How to block IP address or IP classes in ASP.NET - asp.net

I need to block one IP address or class in asp.net
Can anyone help me with the code? And how to implement?
Thanks

You can get the IP address of the client using the HttpRequest.UserHostAddress property (an instance can be accessed using this.Request from any page or using static property HttpContext.Current).
As far as I know, there is no standard method that would compare the IP address with a specified range, so you'll need to implement this bit yourself.
You'll probably want to check this for every request, which can be done either in the OnInit method of every page (that you want to block) or in the BeginRequest event of the application (typically in Global.asax).
If you detect a blocked address, you can output an empty (placeholder) page using Server.Transfer method (Response.End would be another alternative, but that simply cuts the page - returning an empty page, while Server.Transfer allows you to output some message to the client).
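
The range comparison this answer says you have to write yourself, as an added example in C# (not code from any of the answers): a CIDR match on Request.UserHostAddress, run from Application_BeginRequest. The block-list entries are constructed documentation ranges, and the example answers 403 via CompleteRequest rather than the Server.Transfer the answer mentions.

```csharp
using System;
using System.Net;
using System.Web;

// Added example for Global.asax.cs: CIDR block list checked on every request.
public class Global : HttpApplication
{
    // Constructed sample entries (documentation ranges); load real ones from configuration.
    static readonly string[] Blocked = { "203.0.113.0/24", "198.51.100.7/32", "2001:db8::/32" };

    public static bool InCidr(IPAddress addr, string cidr)
    {
        string[] parts = cidr.Split('/');
        IPAddress net = IPAddress.Parse(parts[0]);
        int prefix = int.Parse(parts[1]);
        // Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot slip past an IPv4 rule.
        if (addr.IsIPv4MappedToIPv6) addr = addr.MapToIPv4();
        if (addr.AddressFamily != net.AddressFamily) return false;

        byte[] a = addr.GetAddressBytes(), n = net.GetAddressBytes();
        if (prefix < 0 || prefix > a.Length * 8) return false;
        int fullBytes = prefix / 8, restBits = prefix % 8;
        for (int i = 0; i < fullBytes; i++)
            if (a[i] != n[i]) return false;
        if (restBits == 0) return true;
        int mask = (0xFF << (8 - restBits)) & 0xFF; // high bits of the partial byte
        return (a[fullBytes] & mask) == (n[fullBytes] & mask);
    }

    public static bool IsBlocked(string userHostAddress)
    {
        IPAddress addr;
        // Design choice in this example: an unparseable address is treated as blocked.
        if (!IPAddress.TryParse(userHostAddress, out addr)) return true;
        foreach (string cidr in Blocked)
            if (InCidr(addr, cidr)) return true;
        return false;
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (!IsBlocked(Request.UserHostAddress)) return;
        Response.StatusCode = 403;
        Response.Write("Access denied.");
        CompleteRequest(); // skip the rest of the pipeline without a ThreadAbortException
    }
}
```

Behind a reverse proxy or load balancer, UserHostAddress is the proxy's address, so the check has to use the client address forwarded by that trusted hop instead.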

If what you mean by "block" is "don't let them harass my server", this is not an asp.net issue, you need a firewall (software or hardware).
If what you mean by "block" is "don't show my pages":
' pseudocode, I haven't checked the exact syntax
Sub Page_Load()
    If Request.UserHostAddress = "123.123.123.1" Then
        Response.Redirect("404.htm") ' send them elsewhere
    End If
End Sub

You mention you are not familiar with ASP.NET, so maybe this excellent article from Rick can help you, as it has a full article on how to block IPs and even have an admin area to manage them...
http://www.west-wind.com/WebLog/posts/59731.aspx

Related

Losing session variable data from one page to the other in VB.NET

I am a bit new to VB.NET. I have a page that sets 2 session variables and does a redirect to a second page. The second page is at least using one of the session variables. I can tell because on the second page, if the session variable is not correct the user is redirected to an access denied page. The second page also uses the session variable in question. It will read it and fill a gridview based on the value of the variable. I set the variable like so
Session("ID") = Convert.ToInt32(a_value)
and on the second page I retrieve the variable like this
a_page_variable = Session("ID")
What I find strange is that when I run this code in visual studio it works as expected but when I deploy and run it, I get 0 from my session variable instead of the true value of "a_value". I have tried a few things like making sure the data types match up from page to page and trying different ways to retrieve the variable such as
Session("userID")
and
CType(Session.Item("userID"), Int32)
I've also tried to see what is coming in to the second page by using
Response.Write
I also tried to use SQL Profiler to see what kind of call is being made to fill the gridview but I haven't had any luck. The gridview gives me an empty dataset and the Profiler does not detect a call being made from the application. I thought working with session variables was pretty straight forward but obviously, I am missing something.
Thanks for your help,
Billy
One possibility (and the only one that could be guessed at with how little information we have) could be the response.redirect causing the application to terminate due to an exception.
When redirecting, you want to always pass a false, and then call complete request.
Response.Redirect(urlstring, False)
Response.CompleteRequest()
Not following these steps can cause exceptions, which may drop session.
Additionally, resolve virtual paths, as some browsers (mobile especially) can see those redirects as new requests entirely, thus generating new session tokens.
Dim urlstring As String
urlstring = Page.ResolveUrl("~/default.aspx")
That said, there are a number of possible causes for this situation.
Application Pool restarts
App Domain restarted
Code changing value unexpectedly
AV tinkering with files
deployed to web farm
With the description provided above, we just don't have enough information to really troubleshoot.
Thank you ADyson, Stephen Wrighton and everyone else who took a stab at helping me figure this out. I was able to find out what was going on by adding code that wrote to a log file on the server. Found the logging code here. I found that I never reached the code that set the session variable and that is the reason it never populated on the second page. I was trying to get the logon name for the user by using Environment.UserName which will return the user name of the person who is currently logged on to the operating system. But what I really wanted to do was get the logon name of the user that was visiting my site. For this I used User.Identity.Name. This works great when you need to know which user from an Active Directory domain is visiting your site.

Restrict page access only can enter from a specified page?

I am kind of new to ASP.NET.
I wonder whether there is any way to restrict users so that they can only enter from a specified page?
Like, I have a Page A to let them enter some information, then on submit, I will use Response.Redirect to Page B. But I don't want the user to be able to go to Page B directly from the URL....
If I use Session, then if the user didn't close the browser to end the session, another user can just go into Page B directly...
Because the computer that accesses these pages is used by the public, I want to see if there is any way to make sure they only do a one-way process? They can't go back to the previous page or jump to another page.
Thanks in Advance.
If you control the other page, start a session and set a session variable to a value that can be reversed that only your server could (or should) create, much like serial keys. For example 72150166 because the sum of every second number equals the sum of every other number (7 + 1 + 0 + 6 = 2 + 5 + 1 + 6) but you could choose an algorithm as complex or as simple as you want. When the user navigates to the second page, check the session variable. This is not invincible security, but it is better than checking the referrer (especially since some browsers do not set it) and I imagine security based on coming from a certain page doesn't have to be that strict.
Edit: You should also add it to a database and link it with the particular user's IP so someone else can't use the same key.
You can use Request.UrlReferrer property in the Page Load of PageB to see which page is the request coming from. If the request is not coming from PageA then redirect the user to PageA.
Check this link for more information: http://msdn.microsoft.com/en-us/library/system.web.httprequest.urlreferrer.aspx
Note: UrlReferrer is dependent on a request header and someone can set the header to mimic the request coming from PageA.
You could have the page that redirects send some sort of specifically generated hash/key in the query string that expires quickly and/or once viewed. This should be a lot more solid on the security side.
You will still need some way to store this key or value producing the hash so you can validate it on the receiving end- I would think your DB.
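
One way to build the quickly expiring, view-once key from this last answer, as an added C# example that is not from the thread: an HMAC-signed token bound to the session, with an in-memory used-nonce set standing in for the database the answer suggests. The class name PageBToken, the 60-second lifetime and the per-process random key are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical class): Page A issues a token, Page B redeems it once.
public static class PageBToken
{
    // Assumption: per-process random key; a web farm needs one shared secret key.
    static readonly byte[] Key = NewKey();
    static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(60);
    // Nonces already redeemed. Stand-in for the DB table; purge entries older than Lifetime.
    static readonly ConcurrentDictionary<string, long> Used = new ConcurrentDictionary<string, long>();
    static byte[] NewKey()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }

    static string Sign(string data)
    {
        using (var hmac = new HMACSHA256(Key))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(data))).Replace("-", "");
    }
    // Page A: Response.Redirect("PageB.aspx?t=" + PageBToken.Issue(Session.SessionID), false);
    public static string Issue(string sessionId)
    {
        // The nonce only has to be unique; the HMAC is what makes the token unforgeable.
        string payload = Guid.NewGuid().ToString("N") + "." + DateTime.UtcNow.Add(Lifetime).Ticks;
        return payload + "." + Sign(payload + "." + sessionId); // nonce.expiry.mac
    }
    // Page B: if (!PageBToken.Redeem(Request.QueryString["t"], Session.SessionID)) send back to Page A.
    public static bool Redeem(string token, string sessionId)
    {
        string[] p = (token ?? "").Split('.');
        long expires;
        if (p.Length != 3 || !long.TryParse(p[1], out expires)) return false;
        if (!SameText(Sign(p[0] + "." + p[1] + "." + sessionId), p[2])) return false; // forged or other session
        if (expires < DateTime.UtcNow.Ticks) return false;                             // too old
        return Used.TryAdd(p[0], expires);                                             // false on replay
    }
    // Comparison whose timing does not depend on where the first mismatch is.
    static bool SameText(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

With cookie-based session state, ASP.NET generates a new SessionID on each request until the session object is actually used, so Page A should store a session value before calling Issue.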

Paypal post problem

document.aspnetForm.action = "https://www.paypal.com/cgi-bin/webscr";
I use master page and paypal payment page but giving error "document.aspnetform is not defined"
I can't tell from your question whether you are doing this on the client using JavaScript or on the server in C#. I guess the former as you are using document all lower case. Either way check your capitalisation - JavaScript is case sensitive so you may need document.AspNetForm or something similar as your identifier. Just make sure it matches up to whatever the title of the form is in the source code.

Page transfer in ASP.NET

In Response.redirect ("Page.aspx",bool end response), How do I transfer the page and come back to the same execution point?
I mean to say how can I use the bool value for my programming purpose.
Please let me know
If I understand "come back to the same execution point" correctly, you might consider using Server.Execute instead.
From MSDN
Executes the handler for a specified resource in the context of the
current request and returns execution to the page that invoked it.
I think you can create a session variable and stock the "starting point"(url) in the variable.
After that you can get the "starting point" from anywhere and go back to this page..
(If it is what you want to do..)
You could start running all your operations in another thread and then only do Response.Redirect("someurl"), i.e.
Response.Redirect("some.aspx");
myoperation();
myoperation1();
replace this code with
ThreadPool.QueueUserWorkItem(delegate
{
myoperation();
myoperation1();
});
Response.Redirect("some.aspx");
To answer your specific questions:
you cannot use the bool parameter for your own purposes - it is there to signal whether to end the response back to the client (msdn link)
when you redirect or transfer to a page you still need to go through the page life cycle, you cannot just start at some arbitrary bit of code on the page. As already mentioned in the answer from InSane, use the Execute method instead.

Using endResponse in a Response.Redirect

While performing a response.redirect in an ASP.NET page, I received the error:
error: cannot obtain value
for two of the variables being passed in (one value being retrieved from the querystring, the other from viewstate)
I've never seen this error before, so I did some investigating and found recommendations to use the "False" value for "endResponse"
e.g. Response.Redirect("mypage.aspx", False)
This worked.
My question is: what are the side-effects of using "False" for the "endResponse" value in a response.redirect?
i.e. are there any effects on the server's cache? Does the page remain resident in memory for a period? Will it affect different users viewing the same page? etc.
Thanks!
From this other question and this blog post, the recommended pattern is-
Response.Redirect(url, false);
Context.ApplicationInstance.CompleteRequest();
This avoids the expensive ThreadAbortException/Response.End. Some code will be executed after the CompleteRequest(), but ASP.Net will close the request as soon as it is convenient.
Edit- I think this answer gives the best overview. Note that if you use the pattern above, code after the redirect will still be executed.
An MSDN blog post that might answer your question:
The drawback to using [Response.Redirect(url, false)] is that the page will continue to process on the server and be sent to the client. If you are doing a redirect in Page_Init (or like) and call Response.Redirect(url, false) the page will only redirect once the current page is done executing. This means that any server side processing you are performing on that page WILL get executed.
Response.Redirect(..., true) results in a ThreadAbortException.
Depending on your exception handling setup you might get your log filled with error messages, one for each redirect.
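
Because code after Response.Redirect(url, false) keeps running, an access check that redirects this way has to stop the rest of the page itself. An added C# example (not from the answers; the page class name and Login.aspx are hypothetical) using a flag plus RaisePostBackEvent and Render overrides:

```csharp
using System;
using System.Web.UI;

// Added example: code-behind of a protected Web Forms page (names are hypothetical).
public partial class AdminPage : Page
{
    bool _redirecting;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!User.Identity.IsAuthenticated)
        {
            RedirectAndStop("~/Login.aspx");
            return; // nothing aborts the thread, so Page_Load must stop on its own
        }
        // Only reached for authenticated users.
        Response.Write("Signed in as " + Server.HtmlEncode(User.Identity.Name));
    }

    void RedirectAndStop(string url)
    {
        _redirecting = true;
        Response.Redirect(ResolveUrl(url), false);       // no ThreadAbortException
        Context.ApplicationInstance.CompleteRequest();   // go to EndRequest once the page finishes
    }

    // The page life cycle continues after Page_Load, so the control event that
    // caused the postback (e.g. a button click) would still be raised.
    protected override void RaisePostBackEvent(IPostBackEventHandler source, string eventArgument)
    {
        if (!_redirecting) base.RaisePostBackEvent(source, eventArgument);
    }

    // Keep the protected markup out of the body of the 302 response.
    protected override void Render(HtmlTextWriter writer)
    {
        if (!_redirecting) base.Render(writer);
    }
}
```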
