monkeyhouse

Reputation: 2896

clean way to identify if user from intranet or internet

How can I determine if a user is accessing my application from the internet or intranet?

I'm very confused about the source and security of the IIS server variables (http://msdn.microsoft.com/en-us/library/ms524602.aspx). For example, is Request.ServerVariables["AUTH_USER"] blank for remote users?

Also, the documentation on Environment.UserDomainName at http://msdn.microsoft.com/en-us/library/system.environment.userdomainname.aspx makes me think it is possible to game this by naming the computer name equal to a domain name I'm checking for.

Ideally, I'd just like to ...

if ( [ ... user is not remote ... ] && Environment.UserDomainName == "TargetLocalDomainName" ) {
    var username = Environment.UserName;
    PrepareLocalUserSession(username);
    RedirectToHomePage();
}
//else
[... redirect to remote login page ...]

So my question is: how do I determine if the user is coming from a remote destination? I'd strongly prefer to use something less messy than IP checking if possible.

Thanks


EDIT

I thought my approach above was so horrible that I wanted to post a sane approach.

var request = System.Web.HttpContext.Current.Request;
var hostAddress = request.UserHostAddress;

// Note: "192." and "172." also match public addresses outside 192.168.0.0/16 and 172.16.0.0/12.
bool localUser = hostAddress.StartsWith("192.") || hostAddress.StartsWith("10.") || hostAddress.StartsWith("172.") || request.IsLocal;

// LOGON_USER has the form DOMAIN\username and is empty for anonymous requests.
string[] logonParts = request.ServerVariables["LOGON_USER"].Split('\\');
string domain   = logonParts.Length == 2 ? logonParts[0] : "";
string username = logonParts.Length == 2 ? logonParts[1] : "";

if (localUser && domain == "TargetLocalDomainName") {
   PrepareLocalUserSession(username);
   RedirectToHomePage();
}

//else
[... redirect to remote login page ...]

Upvotes: 1

Views: 4913

Answers (1)

Corey

Reputation: 16574

Firstly, you cannot use the Environment class to get information about the user making the request to your server. Environment accesses the local computer's environment, so you'll always get the server's details. Nothing in there is going to tell you thing one about the client.

All client information available to the server will be in the Request object. If you use authentication on your website you can get the user to log in, then check the user's security details in System.Web.HttpContext.Current.Request.LogonUserIdentity for example.

This still won't tell you where the client actually is, however. Testing the user's login domain will only tell you if the user has authenticated against the domain, not whether the client is on your local network. If your website is accessible from outside your network (using NAT for instance, or mixed public + private addresses on the server) you'll still have to check the IP address on the request to make sure it's in the local network.

So the short answer is that you can't do this without checking the IP address against known internal network ranges.

Upvotes: 3
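
The check the answer describes, testing the request's address against known internal ranges, as an added C# example that is not part of the original question or answer. The class and method names are hypothetical, and the RFC 1918 ranges are an assumption standing in for the subnets your network actually uses.

```csharp
using System;
using System.Linq;
using System.Net;

// Added example, not code from the question or answer.
public static class IntranetCheck
{
    // Assumption: RFC 1918 ranges stand in for "known internal network ranges";
    // replace them with the subnets your network actually uses.
    static readonly string[] InternalRanges = { "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" };

    // True when address lies inside the CIDR block (e.g. "172.16.0.0/12").
    public static bool InCidr(IPAddress address, string cidr)
    {
        string[] parts = cidr.Split('/');
        byte[] net = IPAddress.Parse(parts[0]).GetAddressBytes();
        byte[] addr = address.GetAddressBytes();
        int prefix = int.Parse(parts[1]);
        if (net.Length != addr.Length) return false;   // IPv4 vs IPv6 mismatch
        for (int i = 0; i < net.Length && prefix > 0; i++, prefix -= 8)
        {
            // Compare whole bytes, then only the leading bits of the last partial byte.
            int mask = prefix >= 8 ? 0xFF : (0xFF << (8 - prefix)) & 0xFF;
            if ((net[i] & mask) != (addr[i] & mask)) return false;
        }
        return true;
    }

    // userHostAddress is Request.UserHostAddress: the TCP peer, which is the proxy's
    // address if the site sits behind a reverse proxy or load balancer.
    public static bool IsIntranet(string userHostAddress)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(userHostAddress, out ip)) return false;
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();   // ::ffff:10.1.2.3 -> 10.1.2.3
        if (IPAddress.IsLoopback(ip)) return true;
        return InternalRanges.Any(r => InCidr(ip, r));
    }

    public static void Main()
    {
        // Constructed sample addresses: 172.32.0.1 and 192.0.2.10 pass a "172."/"192."
        // prefix test but fall outside the private ranges.
        foreach (var a in new[] { "10.4.5.6", "172.20.1.9", "172.32.0.1", "192.0.2.10", "192.168.1.50", "::ffff:10.1.2.3" })
            Console.WriteLine("{0,-18} intranet={1}", a, IsIntranet(a));
    }
}
```

As the answer notes, the result says where the connection came from, not who the user is, so it complements the authenticated domain check and does not replace it.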
