Mert

Reputation: 99

How to prevent access to the web site from a different IP with ASP.NET

I would like to create a layer of security. For example:

User = John (signed in) has a Session["ipadress"]
Hacker = Unknown (using the same session_id) has the same Session["ipadress"] or a new one? I need that information.

Well, I would like to check the IP address and, if it's different from that of the registered and logged-in user, then redirect to the sessioninactive.aspx page.

Is it possible to do this in Global.asax?

Upvotes: 0

Views: 601

Answers (3)

Rashid Ali

Reputation: 617

Add the following methods in Global.asax

Save the IP to session on Session_Start:

    protected void Session_Start()
    {
        // Remember the client address that started this session.
        string userIp = HttpContext.Current.Request.UserHostAddress;
        Session["ipadress"] = userIp;
    }

On each request, see if the request IP is same as saved in session:

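    protected void Application_AcquireRequestState()
    {
        // Session state is not available for every request; the Session
        // property throws in that case, so go through HttpContext instead.
        var session = HttpContext.Current.Session;
        if (session == null || session["ipadress"] == null)
        {
            return;
        }

        string userIp = HttpContext.Current.Request.UserHostAddress;
        string originalUserIp = session["ipadress"].ToString();

        // Skip the target page itself, otherwise the redirect would loop.
        bool onInactivePage = Request.Path.EndsWith(
            "sessioninactive.aspx", StringComparison.OrdinalIgnoreCase);

        if (originalUserIp != userIp && !onInactivePage)
        {
            Response.Redirect("sessioninactive.aspx");
        }
    }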

Upvotes: 1

Gregor Primar

Reputation: 6805

This will do the job inside Global.asax:

    // Requires: using System.Collections.Generic;
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        var ip = HttpContext.Current.Request.UserHostAddress;

        //TODO: handle correct list
        // "::1" is the IPv6 loopback address, so only local requests pass.
        List<string> validIps = new List<string> { "::1" };

        // Reject every request whose address is not on the allow list.
        if (!validIps.Contains(ip))
        {
            HttpContext.Current.Response.StatusCode = 403;
            HttpContext.Current.Response.StatusDescription = "Forbidden";
            HttpContext.Current.Response.End();
        }
    }

Upvotes: 2

KH S

Reputation: 444

I would do that at the place where I check the user. For example on the login page. You can simply do something like that:

    string sUserHostAddress = Request.UserHostAddress;

Then you can compare your Session["ipaddress"] (you can populate that session variable the same way) with sUserHostAddress.

Not sure what you mean with imitating session_id? I wouldn't rely on cookies to manage authenticated state. I think the important aspect is that your login is secure. Password encrypted. I would always check a session cookie against the actual used SessionID and if they don't match I get suspicious (can write code to do something about that).

You might run into a problem if the user uses a proxy which changes the IP address during a session. Saw something like that in my log files.

Hope this helps.

Upvotes: 1
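
The proxy caveat in the last answer, as an added example (not code from any of the answers): instead of comparing `UserHostAddress` values for exact equality, this helper compares their network prefixes, so a client whose address changes within one network keeps its session. The class name `SessionIpCheck`, the method `SameNetwork` and the /24 and /64 prefix lengths are assumptions chosen for illustration.

```csharp
using System;
using System.Net;
using System.Net.Sockets;

public static class SessionIpCheck
{
    // Assumed prefix lengths (not from the page): /24 for IPv4, /64 for IPv6.
    private const int V4PrefixBits = 24;
    private const int V6PrefixBits = 64;

    // True when both addresses parse, share a family and share the prefix.
    public static bool SameNetwork(string storedIp, string currentIp)
    {
        IPAddress a, b;
        if (!IPAddress.TryParse(storedIp, out a) || !IPAddress.TryParse(currentIp, out b))
            return false; // unparsable input never matches

        // Treat ::ffff:a.b.c.d as the IPv4 address it wraps.
        if (a.IsIPv4MappedToIPv6) a = a.MapToIPv4();
        if (b.IsIPv4MappedToIPv6) b = b.MapToIPv4();

        if (a.AddressFamily != b.AddressFamily)
            return false;

        int bits = a.AddressFamily == AddressFamily.InterNetwork ? V4PrefixBits : V6PrefixBits;
        byte[] x = a.GetAddressBytes();
        byte[] y = b.GetAddressBytes();

        // Compare the whole bytes of the prefix, then any remaining bits.
        int fullBytes = bits / 8, restBits = bits % 8;
        for (int i = 0; i < fullBytes; i++)
            if (x[i] != y[i]) return false;

        if (restBits == 0) return true;
        int mask = (0xFF << (8 - restBits)) & 0xFF;
        return (x[fullBytes] & mask) == (y[fullBytes] & mask);
    }

    public static void Main()
    {
        // Constructed sample addresses from the documentation ranges.
        Console.WriteLine(SameNetwork("203.0.113.10", "203.0.113.77"));
        Console.WriteLine(SameNetwork("203.0.113.10", "198.51.100.10"));
        Console.WriteLine(SameNetwork("2001:db8:1:2::1", "2001:db8:1:2:aaaa::9"));
        Console.WriteLine(SameNetwork("::ffff:203.0.113.10", "203.0.113.200"));
    }
}
```

In `Application_AcquireRequestState` the call would take the place of the exact string comparison between the stored and the current address. A shorter prefix means fewer false logouts but a weaker check.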
