How to prevent direct browsing to a .asmx page?

All:

Pardon the newbie question, but let's say I've got two pages in my website:

Welcome.aspx
NoNav.aspx

I want users to be able to navigate to the welcome.aspx page (e.g.
http://myserver.com/Welcome.aspx), but I don't want them to be able to
navigate directly to NoNav.aspx. The NoNav.aspx page will be loaded only by
a menu selection in Welcome.aspx.

How do I disable direct navigation to NoNav.aspx in this example?

Thanks,
Bill
Sep 11 '06 #1
Bill,

You could check the referrer using Request.UrlReferrer... which generally is
the page the user was looking at previous to the current request.

BUT... do not depend upon this... especially not for anything to do with
security (eg. no one can get to NoNav.aspx unless they come through
Welcome.aspx... so therefore I don't need to check security.... no no no
no). It's very easy to fake the UrlReferrer. Also the referrer is an
optional field... and some requests just may not include it.

You could also use a cookie... though you'd have to set the cookie on
Welcome.aspx, clear the cookie on every other page. Seems like a lot of
work. Again... you can depend upon this.

Depending on what you're doing on the Welcome.aspx page you could have it
post back to NoNav.aspx. Have nonav.aspx check if page.previouspage is null
or not, and if not null if it was Welcome.aspx.

This one you might be ok depending on... if you protect the viewstate
(encrypting and mac address stuff).

All in all seems like any of the above are really fragile solutions and
generally hackish (gah! they are awful!!!!). You may want to redesign your
user interaction... what are you actually doing and why?

Regards,

Rob MacFadyen
Sep 12 '06 #2
Hi Bill,

Besides Rob's input, you may also use a session state to indicate whether
or not it's navigated from Welcome.aspx:

    protected void Menu1_MenuItemClick(object sender, MenuEventArgs e)
    {
        if (Menu1.SelectedValue == "New Item2")
        {
            // Mark this session as having come through the menu, then navigate.
            Session["secretkey"] = true;
            Response.Redirect("NoNav.aspx");
        }
    }

In NoNav.aspx:

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            if (Session["secretkey"] == null)
            {
                // No marker in the session: the page was requested directly.
                throw new Exception("You are not allowed to view this page directly.");
            }
            else
            {
                // Single use: the next direct request will be refused.
                Session.Remove("secretkey");
            }
        }
    }

I hope this helps. Please feel free to post here if anything is unclear.

Sincerely,
Walter Wang (wa****@online.microsoft.com, remove 'online.')
Microsoft Online Community Support


Sep 12 '06 #3

Set cookie (or session) in Welcome.aspx. Check in NoNav.aspx if
cookie/session is present. If not, redirect to Welcome.aspx.

--
BVH

Sep 12 '06 #4
For some of our sites, we got downright paranoid about navigation. What
we do is, during page load, we call a function called CanNavigate(),
passing it the name of the current page. The CanNavigate function has
an array of valid from/to pairs. If the page passed in, and the
previous page, are a matching pair, we let the navigation happen, and
store the page passed in into a session variable (so that we can use
that as the previous page the next time the function is called).

We use the session so that this data stays in server land and cannot be
tampered with by an attacker. Other notes:

Navigating to the same page as the previous page is always allowed
(this allows postbacks to occur).

The From/To pairs are checked in both directions. This allows the back
button to be used (provided it causes a page request to occur).

If the known previous page doesn't match the referer header (as passed
to us by the user agent), we traverse the from/to pairs backwards, to
see if the user has pressed the back button and it hasn't caused a
postback. We can do this because our navigation hierarchy is treelike
(no "to" page can be reached from multiple "from" pages, except where
one "from" page is in the path of the other).

If we cannot match the referer header either to the known previous
page, nor to any parent of that page, we conclude that the navigation
is illegal.
From all of the above, we're reasonably sure that the users are
following the navigation hierarchy we have determined. And if we cannot
match based on that data, we record the data with as much detail as
possible (for later analysis), and redirect to the root page.

I know for a fact that we do get some false negatives with this system
(where it decides the navigation is illegal even though it should have
been fine). If your projected user base can tolerate this, then it's
usable. Never really gotten to the bottom of this though (I think it
may be when the referer is unexpected)

Damien

Sep 12 '06 #5
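
A reduced sketch of the session-backed from/to-pair check described in post #5, added here as an example and not code from the thread. The names NavigationGuard, PreviousPageKey and RootPage, the pair table, and the rule that the root page is always reachable are assumptions; a dictionary stands in for the ASP.NET Session object, and the referer-based back-button traversal is left out.

```csharp
using System;
using System.Collections.Generic;

// Added illustration; NavigationGuard and every name in it are hypothetical.
public static class NavigationGuard
{
    private const string PreviousPageKey = "nav.previousPage"; // assumed session key
    private const string RootPage = "Welcome.aspx";            // assumed entry point

    // Constructed from/to pairs; a real site lists its own hierarchy here.
    private static readonly string[][] AllowedPairs =
    {
        new[] { "Welcome.aspx", "NoNav.aspx" },
    };

    private static bool Same(string a, string b) =>
        string.Equals(a, b, StringComparison.OrdinalIgnoreCase);

    // Pairs are matched in both directions so the back button keeps working.
    private static bool IsPair(string x, string y)
    {
        foreach (string[] p in AllowedPairs)
            if ((Same(p[0], x) && Same(p[1], y)) || (Same(p[0], y) && Same(p[1], x)))
                return true;
        return false;
    }

    // 'session' stands in for the per-user, server-side ASP.NET Session object.
    public static bool CanNavigate(IDictionary<string, object> session, string currentPage)
    {
        session.TryGetValue(PreviousPageKey, out object stored);
        string previous = stored as string;

        bool allowed = Same(currentPage, RootPage)                 // root is always reachable
            || (previous != null && (Same(previous, currentPage)   // postback to the same page
                                     || IsPair(previous, currentPage)));
        if (allowed)
            session[PreviousPageKey] = currentPage; // becomes "previous" on the next request
        return allowed; // on false the caller records the request and redirects to the root page
    }

    public static void Main()
    {
        var session = new Dictionary<string, object>();
        // Constructed sequence: direct request, entry page, menu click, postback.
        foreach (string page in new[] { "NoNav.aspx", "Welcome.aspx", "NoNav.aspx", "NoNav.aspx" })
            Console.WriteLine($"{page}: {CanNavigate(session, page)}");
    }
}
```
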
Great responses; thanks to all four of you. I can see from the different
approaches that website navigation control is a non-trivial issue that can
get pretty involved especially on complex sites.

I do believe I have enough information to get me started.

Thanks Again !!!

Bill

Sep 12 '06 #6
