Solved

How do I allow access to a website resource only from within the site?

Posted on 2011-03-22
Last Modified: 2012-08-14
I am hosting a public web site and I am wanting to control access to a shared directory within it.

The main site is a Moodle site (not really relevant, just noteworthy that it is PHP, SQL2008 R2) and within the learning environment I'd like to provide access to an internal site.

I have the link within Moodle working, and the internal site loads with no problems (it is a shared folder within the site), but the concern is I can access the internal site simply by entering the URL in the browser.

My question therefore is, is there a way to allow access to the internal site only via the link from the Moodle site (the request comes from Moodle), and not allow access via URL entry (or any other way for that matter!).

Preliminary research has suggested it may be possible by setting up a module within IIS 7, but before further time is spent on researching this technology, I thought I'd check with the experts. (And if this is the case any help would be appreciated!)

Thanks in advance.
Question by:Dragor
2 Comments

Accepted Solution

by:
Ted Bouskill earned 500 total points
ID: 35200058
The technology is relevant and I'll explain why.  You may be aware of some of what I describe but I want to be clear and cover the whole topic to be sure you understand the issues.

IIS is configured to either serve static files (HTM or HTML) or dynamic files mapped to an ISAPI DLL that processes the file requests.  In your case it's a PHP DLL.  That DLL then runs the script for the file extensions mapped to it which exist in a web site or web application.

IIS provides security only for the original page request.  So, if your site is set as Anonymous then any client browser can execute a GET/POST to any page in the web site.  If you turn off Anonymous authentication and select Basic, Digest or Windows authentication then credentials for access have to exist in the host server.  Form-based authentication redirects requests to a login page you have to build to then authenticate the user and manage authentication.

The key is that if you are not using integrated authentication then your scripts have to execute the authentication to control access.

In ASP.NET I would solve this problem by using Anonymous access at the root site, then, using a nested web application, configure the shared folder to use one of ASP.NET's choices.  ASP.NET gives you ways in the web.config to control access without writing any code.  If you choose to write code, form-based authentication is trivial to set up and get running.

So, in your case because you are using Moodle, you either have to get IIS to block access to the intranet site using integrated security or you have to customize the Moodle scripts to implement authentication.
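
An added example (not part of the original answer, and not Moodle's own code) of the second option named above: a small PHP gate that serves the internal pages only to visitors with an authenticated Moodle session. The script name `gate.php`, its location in the Moodle root, the `file` parameter and the folder path are assumptions for illustration.

```php
<?php
// gate.php: added example, not from the original thread.
// Assumed location: the Moodle root, next to Moodle's config.php.
require_once(__DIR__ . '/config.php');   // boots Moodle and its session

// Moodle's own check: sends the visitor to the login page unless an
// authenticated Moodle session already exists.
require_login();

// Hypothetical folder holding the internal site. It must sit OUTSIDE the
// IIS web root (or have Anonymous access disabled); otherwise the direct
// URL still works and this script protects nothing.
$base = realpath('D:\\protected\\internal');   // placeholder path
if ($base === false) {
    header('HTTP/1.1 500 Internal Server Error');
    exit;
}

// Hypothetical query parameter naming the page to serve.
$requested = isset($_GET['file']) ? (string) $_GET['file'] : 'index.html';

// Resolve the real path and confirm it is still inside $base, so that
// "..\" sequences cannot reach other files on the server.
$path = realpath($base . DIRECTORY_SEPARATOR . $requested);
if ($path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    header('HTTP/1.1 404 Not Found');
    exit;
}

// Serve only an allow-list of static types; never hand out scripts or configs.
$types = array(
    'html' => 'text/html', 'htm' => 'text/html', 'css' => 'text/css',
    'js'   => 'application/javascript', 'png' => 'image/png',
    'jpg'  => 'image/jpeg', 'gif' => 'image/gif', 'pdf' => 'application/pdf',
);
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (!isset($types[$ext])) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

header('Content-Type: ' . $types[$ext]);
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Links inside the internal pages have to point back through `gate.php?file=...`, since relative URLs would otherwise resolve against the Moodle root. Checking the `Referer` header instead would not give the same guarantee, because the client controls that header.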
 

Author Closing Comment

by:Dragor
ID: 35202911
Thank you very much for your time @tedbilly.
I had a feeling we would need to create another site rather than sharing within the anonymous access site.
Muchly appreciated.