5,699,997 members and growing! (24,823 online)
Email Password   helpLost your password?
Web Development » ASP.NET » General     Intermediate

Using ASP.NET HttpModules to restrict access by IP address

By Chris Fulstow

Demonstrates how to restrict access to your ASP.NET website by IP address, using an HttpModule. 		C# 2.0, C#, Windows, .NET, .NET 2.0, ASP.NET, VS2005, Visual Studio, Dev

Posted: 14 Nov 2006
Updated: 14 Nov 2006
Views: 22,656
Bookmarked: 31 times
Announcements
Comp Mobile Developer Contest
Comp Monthly Competition
Loading...
Chapters
Desktop Development
Web Development
Enterprise Systems
Multimedia
Database
Platforms, Frameworks & Libraries
Languages
General Programming
Graphics / Design
Development Lifecycle
General Reading
Third Party Products

Services
Job Board
Code Project Coffee
Free Magazines

Feature Zones
Product Showcase
IBM DeveloperWorks
WhitePapers / Webcasts
InstallShield 2009
Apress Bookstore
Search    
Advanced Search
Sitemap
print Print   Broken Article? Report Article       Discuss Discuss   Recommend Article Send to a friend
10 votes for this Article.
Popularity: 4.45 Rating: 4.45 out of 5
0 votes, 0.0%
1		 0 votes, 0.0%
2		 1 vote, 10.0%
3		 1 vote, 10.0%
4		 8 votes, 80.0%
5
Note: This is an unedited contribution. If this article is inappropriate, needs attention or copies someone else's work without reference then please Report This Article

Introduction

This short article demonstrates how to use an ASP.NET HTTP Module to restrict access to your ASP.NET website based on a user's IP address.  As you probably know, it's also possible to do this by configuring IIS, as explained in this Microsoft Knowledge Base article:

HOW TO: Restrict Site Access by IP Address or Domain Name

However, if IIS security doesn't give you enough control and flexibility, then you can build your own custom authorisation using an HTTP Module, for example if you need to look up permitted IP addresses in a database.

What are HTTP Modules?

An HTTP Module lets you add code that will be run every time a page is requested, so it's a great solution for adding custom security checks.

Rather than explain HTTP Modules in detail, I'll point you in the direction of these two MSDN articles for more in-depth information:

Building the HTTP Module

The code for the HttpModule class is pretty straightforward, it just a standard .NET class that implements the IHttpModule interface.  In this example, an IsValidIpAddress method checks whether the user is connecting from localhost, but this can be modified to suit your own needs.

If the connecting user's IP address isn't valid then the page will return the HTTP 403 code, indicating to the browser that access to the page is forbidden.

Here the complete HTTP Module code:

/// <summary>

/// HTTP module to restrict access by IP address

/// </summary>

public class SecurityHttpModule : IHttpModule
{
 public SecurityHttpModule() { }

    public void Init(HttpApplication context)
    {
        context.BeginRequest += new EventHandler(Application_BeginRequest);
    }

    private void Application_BeginRequest(object source, EventArgs e)
    {
        HttpContext context = ((HttpApplication)source).Context;
        string ipAddress = context.Request.UserHostAddress;
        if (!IsValidIpAddress(ipAddress))
        {
            context.Response.StatusCode = 403;  // (Forbidden)

        }
    }

    private bool IsValidIpAddress(string ipAddress)
    {
        return (ipAddress == "127.0.0.1");
    }

    public void Dispose() { /* clean up */ }
}

Registering the HTTP Module

Once the HttpModule class is built you need to register it in the httpModules section of your web.config file, like this:

<configuration>
    <system.web>
        <httpModules>
            <add name="SecurityHttpModule" type="SecurityHttpModule"/>
        </httpModules>
    </system.web>
</configuration>

This adds the module to the ASP.NET request pipeline for your web application.

Conclusion

That's all there is to it.  There are plenty of other uses for HTTP Modules, such as:

  • Adding custom headers and footers to content
  • Logging and collecting statistics
  • Custom caching mechanisms
  • User authentication

Experiment and have fun!

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

Chris Fulstow


 Chris is a software developer and Microsoft Certified Technology Specialist with over 9 years' commercial experience producing web-based solutions in a wide range of environments. For the past 6 years he has focused on Microsoft technologies, delivering to major clients in both the public and private sectors.

http://chrisfulstow.blogspot.com/
Occupation: Web Developer
Location: United Kingdom United Kingdom

Other popular ASP.NET articles:
Article Top
Sign Up to vote for this article
You must Sign In to use this message board.
FAQ FAQ Noise ToleranceSearch Search Messages 
 Layout  Per page   
 Msgs 1 to 2 of 2 (Total in Forum: 2) (Refresh)FirstPrevNext
Generalgood workmemberMinhajkk2:57 15 Nov '06  
GeneralRe: good workmembernoemailz4:07 15 Nov '06  
Last Visit: Wednesday, December 3, 2008 9:10 PM     Last Update:Wednesday, December 3, 2008 9:10 PM

General General    News News    Question Question    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

PermaLink | Privacy | Terms of Use
Last Updated: 14 Nov 2006
Editor:
Copyright 2006 by Chris Fulstow
Everything else Copyright © CodeProject, 1999-2008
Web13 | Advertise on the Code Project