How to prevent direct browsing to a .asmx page?

Discussion in 'ASP .Net' started by Bill Davidson, Sep 12, 2006.

  1. All:

    Pardon the newbie question, but let's say I've got two pages in my website:

    Welcome.aspx
    NoNav.aspx

    I want users to be able to navigate to the welcome.aspx page (e.g.
    http://myserver.com/Welcome.aspx), but I don't want them to be able to
    navigate directly to NoNav.aspx. The NoNav.aspx page will be loaded only by
    a menu selection in Welcome.aspx.

    How do I disable direct navigation to NoNav.aspx in this example?

    Thanks,
    Bill
    Bill Davidson, Sep 12, 2006
    #1

  2. Bill,

    You could check the referrer using Request.UrlReferrer... which generally is
    the page the user was looking at previous to the current request.

    BUT... do not depend upon this... especially not for anything to do with
    security (eg. no one can get to NoNav.aspx unless they come through
    Welcome.aspx... so therefore I don't need to check security.... no no no
    no). It's very easy to fake the UrlReferrer. Also the referrer is an
    optional field... and some requests just may not include it.

    You could also use a cookie... though you'd have to set the cookie on
    Welcome.aspx, clear the cookie on every other page. Seems like a lot of
    work. Again... you can depend upon this.

    Depending on what you're doing on the Welcome.aspx page you could have it
    post back to NoNav.aspx. Have nonav.aspx check if page.previouspage is null
    or not, and if not null if it was Welcome.aspx.

    This one you might be ok depending on... if you protect the viewstate
    (encrypting and mac address stuff).

    All in all seems like any of the above are really fragile solutions and
    generally hackish (gah! they are awful!!!!). You may want to redesign your
    user interaction... what are you actually doing and why?

    Regards,

    Rob MacFadyen


    "Bill Davidson" <> wrote in message
    news:...
    > All:
    >
    > Pardon the newbie question, but let's say I've got two pages in my
    > website:
    >
    > Welcome.aspx
    > NoNav.aspx
    >
    > I want users to be able to navigate to the welcome.aspx page (e.g.
    > http://myserver.com/Welcome.aspx), but I don't want them to be able to
    > navigate directly to NoNav.aspx. The NoNav.aspx page will be loaded only
    > by a menu selection in Welcome.aspx.
    >
    > How do I disable direct navigation to NoNav.aspx in this example?
    >
    > Thanks,
    > Bill
    >
    Rob MacFadyen, Sep 12, 2006
    #2

  3. Hi Bill,

    Besides Rob's input, you may also use a session state to indicate whether
    or not it's navigated from Welcome.aspx:

    protected void Menu1_MenuItemClick(object sender, MenuEventArgs e)
    {
        if (Menu1.SelectedValue == "New Item2")
        {
            // Server-side flag: the menu item on Welcome.aspx was selected
            Session["secretkey"] = true;
            Response.Redirect("NoNav.aspx");
        }
    }

    In NoNav.aspx:

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            if (Session["secretkey"] == null)
            {
                throw new Exception("You are not allowed to view this page directly.");
            }
            else
            {
                // One-time flag: clear it so a later direct request is rejected
                Session.Remove("secretkey");
            }
        }
    }

    I hope this helps. Please feel free to post here if anything is unclear.

    Sincerely,
    Walter Wang (, remove 'online.')
    Microsoft Online Community Support

    Walter Wang [MSFT], Sep 12, 2006
    #3
  4. Bill Davidson wrote:
    > Pardon the newbie question, but let's say I've got two pages in my website:
    >
    > Welcome.aspx
    > NoNav.aspx
    >
    > I want users to be able to navigate to the welcome.aspx page (e.g.
    > http://myserver.com/Welcome.aspx), but I don't want them to be able to
    > navigate directly to NoNav.aspx. The NoNav.aspx page will be loaded only by
    > a menu selection in Welcome.aspx.
    >
    > How do I disable direct navigation to NoNav.aspx in this example?


    Set cookie (or session) in Welcome.aspx. Check in NoNav.aspx if
    cookie/session is present. If not, redirect to Welcome.aspx.

    --
    BVH
    Bart Van Hemelen, Sep 12, 2006
    #4
  5. Bill Davidson wrote:
    > All:
    >
    > Pardon the newbie question, but let's say I've got two pages in my website:
    >
    > Welcome.aspx
    > NoNav.aspx
    >
    > I want users to be able to navigate to the welcome.aspx page (e.g.
    > http://myserver.com/Welcome.aspx), but I don't want them to be able to
    > navigate directly to NoNav.aspx. The NoNav.aspx page will be loaded only by
    > a menu selection in Welcome.aspx.
    >
    > How do I disable direct navigation to NoNav.aspx in this example?
    >
    > Thanks,
    > Bill


    For some of our sites, we got downright paranoid about navigation. What
    we do is, during page load, we call a function called CanNavigate(),
    passing it the name of the current page. The CanNavigate function has
    an array of valid from/to pairs. If the page passed in, and the
    previous page, are a matching pair, we let the navigation happen, and
    store the page passed in into a session variable (so that we can use
    that as the previous page the next time the function is called).

    We use the session so that this data stays in server land and cannot be
    tampered with by an attacker. Other notes:

    Navigating to the same page as the previous page is always allowed
    (this allows postbacks to occur).

    The From/To pairs are checked in both directions. This allows the back
    button to be used (provided it causes a page request to occur).

    If the known previous page doesn't match the referer header (as passed
    to us by the user agent), we traverse the from/to pairs backwards, to
    see if the user has pressed the back button and it hasn't caused a
    postback. We can do this because our navigation hierarchy is treelike
    (no "to" page can be reached from multiple "from" pages, except where
    one "from" page is in the path of the other).

    If we cannot match the referer header either to the known previous
    page, nor to any parent of that page, we conclude that the navigation
    is illegal.

    From all of the above, we're reasonably sure that the users are
    following the navigation hierarchy we have determined. And if we cannot
    match based on that data, we record the data with as much detail as
    possible (for later analysis), and redirect to the root page.

    I know for a fact that we do get some false negatives with this system
    (where it decides the navigation is illegal even though it should have
    been fine). If your projected user base can tolerate this, then it's
    usable. Never really gotten to the bottom of this though (I think it
    may be when the referer is unexpected)

    Damien
    Damien, Sep 12, 2006
    #5
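
A sketch of the from/to pair check described in post #5, added here as an illustration; it is not Damien's code or anything posted in the thread. The class name, the `CanNavigate` signature, the pages `Detail.aspx` and `Help.aspx`, the dictionary standing in for `Session`, and the rule that a new session may only start at `Welcome.aspx` are all assumptions.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical sketch: server-side navigation check over a tree of pages.
public static class NavigationGuard
{
    private const string Key = "PreviousPage";   // session slot (assumed name)
    private const string Root = "Welcome.aspx";

    // Tree-like hierarchy: each "to" page maps to its single "from" page.
    private static readonly Dictionary<string, string> Parent =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "NoNav.aspx", "Welcome.aspx" },
            { "Detail.aspx", "NoNav.aspx" },     // constructed sample page
            { "Help.aspx", "Welcome.aspx" }      // constructed sample page
        };

    private static bool Same(string a, string b)
    {
        return string.Equals(a, b, StringComparison.OrdinalIgnoreCase);
    }

    // Pairs are valid in both directions so the back button keeps working.
    private static bool IsPair(string a, string b)
    {
        string p;
        return (Parent.TryGetValue(b, out p) && Same(p, a))
            || (Parent.TryGetValue(a, out p) && Same(p, b));
    }

    // session stands in for HttpSessionState; refererPage may be null.
    public static bool CanNavigate(IDictionary<string, object> session,
                                   string page, string refererPage)
    {
        object stored;
        string previous = session.TryGetValue(Key, out stored) ? (string)stored : null;
        // Same page (postback) or a valid pair; a new session must start at Root.
        bool ok = previous == null ? Same(page, Root)
                                   : Same(page, previous) || IsPair(previous, page);
        // Back button served from cache: the referer is accepted only if it names
        // an ancestor of the server-known previous page, never on its own.
        string node = previous, up;
        while (!ok && refererPage != null && node != null && Parent.TryGetValue(node, out up))
        {
            node = up;
            ok = Same(node, refererPage) && (Same(page, node) || IsPair(node, page));
        }
        if (ok) session[Key] = page;             // state stays on the server
        return ok;
    }
}
```

When `CanNavigate` returns false, the caller would log the request details and redirect to the root page, as the post describes.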
  6. Great responses; thanks to all four of you. I can see from the different
    approaches that website navigation control is a non-trivial issue that can
    get pretty involved especially on complex sites.

    I do believe I have enough information to get me started.

    Thanks Again !!!

    Bill

    "Bill Davidson" <> wrote in message
    news:...
    > All:
    >
    > Pardon the newbie question, but let's say I've got two pages in my
    > website:
    >
    > Welcome.aspx
    > NoNav.aspx
    >
    > I want users to be able to navigate to the welcome.aspx page (e.g.
    > http://myserver.com/Welcome.aspx), but I don't want them to be able to
    > navigate directly to NoNav.aspx. The NoNav.aspx page will be loaded only
    > by a menu selection in Welcome.aspx.
    >
    > How do I disable direct navigation to NoNav.aspx in this example?
    >
    > Thanks,
    > Bill
    >
    Bill Davidson, Sep 12, 2006
    #6
