Solved

How do I allow access to a website resource only from within the site?

Posted on 2011-03-22
Last Modified: 2012-08-14
I am hosting a public web site and I am wanting to control access to a shared directory within it.

The main site is a Moodle site (not really relevant, just noteworthy that it is PHP, SQL2008 R2) and within the learning environment I'd like to provide access to an internal site.

I have the link within Moodle working, and the internal site loads with no problems (it is a shared folder within the site), but the concern is I can access the internal site simply by entering the URL in the browser.

My question therefore is, is there a way to allow access to the internal site only via the link from the Moodle site (the request comes from Moodle), and not allow access via URL entry (or any other way for that matter!).

Preliminary research has suggested it may be possible by setting up a module within IIS 7, but before further time is spent on researching this technology, I thought I'd check with the experts. (And if this is the case any help would be appreciated!)

Thanks in advance.
Question by:Dragor

Accepted Solution

by:
Ted Bouskill earned 500 total points
ID: 35200058
The technology is relevant and I'll explain why.  You may be aware of some of what I describe but I want to be clear and cover the whole topic to be sure you understand the issues.

IIS is configured to either serve static files (HTM or HTML) or dynamic files mapped to an ISAPI DLL that processes the file requests.  In your case it's a PHP DLL.  That DLL then runs the script for the file extensions mapped to it which exist in a web site or web application.

IIS provides security only for the original page request.  So, if your site is set as Anonymous then any client browser can execute a GET/POST to any page in the web site.  If you turn off Anonymous authentication and select Basic, Digest or Windows authentication then credentials for access have to exist in the host server.  Form-based authentication redirects requests to a login page that you have to build to authenticate the user and manage authentication.

The key is that if you are not using integrated authentication then your scripts have to execute the authentication to control access.

In ASP.NET I would solve this problem by using Anonymous access at the root site, then, using a nested web application, configure the shared folder to use one of ASP.NET's choices.  ASP.NET gives you ways in the web.config to control access without writing any code.  If you choose to write code, form-based authentication is trivial to set up and get running.

So, in your case because you are using Moodle, you either have to get IIS to block access to the intranet site using integrated security or you have to customize the Moodle scripts to implement authentication.
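The second option in the answer above (having the scripts perform the authentication), sketched as an added example that is not part of the original answer and not Moodle's own code. It assumes the internal content has been moved out of every IIS site root so that it is reachable only through this script; the script location, the `D:\internal_site` directory and the `file` parameter are hypothetical, while `require_login()`, `required_param()` and `PARAM_PATH` are Moodle core.

```php
<?php
// Added example. Assumed (hypothetical) layout:
//   <moodle>/local/internal/view.php   <- this script
//   D:\internal_site\                  <- content, NOT mapped by any IIS site
require_once(__DIR__ . '/../../config.php');   // boots Moodle and its session

// Moodle core: anyone without a valid Moodle session is sent to the login page,
// so typing the URL directly no longer bypasses authentication.
require_login();

// Hypothetical content root, kept outside the web root.
$root = realpath('D:\\internal_site');

// Requested file relative to $root, e.g. view.php?file=docs/intro.html
// PARAM_PATH asks Moodle to clean the value as a relative path.
$relative = required_param('file', PARAM_PATH);

// Defence in depth: resolve the path and confirm it is still under $root,
// so "../" sequences or links cannot reach other files on the server.
$target = ($root === false) ? false
        : realpath($root . DIRECTORY_SEPARATOR . $relative);
$prefix = $root . DIRECTORY_SEPARATOR;
if ($target === false || !is_file($target)
        || strncmp($target, $prefix, strlen($prefix)) !== 0) {
    header('HTTP/1.1 404 Not Found');
    exit;
}

// Serve only known static types; never hand back script or config source.
$types = array(
    'html' => 'text/html',
    'htm'  => 'text/html',
    'css'  => 'text/css',
    'js'   => 'application/javascript',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'pdf'  => 'application/pdf',
);
$ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
if (!isset($types[$ext])) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . filesize($target));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');   // keep copies out of shared caches
readfile($target);
```

The link inside Moodle would then point at this script instead of at the shared folder. Relative links inside the served pages have to be rewritten to go through the same script.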
 

Author Closing Comment

by:Dragor
ID: 35202911
Thank you very much for your time @tedbilly.
I had a feeling we would need to create another site rather than sharing within the anonymous access site.
Muchly appreciated.