Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How do I allow access to a website resource only from within the site?

Posted on 2011-03-22
2
Medium Priority
?
324 Views
Last Modified: 2012-08-14
I am hosting a public web site and I am wanting to control access to a shared directory within it.

The main site is a Moodle site (not really relevant, just noteworthy that it is PHP, SQL2008 R2) and within the learning environment I'd like to provide access to an internal site.

I have the link within Moodle working, and the internal site loads with no problems (it is a shared folder within the site), but the concern is I can access the internal site simply by entering the url in the browser.

My question therefore is, is there a way to only allow access to the internal site only via the link from the Moodle site (the request comes from Moodle), and not allow access via URL entry (or any other way for that matter!).

Preliminary research has suggested it may be possible by setting up a module within IIS 7, but before further time is spent on researching this technology, I thought I'd check with the experts. (And if this is the case any help would be appreciated!)

Thanks in advance.
0
Comment
Question by:Dragor
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 51

Accepted Solution

by:
Ted Bouskill earned 2000 total points
ID: 35200058
The technology is relevant and I'll explain why.  You may be aware of some of what I describe but I want to be clear and cover the whole topic to be sure you understand the issues.

IIS is configured to either serve static files (HTM or HTML) or dynamic files mapped to a ISAPI DLL that processes the file requests.  In your case it's a PHP DLL.  That DLL then runs the script for the file extensions mapped to it which exist in a web site or web application.

IIS provides security only for the original page request.  So, if your site is set as Anonymous then any client browser can execute a GET/POST to any page in the web site.  If you turn off Anonymous authentication and select Basic, Digest or Windows authentication then credentials for access have to exist in the host server.  Form based authentication redirects requests to a log in page you have to build to then authenticate the user and manage authentication.

The key is that if you are not using integrated authentication then your scripts have to execute the authentication to control access.

In ASP.NET I would solve this problem by using Anonymous access at the root site, then using a nested web application configure the shared folder to use one of ASP.NET's choices.  ASP.NET gives you ways in the web.config to control access without writing any code.  If you choose to write code, form based authentication is trivial to setup and get running.

So, in your case because you are using Moodle, you either have to get IIS to block access to the intranet site using integrated security or you have to customize the Moodle scripts to implement authentication.
0
 

Author Closing Comment

by:Dragor
ID: 35202911
Thank you very much for your time @tedbilly.
I had a feeling we would need to create another site rather than sharing within the anonymous access site.
Muchly appreciated.
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article I will describe the Copy Database Wizard method as one possible migration process and I will add the extra tasks needed for an upgrade when and where is applied so it will cover all.
A phishing scam that claims a recipient’s credit card details have been “suspended” is the latest trend in spoof emails.
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question