How to ensure a Web Request is Valid

Posted on 2011-05-10
Last Modified: 2013-11-19
I have two websites (call them A and B).
Website A will use class WebHTTPRequest to obtain a page from Website B.

When pagetoget.aspx on Website B runs, how can I ensure the request is coming
from Website A?

I can know the IP address and Machine name of Website A. Does this help?
I am assuming someone can grab website A code and modify it and put it on a different machine
and do whatever to fool Website B.

Any help/ideas will be appreciated.

Question by:jimr111998
    LVL 38

    Expert Comment

    by:Aaron Tomosky
    You can check the headers for referrer, but it's easier just to use the IIS built-in IP filter on website B. I know it's included on IIS 7 and up, not sure about earlier versions.

    Author Comment

    I really don't want a solution that depends on configuring a server.
    LVL 38

    Assisted Solution

    by:Aaron Tomosky
    OK, then check the referrer in the headers. If it's not site A, then redirect to an error page.
    LVL 21

    Accepted Solution

    You could try using Request.UrlReferrer to check if page is being accessed by another site.

    protected void Page_Load(object sender, EventArgs e) {
        if (!IsPostBack) {
            if (Page.Request.UrlReferrer != null) {
                string sUrl = Page.Request.UrlReferrer.ToString();
                // Redirected from another page; sUrl holds the referring URL
            } else {
                // Not redirected from another page. It is being accessed directly.
            }
        }
    }

    Author Closing Comment

    I am not sure that this method of just checking the
    referrer address is sufficient. I've heard of IP spoofing.
    I wonder if someone who knew the TCP/IP protocol
    well enough could construct a TCP/IP message with
    the desired IP source inserted.
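
The referrer checked in the accepted answer is a request header that the calling code sets itself, so it identifies nothing about the caller. As an added example (not from the thread or its participants), a different technique is sketched here: Website A signs each request with a secret shared with Website B, and Website B verifies the signature and its freshness. The class name, secret, message layout and five-minute window are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; SignedRequest and its members are hypothetical names.
static class SignedRequest
{
    static readonly TimeSpan MaxSkew = TimeSpan.FromMinutes(5); // assumed replay window

    // Website A: HMAC-SHA256 over "timestamp\npath", sent with the request (e.g. in a header).
    public static string Sign(byte[] key, string path, long unixTime)
    {
        using (var hmac = new HMACSHA256(key))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(unixTime + "\n" + path));
            return Convert.ToBase64String(mac);
        }
    }

    // Website B: reject stale timestamps, then recompute the MAC and compare.
    public static bool Verify(byte[] key, string path, long unixTime, string signature, long nowUnix)
    {
        if (signature == null || Math.Abs(nowUnix - unixTime) > (long)MaxSkew.TotalSeconds)
            return false;
        byte[] expected = Encoding.UTF8.GetBytes(Sign(key, path, unixTime));
        byte[] actual = Encoding.UTF8.GetBytes(signature);
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i]; // no early exit, so timing does not leak the match position
        return diff == 0;
    }

    static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-secret"); // constructed sample value
        long sent = 1305000000;                                         // constructed timestamp
        string sig = Sign(key, "/pagetoget.aspx", sent);

        Console.WriteLine(Verify(key, "/pagetoget.aspx", sent, sig, sent + 30));   // same path, 30 s later
        Console.WriteLine(Verify(key, "/other.aspx", sent, sig, sent + 30));       // signature reused on another path
        Console.WriteLine(Verify(key, "/pagetoget.aspx", sent, sig, sent + 3600)); // replayed an hour later
        Console.WriteLine(Verify(Encoding.UTF8.GetBytes("guess"), "/pagetoget.aspx", sent, sig, sent)); // wrong key
    }
}
```

The secret has to stay out of anything a third party can copy along with Website A's pages, and the exchange should run over HTTPS so the signed request cannot be captured and replayed inside the time window.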
