ASP IIS directory protect

Posted on 2013-01-22
Medium Priority
Last Modified: 2013-02-13
I have these 2 files. The first is called lector.asp:

<style type="text/css">
.Estilo1 {font-family: Arial, Helvetica, sans-serif}
</style>
<span class="Estilo1">Selectcourse:</span><br />
<%
Response.Buffer= True

dim testcourse, testcn, archivo1

' The assignments are missing from the post; reading both values from the
' request is an assumption.
testcn = Request("testcn")
testcourse = Request("testcourse")

' Only continue when the marker value is present
if testcn<>"checado" then response.redirect "error.html"

directorio_protegido= "C:\inetpub\wwwroot\proteccion\"

'response.redirect "lector2.asp?testcn=checado&testcourse="& testcourse& "/runfile.html"
%>
<body onLoad="javascript:document.SSLForm.submit();" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" rightmargin="0"> 

<!-- Auto-submitted form that passes the marker and the course name to lector2.asp -->
<form name="SSLForm" method="POST" action="lector2.asp">
<input type="hidden" name="testcn" value="checado">
<input type="hidden" name="testcourse" value="<%= testcourse %>">
</form>
</body>




The second is called lector2.asp:

<%
Response.Buffer= True

dim testcourse, testcn, archivo1

' Values posted by the hidden form in lector.asp
testcn=Request.Form("testcn")
testcourse=Request.Form("testcourse") & "/runfile.html"

if testcn<>"checado" then response.redirect "error.html"


url_protegido = "http://" & Request.ServerVariables("HTTP_HOST") & "/proteccion/" & testcourse

Dim xml, bData, strWmaUrl, rhead1, rhead2

' Fetch the protected file over HTTP from the server itself
Set xml = Server.CreateObject("MSXML2.ServerXMLHTTP")
xml.Open "GET", url_protegido, False
xml.Send

bData = xml.ResponseBody
rhead1 = xml.getResponseHeader("Content-Length")
rhead2 = xml.getResponseHeader("Accept-Ranges")
Set xml = Nothing

' Choose the content type from the last three characters of the URL
termina = LCASE(right(url_protegido,3))

select case termina
       case "gif"
           Response.contentType ="image/gif"
       case "jpg"
           Response.contentType ="image/jpeg"
       case "peg"
           Response.contentType ="image/jpeg"
       case "png"
           Response.contentType ="image/png"
       case "bmp"
           Response.contentType ="image/bmp"
       case "xls"
           Response.contentType ="application/x-excel"
       case "ptx"
           Response.contentType ="application/ms-powerpoint"
       case "zip"
           Response.contentType ="application/zip"
       case "php"
           Response.contentType ="application/x-httpd-php"

       case "pdf"
          Response.AddHeader "Content-Disposition", "attachment;filename="&  Day(Date) & "-" & Month(date) & "-" & Year(Date) & ".pdf"
           Response.contentType ="application/pdf"

       case "tml"
           Response.contentType ="text/html"  
       case "htm"
           Response.contentType ="text/html"  
       case "doc"
           Response.contentType ="application/msword"
       case "ocx"
           Response.contentType ="application/msword"
       case "mp3"
           Response.contentType ="audio/x-ms-wma"
           Response.AddHeader "Content-Disposition", "attachment;filename="&  Day(Date) & "-" & Month(date) & "-" & Year(Date) & ".mp3"
       case "wma"
           Response.contentType ="audio/x-ms-wma"
           Response.AddHeader "Content-Disposition", "attachment;filename="&  Day(Date) & "-" & Month(date) & "-" & Year(Date) & ".WMA"
       case else
           Response.contentType ="text/html; charset=iso-8859-1" 
End Select

Response.AddHeader "Content-Length", rhead1
Response.AddHeader "Accept-Ranges", rhead2

' Send the fetched bytes to the browser
Response.BinaryWrite bData
%>




Then we can make many subdirs in the same route. For example, let's create a subdir course1 in the same route as those 2 files; inside that dir there will be an html page with the main launcher called runfile.html.
Now if you launch the first link like this, and supposing we are in local, no problem with the is just needed to be inside IIS:

Now if you see, the http link has the same name in the variable testcourse as the dir name we made. What the program does when we launch that link is go to the dir we made, course1, and run the file runfile.html. All OK, it is working perfectly, but I want to block access from this link, for example:

With this last link the user can do the same as with the first link: enter course1 and see the file runfile.html. I want to block access if the user enters via the second link; to see course1 and the file runfile.html, it must be called from the first. In other words:

This link is the only way to enter to see that. How can I do that to protect the script you are looking at in the 2 files?

I don't know if we can do it via IIS or maybe a script. I hope someone can help because the script is very important and we need to prevent users from seeing content in case they launch it in other ways.
Thank you
Question by:coerrace

Expert Comment

ID: 38865879
I think I hear what you are trying to do here, so here is a suggestion:

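1. You can do this via JavaScript:
// If the page was reached from another page, send the visitor to the login
// URL, carrying over the query string of the referring page
if (document.referrer != "") {
   var referringURL = document.referrer;
   var local = referringURL.substring(referringURL.indexOf("?"), referringURL.length);
   location.href = "http://page.com/login" + local; 
}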


(problem here is the client needs to have JS enabled)

2. You can design your app in such a way as to have only one way to get into each directory.
Simply have a landing page the user has to click from to get to runfile.htm and have your asp code check for the http referrer - if the referrer is the landing page then they can load the page, if it is not then redirect them to another page.

Author Comment

ID: 38866254
In what part do I need to put your code?
Thank you

Accepted Solution

becraig earned 2000 total points
ID: 38866276
I found an asp solution for you:

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        If Request.ServerVariables("HTTP_REFERER") <> "http://www.somesite.com/page.aspx" Then
            'redirect to error page
            Response.Redirect("error.html")
        Else
            'allow page to process
        End If
End Sub  


Reposted from:
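
The Referer header tested in the accepted answer, like the hidden field testcn=checado, is sent by the browser, so neither value shows that a request really passed through lector.asp. As an added example (not code from this thread), here is a variant of lector2.asp that authorises from session state and reads the file from disk; the session key curso_ok, set by lector.asp after its own check, and the folder D:\cursos_privados\ are assumptions.

```asp
<%
' lector2.asp, hardened variant (added example, not the asker's code).
' Assumption: lector.asp runs  Session("curso_ok") = testcourse  after it
' has accepted the user, instead of posting testcn=checado to this page.
Response.Buffer = True

' Hypothetical folder outside wwwroot, so no URL maps to the course files
Const BASE_DIR = "D:\cursos_privados\"

Dim testcourse, re, fso, ruta, stm

testcourse = Request.Form("testcourse")

' 1. Accept only a plain folder name: no slashes, dots or drive letters
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_-]{1,40}$"
If Not re.Test(testcourse) Then
    Response.Redirect "error.html"
End If

' 2. Authorise from server-side state, not from a value the browser sends.
'    An unset session value is Empty and never equals a valid course name.
If Session("curso_ok") <> testcourse Then
    Response.Redirect "error.html"
End If

' 3. Read the launcher from disk instead of requesting it over HTTP
ruta = BASE_DIR & testcourse & "\runfile.html"
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(ruta) Then
    Response.Redirect "error.html"
End If
Set fso = Nothing

Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = 1                 ' 1 = adTypeBinary
stm.Open
stm.LoadFromFile ruta

Response.ContentType = "text/html"
Response.BinaryWrite stm.Read
stm.Close
Set stm = Nothing
%>
```

If the course folders have to stay under wwwroot, direct requests to /proteccion/ also need to be denied in IIS itself (for example with Request Filtering), because the script only controls requests that go through it.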

Author Closing Comment

ID: 38886288
It is working, thank you for the link.
