How to not allow external calls to .aspx page?


Guest

I have a .aspx page that creates proprietary images (return type is image). Normally, calls to this .aspx page come from our own pages. I don't want someone to just type the URL for the .aspx image page (with modified query parameters)...I only want the .aspx page to work if it was called (embedded) from our own page.

How can this be done? Can it be done without session variables? Is there an HTTP header or server variable that can be checked?
 
There is an HTTP Requestor or some such thing in the Request object
that should be able to determine if the request came from where you
want it to. If not, show a picture of something that they can get in
trouble for viewing, but you can't get in trouble for showing :)
 
You could check the http_referer server variable to see where the request
came from, and if it's invalid, show an alternative image (i.e. access
forbidden). I've implemented something similar in the past with limited
success. The http_referer seemed to intermittently stop working for me,
causing the "access forbidden" image to show even when the image was being
viewed in the correct page. However, this may have had something to do with
my company's firewall settings...

Regards,

Mun

--
Munsifali Rashid
http://www.munsplace.com/



Amil said:
I have a .aspx page that creates proprietary images (return type is
image). Normally, calls to this .aspx page come from our own pages. I
don't want someone to just type the URL for the .aspx image page (with
modified query parameters)...I only want the .aspx page to work if it was
called (embedded) from our own page.
How can this be done? Can it be done without session variables? Is there
an HTTP header or server variable that can be checked?
 
Here is what I ended up doing...


I use the Request.UrlReferrer.AbsolutePath to make sure the request came
from my own server. Normally, this path starts with something like
http://www.mydomain.com/.... I think you can also use the Host member to
verify the host requesting it came from itself.

Amil
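
The Referer host check discussed in the replies above, as an added example that is not code from the thread: it classifies the raw header value and handles the missing-header case one reply ran into. The header is supplied by the client and can be absent or set to any value, so this deters casual hotlinking rather than authenticating the caller. `RefererCheck`, `AllowedHosts` and the sample URLs are hypothetical; in a page you would pass `Request.Headers["Referer"]`.

```csharp
using System;
using System.Collections.Generic;

// Added example. RefererCheck, AllowedHosts and the sample URLs are hypothetical.
public enum RefererVerdict { Allowed, Missing, Malformed, ForeignHost }

public static class RefererCheck
{
    // Hosts whose pages may embed the image (placeholder value).
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "www.mydomain.com" };

    // Classify the raw Referer header value; null means the client sent none.
    public static RefererVerdict Classify(string refererHeader)
    {
        if (string.IsNullOrWhiteSpace(refererHeader))
            return RefererVerdict.Missing;   // typed URL, or stripped by a proxy/firewall

        Uri referer;
        if (!Uri.TryCreate(refererHeader, UriKind.Absolute, out referer))
            return RefererVerdict.Malformed;

        if (referer.Scheme != Uri.UriSchemeHttp && referer.Scheme != Uri.UriSchemeHttps)
            return RefererVerdict.Malformed;

        // Compare the parsed Host exactly. A prefix or substring test on the
        // whole URL would also accept "www.mydomain.com.example.net".
        return AllowedHosts.Contains(referer.Host)
            ? RefererVerdict.Allowed
            : RefererVerdict.ForeignHost;
    }

    public static void Main()
    {
        // Constructed sample header values.
        string[] samples =
        {
            "http://www.mydomain.com/gallery/view.aspx?id=7",
            "http://WWW.MYDOMAIN.COM/",
            "http://www.mydomain.com.example.net/page.html",
            "http://example.net/?u=http://www.mydomain.com/",
            "not a url",
            null
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-12} {1}", Classify(s), s ?? "(no Referer header)");
    }
}
```

The caller decides what `Missing` means: serving the "access forbidden" image for it also blocks legitimate viewers whose network removes the header.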

 