
How to prevent the user from changing the file name in the URL?

For example,

User user shall be access only (by default).
But he should not access other pages which are not authorized pages.

How to restrict this in an aspx page?

What I have tried:

User user shall be access only (by default).
Updated 1-Jul-16 2:02am

Solution 1

The whole idea is wrong. Security is not done by preventing the user from changing any URL. It's not under your control; the user, by definition, can enter any thinkable URL and send any HTTP request with that URL, even a request which cannot be sent based on any of your pages — and you should always assume that any HTTP request is possible, without any limitations.

The security starts when your code behind (in your case, ASP.NET code) handles an HTTP request. Then you have to detect that the user is not authenticated and generate appropriate page content, for example, the page redirecting to your Login page. This is just one of the fundamentals of authentication. If the user is authenticated, the content of other pages may depend on the user's record.

You can start here: ASP.NET Authentication.
See also: HttpRequest.IsAuthenticated Property (System.Web).

gani7787 29-Jun-16 5:51am
Thanks for your reply.

I am using a sitemap path menu, and this will be enabled based on the roles.

I have mentioned my role, which is defined in web.config, below.

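<location path="Searchpage.aspx">
  <system.web><authorization>
    <allow roles="ADM" />
    <deny users="*" />
  </authorization></system.web>
</location>

<location path="user1.aspx">
  <system.web><authorization>
    <allow roles="ADM,USER1" />
    <deny users="*" />
  </authorization></system.web>
</location>

<location path="Home.aspx">
  <system.web><authorization>
    <allow roles="ADM,USER1,USER2" />
    <deny users="*" />
  </authorization></system.web>
</location>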

Role "ADM" is able to access all the pages.

Role "User1" is able to access only "user1.aspx" and "Home.aspx".

Role "User2" is able to access only "Home.aspx".

Like the above, I want to allow/deny pages based on the roles.
Then do exactly that. Will you accept my answer formally? Do you have any further questions?

Again, you do not allow or deny pages; you just present different page content in response to different requests from different users. It's better not to even show anything like "access denied", even if it is denied, but to show something useful, or redirect.


Solution 2

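Imports System.Security.Principal
' Accesstype: variable naming the session entry that holds the user's role array
Dim roles As String() = TryCast(Session(Accesstype), String())
If roles Is Nothing Then roles = New String() {}   ' nothing stored in session: no roles
HttpContext.Current.User = New GenericPrincipal(HttpContext.Current.User.Identity, roles)
If Not Me.Page.User.IsInRole("ADM") Then
    ' User is not in role ADM: redirect or render other content here
End If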
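
The role rules from the comment under Solution 1, evaluated top-down with the first matching rule deciding, which is how ASP.NET URL authorization applies allow/deny entries on every request. This is an added example, not part of the original thread and not ASP.NET's own code. The Rule structure, IsAuthorized, RulesFor and the sample identity are hypothetical names constructed for illustration, and denying a page that has no location entry is an assumption of this model.

```vb
Imports System
Imports System.Security.Principal

Module UrlAuthorizationDemo

    ' One web.config rule: <allow roles="..."/> or <deny users="*"/>.
    Structure Rule
        Public Allow As Boolean
        Public Roles As String      ' comma-separated role list, or "*" for every user
        Public Sub New(isAllow As Boolean, roleList As String)
            Allow = isAllow
            Roles = roleList
        End Sub
    End Structure

    ' Top-down evaluation: the first rule that matches the user decides.
    Function IsAuthorized(user As IPrincipal, rules As Rule()) As Boolean
        For Each r As Rule In rules
            If r.Roles = "*" Then Return r.Allow
            For Each role As String In r.Roles.Split(","c)
                If user.IsInRole(role.Trim()) Then Return r.Allow
            Next
        Next
        Return False   ' no rule matched: this model denies (assumption)
    End Function

    ' Rules copied from the web.config posted in the comment above.
    Function RulesFor(page As String) As Rule()
        Dim deny As New Rule(False, "*")
        Select Case page.ToLowerInvariant()
            Case "searchpage.aspx" : Return {New Rule(True, "ADM"), deny}
            Case "user1.aspx" : Return {New Rule(True, "ADM,USER1"), deny}
            Case "home.aspx" : Return {New Rule(True, "ADM,USER1,USER2"), deny}
        End Select
        Return {deny}   ' page with no <location> entry: denied in this model (assumption)
    End Function

    Sub Main()
        Dim id As New GenericIdentity("sample-user")   ' constructed identity
        Dim pages = {"Searchpage.aspx", "user1.aspx", "Home.aspx"}
        For Each role As String In {"ADM", "USER1", "USER2"}
            Dim user As New GenericPrincipal(id, New String() {role})
            For Each page As String In pages
                Console.WriteLine("{0,-6}{1,-16}{2}", role, page,
                                  If(IsAuthorized(user, RulesFor(page)), "allow", "deny"))
            Next
        Next
        ' Same two rules in the wrong order: deny users="*" matches first, so even ADM is refused.
        Dim reversed = {New Rule(False, "*"), New Rule(True, "ADM")}
        Dim adm As New GenericPrincipal(id, New String() {"ADM"})
        Console.WriteLine("reversed order, ADM: " & If(IsAuthorized(adm, reversed), "allow", "deny"))
    End Sub
End Module
```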

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
