Ulhas Tuscano

Reputation: 5620

How to prevent user from direct url entering

I am using the ASP.NET 4.0 Framework. I have a directory which contains 10 PDF files, i.e. pdf1, pdf2 ... pdf10. On button click I am using Response.Redirect and passing the PDF file path in order to open it in the browser, but this enables the user to view the path (URL) of the PDF folder, and using this URL he can open any other PDF directly. How can I stop him accessing the PDFs directly from the URL?

Upvotes: 2

Views: 17563

Answers (4)

Syam Sundhar S

Reputation: 31

Use this code in Global.asax.cs and call [NoDirectAccess] on all controllers.

    using System;
    using System.Web.Mvc;
    using System.Web.Routing;

    // Prevent direct URL access: add [NoDirectAccess] to every controller that should be blocked
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
    public class NoDirectAccessAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // Redirect to the login page when the request has no Referer header
            // or the Referer host differs from the host being requested
            if (filterContext.HttpContext.Request.UrlReferrer == null ||
                filterContext.HttpContext.Request.Url.Host != filterContext.HttpContext.Request.UrlReferrer.Host)
            {
                filterContext.Result = new RedirectToRouteResult(
                    new RouteValueDictionary(new { controller = "Home", action = "Login", area = "" }));
            }
        }
    }

Upvotes: 1

Steve

Reputation: 2997

Use Request.ServerVariables["HTTP_REFERER"]; this will tell you where the request had come from. If it's not on your site then take appropriate action.

e.g.

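    string referer = Request.ServerVariables["HTTP_REFERER"];
    // A URL typed directly into the browser sends no Referer header, so the value can be null
    if (referer == null || referer.ToLower().IndexOf("mysite.com") == -1) {
        // Not from my site
        Response.Redirect("NotAllowed.aspx");
    }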

Upvotes: 8

Matt Wilko

Reputation: 27322

There is no easy solution to this. You could devise some sort of rolling code based on the server date/time that must be part of the query string and check for the correctness of this in the page load. If you make it sufficiently complicated/long, then people will not be able to enter this manually.

Upvotes: 0

Eben Roux

Reputation: 13246

You will need to add a secure layer. If you are using MVC it will probably be simpler to implement since you will do the authorisation in the controller action. However, for classic ASP you will probably need to implement a custom handler.

Upvotes: 0
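
The custom-handler approach mentioned in the last answer, as an added example that is not part of any answer on this page. It assumes the PDFs are moved to ~/App_Data/pdfs, users sign in through Forms authentication, and the handler (hypothetical name PdfHandler, with a hypothetical `name` query parameter) is mapped to a path such as pdf.ashx in web.config.

```csharp
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

// Added example. Hypothetical handler: the button links to pdf.ashx?name=pdf1
// instead of redirecting to the physical file URL.
public class PdfHandler : IHttpHandler
{
    // Assumption: the PDFs live in ~/App_Data/pdfs. ASP.NET refuses to serve
    // App_Data directly, so this handler is the only route to the files.
    private const string PdfRoot = "~/App_Data/pdfs";

    // Accept only the names from the question (pdf1 .. pdf10). This also
    // rejects "..", slashes and anything else that could leave PdfRoot.
    private static readonly Regex AllowedName =
        new Regex(@"\Apdf([1-9]|10)\z", RegexOptions.CultureInvariant);

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // The decision is made on the server for every request and does not
        // depend on the Referer header or on how the URL was obtained.
        if (!context.Request.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        string name = context.Request.QueryString["name"] ?? string.Empty;
        if (!AllowedName.IsMatch(name))
        {
            context.Response.StatusCode = 404;
            return;
        }

        string path = Path.Combine(context.Server.MapPath(PdfRoot), name + ".pdf");
        if (!File.Exists(path))
        {
            context.Response.StatusCode = 404;
            return;
        }

        context.Response.ContentType = "application/pdf";
        context.Response.AddHeader("Content-Disposition", "inline; filename=" + name + ".pdf");
        context.Response.Cache.SetNoStore();
        context.Response.TransmitFile(path);
    }
}
```

If only some users may open a given PDF, that per-user check belongs next to the IsAuthenticated test, before the file is transmitted.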
