How to prevent direct browsing to a .asmx page?

Bill Davidson

All:

Pardon the newbie question, but let's say I've got two pages in my website:

Welcome.aspx
NoNav.aspx

I want users to be able to navigate to the welcome.aspx page (e.g.
http://myserver.com/Welcome.aspx), but I don't want them to be able to
navigate directly to NoNav.aspx. The NoNav.aspx page will be loaded only by
a menu selection in Welcome.aspx.

How do I disable direct navigation to NoNav.aspx in this example?

Thanks,
Bill
 
Rob MacFadyen

Bill,

You could check the referrer using Request.UrlReferrer... which generally is
the page the user was looking at previous to the current request.

BUT... do not depend upon this... especially not for anything to do with
security (eg. no one can get to NoNav.aspx unless they come through
Welcome.aspx... so therefore I don't need to check security.... no no no
no). It's very easy to fake the UrlReferrer. Also the referrer is an
optional field... and some requests just may not include it.

You could also use a cookie... though you'd have to set the cookie on
Welcome.aspx, clear the cookie on every other page. Seems like a lot of
work. Again... you can depend upon this.

Depending on what you're doing on the Welcome.aspx page you could have it
post back to NoNav.aspx. Have NoNav.aspx check if Page.PreviousPage is null
or not, and if not null, whether it was Welcome.aspx.

This one you might be ok depending on... if you protect the viewstate
(encrypting and mac address stuff).

All in all seems like any of the above are really fragile solutions and
generally hackish (gah! they are awful!!!!). You may want to redesign your
user interaction... what are you actually doing and why?

Regards,

Rob MacFadyen
 
Walter Wang [MSFT]

Hi Bill,

Besides Rob's input, you may also use a session state to indicate whether
or not it's navigated from Welcome.aspx:

    protected void Menu1_MenuItemClick(object sender, MenuEventArgs e)
    {
        if (Menu1.SelectedValue == "New Item2")
        {
            // Mark this session as having come through the Welcome.aspx menu.
            Session["secretkey"] = true;
            Response.Redirect("NoNav.aspx");
        }
    }

In NoNav.aspx:

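    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // The flag exists only if Welcome.aspx set it for this session.
            if (Session["secretkey"] == null)
            {
                throw new Exception("You are not allowed to view this page directly.");
            }
            else
            {
                // One-time use: a later direct request is rejected again.
                Session.Remove("secretkey");
            }
        }
    }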

I hope this helps. Please feel free to post here if anything is unclear.

Sincerely,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

 
Bart Van Hemelen

Bill said:
Pardon the newbie question, but let's say I've got two pages in my website:

Welcome.aspx
NoNav.aspx

I want users to be able to navigate to the welcome.aspx page (e.g.
http://myserver.com/Welcome.aspx), but I don't want them to be able to
navigate directly to NoNav.aspx. The NoNav.aspx page will be loaded only by
a menu selection in Welcome.aspx.

How do I disable direct navigation to NoNav.aspx in this example?

Set cookie (or session) in Welcome.aspx. Check in NoNav.aspx if
cookie/session is present. If not, redirect to Welcome.aspx.
 
Damien

Bill said:
All:

Pardon the newbie question, but let's say I've got two pages in my website:

Welcome.aspx
NoNav.aspx

I want users to be able to navigate to the welcome.aspx page (e.g.
http://myserver.com/Welcome.aspx), but I don't want them to be able to
navigate directly to NoNav.aspx. The NoNav.aspx page will be loaded only by
a menu selection in Welcome.aspx.

How do I disable direct navigation to NoNav.aspx in this example?

Thanks,
Bill

For some of our sites, we got downright paranoid about navigation. What
we do is, during page load, we call a function called CanNavigate(),
passing it the name of the current page. The CanNavigate function has
an array of valid from/to pairs. If the page passed in, and the
previous page, are a matching pair, we let the navigation happen, and
store the page passed in into a session variable (so that we can use
that as the previous page the next time the function is called).

We use the session so that this data stays in server land and cannot be
tampered with by an attacker. Other notes:

Navigating to the same page as the previous page is always allowed
(this allows postbacks to occur).

The From/To pairs are checked in both directions. This allows the back
button to be used (provided it causes a page request to occur).

If the known previous page doesn't match the referer header (as passed
to us by the user agent), we traverse the from/to pairs backwards, to
see if the user has pressed the back button and it hasn't caused a
postback. We can do this because our navigation hierarchy is treelike
(no "to" page can be reached from multiple "from" pages, except where
one "from" page is in the path of the other).

If we cannot match the referer header either to the known previous
page, nor to any parent of that page, we conclude that the navigation
is illegal.

From all of the above, we're reasonably sure that the users are
following the navigation hierarchy we have determined. And if we cannot
match based on that data, we record the data with as much detail as
possible (for later analysis), and redirect to the root page.

I know for a fact that we do get some false negatives with this system
(where it decides the navigation is illegal even though it should have
been fine). If your projected user base can tolerate this, then it's
usable. Never really gotten to the bottom of this though (I think it
may be when the referer is unexpected)

Damien
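
The CanNavigate() check described in the post above, written out as an added example (not Damien's code). The page tree, the `NavigationGuard` class, the `PreviousPage` session key and the dictionary standing in for `Session` are assumptions, as are letting a new session enter only at the root and relying on the session alone when no Referer header is sent.

```csharp
using System;
using System.Collections.Generic;

public static class NavigationGuard
{
    const string Root = "Welcome.aspx", Key = "PreviousPage"; // hypothetical names
    // Constructed sample tree: each "to" page maps to its single "from" page.
    static readonly Dictionary<string, string> ParentOf =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        { { "NoNav.aspx", "Welcome.aspx" }, { "Detail.aspx", "NoNav.aspx" } };

    static bool Eq(string a, string b) => string.Equals(a, b, StringComparison.OrdinalIgnoreCase);

    // Same page (postback), or a from/to pair taken in either direction.
    static bool IsPair(string a, string b) =>
        Eq(a, b)
        || (ParentOf.TryGetValue(b, out var pb) && Eq(pb, a))
        || (ParentOf.TryGetValue(a, out var pa) && Eq(pa, b));

    // session stands in for the ASP.NET Session object; referer is the page
    // name taken from the client-supplied Referer header, or null if absent.
    public static bool CanNavigate(IDictionary<string, object> session,
                                   string current, string referer)
    {
        string previous = session.TryGetValue(Key, out var v) ? (string)v : null;
        bool ok;
        if (previous == null)
            ok = Eq(current, Root);        // assumption: new sessions enter at the root
        else
        {
            // The Referer can only move us up to an ancestor of the server-side
            // previous page (back button served from cache); it grants nothing else.
            string from = previous;
            while (referer != null && !Eq(from, referer)
                   && ParentOf.TryGetValue(from, out var parent))
                from = parent;
            ok = (referer == null || Eq(from, referer)) && IsPair(from, current);
        }
        if (ok) session[Key] = current;    // remembered server-side for the next call
        else session.Remove(Key);          // caller logs the details, then redirects to the root
        return ok;
    }

    public static void Main()
    {
        var s = new Dictionary<string, object>();
        Console.WriteLine(CanNavigate(s, "NoNav.aspx", "Welcome.aspx")); // direct request, forged Referer
        Console.WriteLine(CanNavigate(s, "Welcome.aspx", null));         // entry at the root
        Console.WriteLine(CanNavigate(s, "NoNav.aspx", "Welcome.aspx")); // menu click from Welcome.aspx
    }
}
```

Because the decision starts from the session-stored page, a forged Referer on its own cannot open NoNav.aspx; the header is only consulted to reconcile back-button moves within the tree.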
 
Bill Davidson

Great responses; thanks to all four of you. I can see from the different
approaches that website navigation control is a non-trivial issue that can
get pretty involved especially on complex sites.

I do believe I have enough information to get me started.

Thanks Again !!!

Bill
 
