I am a little confused. I want to protect one page in classic ASP from being accessed by the GET method.
Is it possible that someone can POST data from another server to my page?
If yes, how do I detect that and allow only POSTs from my server?
Thanks for help.
If you are currently using Request("ParameterName") to retrieve parameters, then you should change to Request.Form("ParameterName"), which will only get the parameter if it was POSTed.
Alternatively you can lookup the method used to access the page from the Request.ServerVariables collection and end the script if it is not POST. Here's an example:
' Refuse any request that was not sent with POST
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then Response.End
I noticed that you also said that you want to accept POSTs only from your server. The above changes will still allow another web page to be set up to POST to your page. If you want to ensure that only your web page can post, then you will need to add some more protection. Here's one way of doing it.
1) When you render your form, create a random number and create a session variable named by the random number with a value to check for later.
Randomize
strVarName = Int((999999 - 100000 + 1) * Rnd() + 100000)
Session(strVarName) = "Authorised"
2) In your form add a hidden field with the value of the random number.
<input type="hidden" name="varname" value="<%= strVarName %>" />
3) In the script that processes the posted form get the value of the hidden field.
strVarName = Request.Form("varname")
4) Check that the session variable is set and has a value of True.
If Session(strVarName) <> "Authorised" Then
'Failed! Either show the user an error message or stop processing
Response.End
End If
5) Remove the session variable so that the same form cannot be resubmitted.
' Classic ASP removes session entries through the Contents collection
Session.Contents.Remove(strVarName)
You don't need the random number but using it means that the same user can have multiple forms open in different windows/tabs and each one will work.
Related
In my ASP.NET MVC project, the user can save a form on screen, which makes an HTTP POST request to the server.
How can I prevent the client from sending automated HTTP POSTs to the server? Is there any built-in way in IIS or web.config to block unusual request rates?
For example, a setting like "based on Session ID, request count in 1 minute cannot exceed 30" could be helpful.
A CAPTCHA control is not a good option for me, because there are many save options on screen; setting a CAPTCHA for each of them will be useless.
Not quite what you asked for, but you can use session variables to prevent a form from being posted unless the form was first requested, and to protect against it being submitted multiple times.
On your form page, generate a random number:
Random rnd = new Random();
int key = rnd.Next(100000, 999999);
Create a session variable with this number as the name, something like this:
Session["key_"+ key.ToString()] = true;
In your form add a hidden field with this number:
<input name="key" type="hidden" value="#key" />
Upon form post get the hidden field value and check that the session variable exists. Then remove the session variable so the form cannot be resubmitted:
int key = 0;
int.TryParse(Request.Form["key"] ?? string.Empty, out key);
if (Session["key_" + key.ToString()] == null)
{
//invalid post, take some action
//best to return the user to the form and give them another chance
//in case it was legitimate, eg. session timed out
}
else
{
Session.Contents.Remove("key_" + key.ToString());
}
You can use an MVC attribute called AntiForgeryToken on your POST action method. It generates an encrypted value and a salt used to verify whether your post is authentic.
See this link
https://msdn.microsoft.com/en-us/library/dd470175(v=vs.118).aspx
I have a page "Demo.aspx". I need to set some parameters using the POST method and redirect the page to "DemoTest.aspx".
Is there any way to set parameters in the POST method in ASP.NET? I don't want to use the "Querystring" for security purposes.
Also, I need server-side code for this. I am not able to use "Javascript" or "jQuery" for this.
Here is some more description.
Right now I am using Response.Redirect("www.ABC.Com/DemoTest.aspx?P1=2"), so the page is simply redirected to the given URL.
Now I don't want to pass that "P1" in the "Querystring". Instead of the query string I want to use the POST method.
Please note that the redirection page is not in my own application, so I can't maintain Session or "Viewstate".
Thanks in advance.
Use a session variable and response.redirect to the next page.
Session["MyVariable"] = "someThing";
Response.Redirect("DemoTest.aspx");
The value stored in Session variables will be accessible across the application.
You can store it in the session like this:
Session["id"] = "anyID";
To get the value on another page you need to write
string id = Convert.ToString(Session["id"]);
However
By default, in .NET pages post() does these things automatically.
You will need to do something like this:
Server.Transfer("DemoTest.aspx", true);
I am kind of new to ASP.NET.
I wonder whether there is any way to restrict users so they can only enter from a specific page?
For example, I have a Page A to let them enter some information; then on submit, I will use Response.Redirect to Page B. But I don't want the user to be able to go into Page B directly from the URL....
If I use Session, then if the user didn't close the browser to end the session, another user can just go into Page B directly...
Because the computer that accesses these pages is used by the public, I want to see if there is any way to make sure they only do a one-way process, and can't go back to the previous page or jump to another page.
Thanks in Advance.
If you control the other page, start a session and set a session variable to a value that can be reversed and that only your server could (or should) create, much like serial keys. For example, 72150166, because the sum of every second digit equals the sum of the other digits (7 + 1 + 0 + 6 = 2 + 5 + 1 + 6), but you could choose an algorithm as complex or as simple as you want. When the user navigates to the second page, check the session variable. This is not invincible security, but it is better than checking the referrer (especially since some browsers do not set it), and I imagine security based on coming from a certain page doesn't have to be that strict.
Edit: You should also add it to a database and link it with the particular user's IP so someone else can't use the same key.
You can use Request.UrlReferrer property in the Page Load of PageB to see which page is the request coming from. If the request is not coming from PageA then redirect the user to PageA.
Check this link for more information: http://msdn.microsoft.com/en-us/library/system.web.httprequest.urlreferrer.aspx
Note: UrlReferrer is dependent on a request header and someone can set the header to mimic the request coming from PageA.
You could have the page that redirects send some sort of specifically generated hash/key in the query string that expires quickly and/or once viewed. This should be a lot more solid on the security side.
You will still need some way to store this key or the value producing the hash so you can validate it on the receiving end; I would think your DB.
I want to find a platform/language-agnostic solution to ensuring the origin of a form POST is from an expected source, i.e. Page1.aspx posting to Page2.php within the same web site.
Specifically what I am attempting to do here is to prevent request forgery.
Use a hidden field in your form, which contains a token your app generated. Store the token in the user session. When the form is submitted, your app will check that the value of the hidden field is identical to the value stored in the user session.
If it is identical, then you know the submitted form comes from where it is expected to come.
Old thread, but might still be useful.
If you do not have session info set (best option), then you can include a hidden field with an encrypted timestamp, then compare it (after decrypting) to the current time on the processing end to make sure it is relatively close and thus as recent as you deem necessary.
You could include in the form a hidden field which would be the SHA1Hash("some-secret" + Remote_IP + PerSessionSecret).
The PerSessionSecret is something you auto-generate at the beginning of the session. "some-secret" is a global secret value, which will help a little in case the randomly generated PerSessionSecret turns out not to be random enough.
Then do the same calculation upon form submission and you know it was most probably submitted from the same client it was sent to. (Of course, if you have multiple clients behind a single address, like a proxy or a NAT, you cannot distinguish between them reliably.)
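A worked version of the stateless hidden-field token the two answers above describe (a timestamp for freshness, plus a hash bound to the client address and a per-session secret), added here as an example and not the code of either poster. It uses HMAC-SHA256 keyed with the global secret instead of a plain SHA1 over the concatenation; the secret values and addresses are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed placeholder for the global "some-secret"; a real app loads it
# from configuration and keeps it out of source control.
GLOBAL_SECRET = b"constructed-global-secret-change-me"

def new_session_secret():
    """PerSessionSecret: generated once when the session starts, kept server-side."""
    return secrets.token_hex(16)

def _mac(session_secret, remote_ip, issued_at):
    # Keyed MAC over the fields the token is bound to; the separator keeps
    # field boundaries unambiguous.
    msg = "{}|{}|{}".format(session_secret, remote_ip, issued_at).encode()
    return hmac.new(GLOBAL_SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(session_secret, remote_ip, now=None):
    """Value rendered into the hidden field: '<issued_at>.<mac>'."""
    issued_at = int(time.time()) if now is None else int(now)
    return "{}.{}".format(issued_at, _mac(session_secret, remote_ip, issued_at))

def verify_token(token, session_secret, remote_ip, max_age=900, now=None):
    """Recompute the MAC on submission; accept only if it matches and is fresh."""
    now = int(time.time()) if now is None else int(now)
    try:
        ts_part, mac_part = token.split(".", 1)
        issued_at = int(ts_part)
    except (AttributeError, ValueError):
        return False  # malformed or missing field
    # Reject tokens dated in the future or older than max_age seconds.
    if issued_at > now or now - issued_at > max_age:
        return False
    expected = _mac(session_secret, remote_ip, issued_at)
    # Constant-time comparison so a mismatch does not leak where it differs.
    return hmac.compare_digest(expected, mac_part)

if __name__ == "__main__":
    sess = new_session_secret()
    tok = issue_token(sess, "203.0.113.7")           # put into the form
    print(verify_token(tok, sess, "203.0.113.7"))    # same client, fresh
    print(verify_token(tok, sess, "198.51.100.9"))   # different address
```

As the answer notes, clients sharing one address behind a proxy or NAT still produce the same binding, so the address is a weak factor and the per-session secret carries most of the weight.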
I would like to add a test condition in an ASP.NET form such that:
1) From page1.aspx I manually add a query string parameter so that I can trigger the rest of the process in test mode, like so: page1.aspx?test=true. This flag must be added in the query string.
2) When I click an ASP.NET button in page1.aspx, I am redirected to page2.aspx in test mode
because of the attached query string.
It seems that I have to work around the postback model of ASP.NET; this is not very straightforward.
Any idea how I can achieve the above behavior?
Thanks
It sounds like you're using a form that posts, but you want to stay in "test" mode. That is, you're not using HTTP GET, so it's not realistic to pass QS variables around.
What I'd do is stash a variable in your Session to set the user's session test mode. So adding &test=true would trigger Session["TestMode"] = true; before you move to the next page.
Try this (in server-side code):
Response.Redirect("Page2.aspx?Test=" + Request.QueryString["Test"]);