dragor
ID: 35202911
Thank you very much for your time @tedbilly.
I had a feeling we would need to create another site rather than sharing within the anonymous access site.
Muchly appreciated.