ASP IIS directory protect

I have these 2 files, the first called lector.asp:

<style type="text/css">
<!--
.Estilo1 {font-family: Arial, Helvetica, sans-serif}
-->
</style>
<span class="Estilo1">Selectcourse:</span><br />
<%
Response.Buffer= True

dim testcourse, testcn, archivo1

testcn=Request.QueryString("testcn")
testcourse=Request.QueryString("testcourse")


if testcn<>"checado" then response.redirect "error.html"


directorio_protegido= "C:\inetpub\wwwroot\proteccion\"


'response.redirect "lector2.asp?testcn=checado&testcourse="& testcourse& "/runfile.html"
%>

<body onLoad="javascript:document.SSLForm.submit();" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" rightmargin="0"> 

<form name="SSLForm" method="POST" action="lector2.asp">
    
<input type="hidden" name="testcn" value="checado">
     
<input type="hidden" name="testcourse" value="<%= Server.HTMLEncode(testcourse) %>">



</form>  

</body>


The second, called lector2.asp:

<%
Response.Buffer= True

dim testcourse, testcn, archivo1

testcn=Request.Form("testcn")
testcourse=Request.Form("testcourse") & "/runfile.html"


if testcn<>"checado" then response.redirect "error.html"

 

url_protegido = "http://" & Request.ServerVariables("HTTP_HOST") & "/proteccion/" & testcourse







Dim xml, bData, strWmaUrl, rhead1, rhead2


Set xml = Server.CreateObject("MSXML2.ServerXMLHTTP")
xml.Open "GET", url_protegido, False
xml.Send()

bData = xml.ResponseBody
rhead1 = xml.getResponseHeader("Content-Length")
rhead2 = xml.getResponseHeader("Accept-Ranges")
Set xml = Nothing


termina = LCASE(right(url_protegido,3))



select case termina
       case "gif"
           Response.contentType ="image/gif"
       case "jpg"
           Response.contentType ="image/jpeg"
       case "peg"
           Response.contentType ="image/jpeg"
       case "png"
           Response.contentType ="image/png"
       case "bmp"
           Response.contentType ="image/bmp"
       case "xls"
           Response.contentType ="application/x-excel"
       case "ptx"
           Response.contentType ="application/ms-powerpoint"
       case "zip"
           Response.contentType ="application/zip"
       case "php"
           Response.contentType ="application/x-httpd-php"

       case "pdf"
          Response.AddHeader "Content-Disposition", "attachment;filename="&  Day(Date) & "-" & Month(date) & "-" & Year(Date) & ".pdf"
           Response.contentType ="application/pdf"

       case "tml"
           Response.contentType ="text/html"  
       case "htm"
           Response.contentType ="text/html"  
       case "doc"
           Response.contentType ="application/msword"
       case "ocx"
           Response.contentType ="application/msword"
       case "mp3"
           Response.contentType ="audio/mpeg"
           Response.AddHeader "Content-Disposition", "attachment;filename="&  Day(Date) & "-" & Month(date) & "-" & Year(Date) & ".mp3"
       case "wma"
           Response.contentType ="audio/x-ms-wma"
           Response.AddHeader "Content-Disposition", "attachment;filename="&  Day(Date) & "-" & Month(date) & "-" & Year(Date) & ".WMA"
       case else
           Response.contentType ="text/html; charset=iso-8859-1" 
End Select



Response.AddHeader "Content-Length", rhead1
Response.AddHeader "Accept-Ranges", rhead2


Response.BinaryWrite(bData)


%>



Then we can make many subdirs in the same route. For example, let's create a subdir course1 in the same route as those 2 files; inside that dir there will be an HTML page with the main launcher, called runfile.html.
Now you launch the first link like this, supposing we are on local (no problem with that, it just needs to be inside IIS):
http://127.0.0.1/proteccion/lector.asp?testcn=checado&testcourse=course1

Now, as you can see, the HTTP link has the same name in the variable testcourse as the dir we made. What the program does when we launch that link is go to the dir we made, course1, and run the file runfile.html. All OK, it is working perfectly, but I want to block access from this link, for example:

http://127.0.0.1/proteccion/course1/runfile.html

With this last link the user can do the same as with the first link: enter course1 and see the file runfile.html. I want to block access if the user enters via the second link; course1 and the file runfile.html must only be reachable through the first link, in other words:

http://127.0.0.1/proteccion/lector.asp?testcn=checado&testcourse=course1

This link should be the only way to get in and see that. How can I do that, to protect the script you see in the 2 files?

I don't know if we can do it via IIS or maybe a script. I hope someone can help, because the script is very important and we need to prevent users from seeing the content by launching it in other ways.
Thank you
0
coerrace
Asked:
1 Solution
 
becraig Commented:
I think I hear what you are trying to do here, so here is a suggestion:


1. you can do this via Javascript:
if (document.referrer != "") {
   var referringURL = document.referrer;
   var local = referringURL.substring(referringURL.indexOf("?"), referringURL.length);
   location.href = "http://page.com/login" + local; 
}



(problem here is the client needs to have JS enabled)

2. You can design your app in such a way as to have only one way to get to
http://127.0.0.1/proteccion/course1/runfile.html in each directory.
Simply have a landing page the user has to click from to get to runfile.htm and have your asp code check for http referrer -  if the referrer is the landing page then they can load the page, if it is not then redirect them to another page.
0
 
coerrace (Author) Commented:
In what part do I need to put your code?
Thank you
0
 
becraig Commented:
I found an asp solution for you:

Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        If Request.ServerVariables("HTTP_REFERER") <> "http://www.somesite.com/page.aspx" Then
            'redirect to error page
        Else
            'allow page to process
        End If
End Sub  



Reposted from:
http://forums.asp.net/t/1240920.aspx
0
 
coerrace (Author) Commented:
It is working, thank you for the link.
0
Question has a verified solution.
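
A server-side way to get the behaviour asked for in the question, as an added example that is not from the thread: a replacement body for lector2.asp that reads runfile.html from disk instead of fetching it over HTTP, so the course folders can sit outside the web root where no direct URL reaches them and nothing depends on the client-supplied Referer header. The folder C:\inetpub\cursos_privados\ and the allowed pattern for testcourse are assumptions; the testcn check is kept from the original script.

```asp
<%
Option Explicit
Response.Buffer = True

' Assumption: the course folders were moved here, outside C:\inetpub\wwwroot,
' so IIS never serves them directly.
Const BASE_DIR = "C:\inetpub\cursos_privados\"
Const adTypeBinary = 1

Dim testcn, testcourse, re, fso, ruta, stm

testcn = Request.Form("testcn")
testcourse = Request.Form("testcourse")

If testcn <> "checado" Then Response.Redirect "error.html"

' Accept only a plain folder name: no slashes, dots or drive letters,
' so the value cannot point outside BASE_DIR.
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_-]{1,64}$"
If Not re.Test(testcourse) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

ruta = BASE_DIR & testcourse & "\runfile.html"

' Unknown course names get a 404 instead of a stream error.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If Not fso.FileExists(ruta) Then
    Response.Status = "404 Not Found"
    Response.End
End If
Set fso = Nothing

' Read the file as bytes and send it to the browser.
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = adTypeBinary
stm.Open
stm.LoadFromFile ruta
Response.ContentType = "text/html"
Response.BinaryWrite stm.Read
stm.Close
Set stm = Nothing
%>
```

With the folders moved, http://127.0.0.1/proteccion/course1/runfile.html returns 404 because nothing exists at that path under wwwroot, while the lector.asp link keeps working.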
