Hi,

How to prevent the user from changing the file name in the URL?

For example,

User user shall access only http://10.120.10.67/Login.aspx (by default).
But he should not access any other page that is not an authorized page.

How to restrict this in an aspx page?

What I have tried:

User user shall access only http://10.120.10.67/Login.aspx (by default).
Posted
Updated 1-Jul-16 2:02am

The whole idea is wrong. Security is not done by preventing the user from changing any URL. It's not under your control; the user, by definition, can enter any thinkable URL and send any HTTP request with that URL, even a request which cannot be sent based on any of your pages — and you should always assume that any HTTP request is possible, without any limitations.

The security starts when your code behind (in your case, ASP.NET code) handles an HTTP request. Then you have to detect that the user is not authenticated and generate appropriate page content, for example, the page redirecting to your Login page. This is just one of the fundamentals of authentication. If the user is authenticated, the content of other pages may depend on the user's record.

You can start here: ASP.NET Authentication.
See also: HttpRequest.IsAuthenticated Property (System.Web).

—SA
 
Comments
gani7787 29-Jun-16 5:51am    
Thanks for your reply.

I am using a sitemap path menu, and this will be enabled based on the roles.

I have listed my roles, which are defined in web.config, below.


<location path="Searchpage.aspx">
  <system.web>
    <authorization>
      <allow roles="ADM" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<location path="user1.aspx">
  <system.web>
    <authorization>
      <allow roles="ADM,USER1" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<location path="Home.aspx">
  <system.web>
    <authorization>
      <allow roles="ADM,USER1,USER2" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

Role "ADM" can access all the pages.

Role "User1" can access only "user1.aspx" and "Home.aspx".

Role "User2" can access only "Home.aspx".

Like the above, I want to allow/deny pages based on the roles.
Sergey Alexandrovich Kryukov 29-Jun-16 9:05am    
Then do exactly that. Will you accept my answer formally? Do you have any further questions?

Again, you do not allow or deny pages; you just present different page content in response to different requests from different users. It's better not to even show anything like "access denied", even if it is denied, but show something useful, or redirect.

—SA
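' Requires: Imports System.Security.Principal
' Roles are read from session state under the Accesstype key.
Dim roles As String() = DirectCast(Session(Accesstype), String())
HttpContext.Current.User = New GenericPrincipal(HttpContext.Current.User.Identity, roles)
' Send anyone without the ADM role away from this page.
If Not Me.Page.User.IsInRole("ADM") Then
    Response.Redirect("UnAuthorizedAccess.aspx")
End If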
 
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


