ASP.Net Protecting My Page without Forms Authentication

Question

I have a web application which has Forms Authentication however one of the pages has to be accessed via a 3rd party application. This 3rd party app sends its request with querystring parameters and data is returned. This page has been setup so Forms Authentication does not apply to it.

I do not want this data available if someone finds the URL that the 3rd party app is using (and their is a high chance of this happening) and they put it in the browser.

How is this possible?

Answer 1

I don't know if this will work for the situation you are describing, but you might try calling

MembershipUser User = Membership.GetUser();

In your Page_Load method for the page in question and checking to see if a valid user was returned. This is probably not a perfect solution though, as it would only block authenticated users.

What are the circumstances that would allow a user to find the link to this page? Also, do you have any sort of control over how the 3rd party app is sending its request?

Answer 2

Well, depending on what you are doing there a few things.

1. If the third party application will always be calling from the same IP you could limit based on request IP, but not 100% fool-proof
2. If you are concerned about people stealing the link DO NOT pass authentication via querystring, as then they have everything setup
3. Potentially look at implementing basic authentication at the IIS level, if the 3rd party can pass credentials through their request

Added Detail

Per your request, here is a link on how to setup basic authentication. Basic IIS Authentication.

This should work out well in your case.