I have webpage for my company with user name password protected.
Now I want to open that webpage on specific computers those I allow, even internet is active on that computer.I am using asp.net 4.0 with c#.
Is there any one help me that i can allow only specific computers to open that webpage otherwise it will generate error.
Anyone Help Plz !
Create a whitelist of ip of allowed computer.
in global.asax match the ip with the ip in your list.
If ip is not in the list redirect to error page else continue.
For above method the ip need to be static. If this is not possible then follow this method.
Create a page in your website for loggingin...
give the url to only users/computer to which you want to activate.
when the authentication occurs and successfull write a cookie.
delete you newly created page.
again in your global.asax search for this cookie value .
if value is found then ok else redirect to error page.
You must set your cookie value like 180 days so that you dont need to reactivate your 2nd login page.
however if possible use 1st method only.
As you application require user name and password to open it.
As all the request goes first to gloabal file as follows
void Application_Start(object sender, EventArgs e)
{
// Code that runs on application startup
string localAddress = Context.Request.ServerVariables["LOCAL_ADDR"];
// Returns "::1" when running under the VS server, however it throws an
// exception under IIS Express, so I assume it also does so under IIS.
}
Create a list anywhere and keep the ip's list which is allowed.
If it is one of those then allow it.
Other wise deny the request.
Here is good link if you have a range define
How to check a input IP fall in a specific IP range
Related
I'm looking for a way to restrict a website served by IIS so that the website can get access to the specific folder or drive not more, let me illustrate it.
Imagine I have two websites A and B served by IIS, you can put following code in code-behind of both websites:
string windowsPath = Environment.GetFolderPath(Environment.SpecialFolder.Windows)
string path = windowsPath + #"\Microsoft.NET\Framework";
var directories = Directory.GetDirectories(path);
I need a way through IIS to restrict website A not be able to get access to the mentioned directories and only website B be able to do that. In other words I want to restrict read access.
I suppose it should have a simple solution because it's what hosting servers deal with. It's obvious that you can't put a piece of code in your website in a web hosting server and simply get access to list files name located in drive C of the hosting server.
How can I achieve that?
After researching a lot I found the solution, I thought it might be useful for ones who will stumble upon this matter later, so I documented the solution.
Note:
From IIS 7.5 on, you have more access on user who is running a website.
Every application pool you make, creates an internal user which is hidden and is known as AppPoolIdentity.
The goal:
Imagine We have two websites A and B, we also have a folder named SecurityTest located in D:\Temp, there are 6 folders inside it under the names 1 to 6, we consider to allow website A get the name of the folders inside SecurityTest while we tend to prevent website B to do that.
Step 1:
Firstly, create a website through VisualStudio, I put a server side button in the form, I consider to get name of folders in the specified path (say D:\Temp\SecurityTest), So here's the code I place in code behind to be triggered when the button is clicked:
protected void Button1_Click(object sender, EventArgs e)
{
Label1.Text = string.Empty;
string path = #"D:\Temp\SecurityTest";
var directories = Directory.GetDirectories(path);
for (int i = 0; i < directories.Length; i++)
{
string fileName = Path.GetFileName(directories[i]);
Label1.Text += fileName + "<br />";
}
}
Step 2: Now let's deal with IIS. Add two websites (or applications) to the IIS, name them A and B, the physical path for both are the same, only change port number, for instance set 81 as port number for website A and 82 for website B. Note that new application pool is created by default with the same name of your website (if you create a new application instead of new website, you should create a new application pool by yourself).
Step 3: Now in the Connections pane, click on website A, from middle pane, double click on Authentication located in the IIS category. Then click on Anonymous Authentication, after that from 'Actions' pane at the right side, click on Edit.
Now select Application pool identity and click on OK. By following these steps you chose AplicationPoolIdentity user as the user who handles website A. Follow these steps for website B.
Step 4: Go to the pathD:\Temp, right click on the folder named SecurityTest, on the Security tab, on the Group or user names category, you can see users listed who have access to the folder, these users are granted permission at the creation time by default. You might see more or less though but the point is that you should add website A ApplicationPoolIdentity user and remove all other users, so remove Users which gives access to all users, after that remove Authenticated users from the list too.
Keep in mind that you can't simply remove these users, you should Disable Inheritance first. here's the steps to achieve that:
Since you tend to allow website A to get directories, you need to add the user corresponding to the website A, now you need to follow the next step.
Step 4-1: On the same dialogue, click on Add to add new user, from here you can't find the user related to the website A since it's a hidden and internal (and virtual) user, I mean the AppPoolIdentity user for website A. You should type the name on the following pattern:
IIS APPPOOL\<app_pool_name>
So for website A I should type IIS APPPOOL\A, click on Check Names to make sure whether the user exists or not, finally press OK button.
Step 4-2: To prevent other users to get access to the webite A, click on Advanced button, click on Disable inheritance, when you encounter the warning message, select the first option (Convert) preferably, then press OK to close the dialogue.
Now in Security tab, click on Edit button to change permissions. Here you can remove users you don't need, like Authenticated Users and Users. From now on both websites A and B won't be able to get folders name.
Now get back to IIS panel and click on website A in the left Pane, then click on Browse *:81 (http) link, you can see the website A on your browser, do the same for website B to open it in the browser. When you click on button in website A you can observe a list of folders from 1 t 6 while you get following error when you click on the button to get directories on the website B.
Access to the path 'D:\Temp\SecurityTest' is denied.
That's all you need to do.
If you understand how pipeline work, you would know that we can only filter permission based by injecting module. So there are few things we can do with IIS configuration.
Asp.net application activated under IIS worker process with Application pool identity. Since Site A and Site B used different managed service account. You could remove IIS apppool\A's permission to prevent site A from reading folder.
Since read permission for application pool identity to access windows\microsoft.net is necessary when activating worker process. It is not recommended to restrict the permission
We have an application that runs as service on windows. The service periodically checks for active Internet Explorer instances using SHDocVw.ShellWindows(). With this, we are able to capture the URL in each of the IE instances.
My Question:
Is it possible to find out how the webpage in each of these IE instances were launched. For example -
Did user type in url in IE to load the webpage?
Did the user select the link from another IE tab to launch ?
Did the user launch IE instance from another desktop application like outlook etc
Thank you.
The closest thing I could find to your specific requirement was this also check out the part 2 of the same blog where some edge cases have been discussed.
The part 1 of the blog talks about a registry key named TypedURLs (path: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs) which can be found in the registry editor, the rules of updation of this key are like this:
If a link is copied and pasted from a web page to the URL address bar and the user hits enter, this will also populate the key, as this is akin to physically typing in the entire address. If an invalid address of a webpage or resource that cannot be located is entered, the key will not be populated until either the connection or the request is completed (whether it succeeded or failed). If IE’s Stop function is selected before the connection is finished or the resource is located, the key will not be populated.
It is important to note that websites visited with the browser via hyperlinks, redirects, the IE Favorites menu or the user’s home page will not populate this key. Also, when a user selects to delete their browsing history using IE’s built-in function, this key is cleared.
Hope it helps!
I recently found out that there are other domain names pointing to my website (that don't belong to me) and I was wondering how people can stop/prevent this from happening. I'm hosting this on peer1 using IIS and I'm using ASP.NET C#.
Can I use an HttpModule or some other code to reject domain names that aren't mine?
Is there a better way?
You should activate name-based virtual hosting and only show your real website for the desired domain names. For all other names, you can display a suitable error message.
Details: Your webserver is contacted by its IP address. There is nothing you can do to stop that. Anyone can say, "connect to that IP address". For instance, anyone can register new domain names to point to your server's IP address. However, inside the request, there is a field Host with a name like www.example.com.
Upon receiving the request, your server may choose to inspect the Host field and deliver different content depending on that value. In the simplest case, the server ignores the field entirely and always prints out the same content. But in a more sophisticated set-up, so called "name-based (virtual) hosting", the server chooses the content depending on the hostname.
This is how shared webhosts work: There's a single server, but depending on the requested hostname it spits out a different website for each name.
Therefore, if you want to tie your server content to your hostname, you have to tell your server to produce your website only for your desired name, and to produce a different (error) website for all other cases.
In Apache this is trivial to configure, just check their documentation; for IIS I wouldn't know but I imagine it's equally simple.
If your hosting environment is IIS and you have admin access to it. Set your default website to show an error page and then create a new site with the host header matching your domain to point to your website.
This is my solution. It really works fast and solved my problem.
Insert this code in your .htacces
RewriteCond %{HTTP_HOST} !^www.higueyrd.com$
RewriteRule ^/?(.*) http://www.higueyrd.com/$1 [QSA,R=301,L]
Just put your domain.
In IIS there is a setting called bindings that allows you to select which hostnames your website will respond to. This feature allows an instance of IIS to host mulitple websites on a single IP address.
If you want your site to only work for http://example.com/ and http://www.example.com/, you should set the bindings to only work for "example.com" and "www.example.com".
The exception here is if you are using SSL. If you are, IIS cannot determine the hostname and you will most likely have to use a dedicated IP address for your site. In that scenario, user608576's solution will work. Although, I would put that code in your Global.asax file:
<%# Application Language="C#" %>
<script runat="server">
void Application_BeginRequest(Object sender, EventArgs args)
{
HttpRequest request = HttpContext.Current.Request;
HttpResponse response = HttpContext.Current.Response;
if( (request.Url.Host != "example.com") && (request.Url.Host != "www.example.com") )
{
response.Clear();
response.Write("Unauthorized domain name: " + request.Url.Host);
response.End();
}
}
</script>
As a temporary fix you can do this . May be on home page load or BeginRequest .
if(!Request.Url.Host.ToLower().contains("mysite.com")){
Response.Redirect("error.html");
}
If i remember right when i last check my sites cpanel i saw a feature that stopped redirections to my domain if checked. I´m using Hostso as my host so check their test cpanel for it.
Hope it helps alittle atleast :)
Fredrik wirth
if you want to handle in code then do it in Global.asax in BeginRequest as below
void Application_BeginRequest(object sender, EventArgs e)
{
if (!context.Request.Url.Host.ToLower().Equals("www.mydomain.com"))
{
context.Rewritepath("/invalidpage.aspx");
}
}
The other simple way is to specify a host headers in IIS for your website.
http://technet.microsoft.com/en-us/library/cc753195(v=ws.10).aspx
Note: I am writing through my mobile so consider spelling mistakes
Let's say I have a website www.mysite.com and I want it to be a multilingual site. Following are the things I wanna achieve :-
1. When a user visits my website, I want to fetch the user's country's ISO code. Let's say the ISO is "FR".
Now I want the user to be redirected to www.mysite.fr
In case the ISO address can't be fetched, the user will be redirected to www.mysite.com
Now I have used the dll from this site http://ipaddressextensions.codeplex.com/ and used their method which is something like
iso3066code(). BUT I am not able to fetch ISO code based on a user's IP address. What is the best method to fetch the ISO code anyway??
2. I have a differenet master page for different countries. Like for France there is France.master, for Germany there is Germany.master, etc.
What I want is that firstly the ISO Code of the user should be fetched, then the user should be redirected to the site corresponding to the ISO
AND want the corresponding master to load.
Here's a scenario:-
A user from France opens my website by typing "www.mysite.com". Now I want to show the user my site's contents in French so I want him to be redirected to
"www.mysite.fr" AND want the France.master to load for all the pages. What I am doing is check the "Top level domain name" entered by user which is "com" in this case, then I fetch the ISO code
then if ISO exists, user is redirected to "www.mysite.fr"
IN CASE, ISO cant be fetched , "www.mysite.com" will only be opened for the user.
3. How do I redirect the user?? Response.Redirect("http://www.mysite.fr") is failing and giving errors like :-
"Page is not redirecting properly" I tried changing it to Response.Redirect("http://www.mysite.fr", false)
and Response.Redirect("http://www.mysite.fr", true). This didn't work.
4. www.mysite.com and www.mysite.fr aren't two different websites.Just that when is it www.mysite.com, English content will be shown on the website.
When it is "www.mysite.fr", French content can be seen inside the website.
What I did was :-
In the Global.asax file :-
I tried fetching ISO code using that dll above from the site ipaddressextensions. Then I created this Application("UserISO") variable in Global.asax file.((Is this a good approach?))
I needed to make it because I wanted to use this global variable within my Global file itself..In some user defined method.
Then I am setting master page name in a cookie and using this cookie to change master page dynamically for every content page in the Page_PreInit() event.
and lastly I am redirecting the user with " Response.Redirect("http://www.mysite.fr", false)". This response.redirect doesnt work!
Now, AM I on the right path?? I am super confused over how to actually make it work! :(
How do multilingual site redirect their users? Where can I learn about all this ? I have tried and tried and tried but this just won't work!
Lastly, there are not really any domain names set for the site as of now. Running it using the IP address set in the IIS.
So how do I test my site. How do I really go about it. Am I following the correct approach at all??
Please direct me to the right path. ANY help will be greatly appreciated. Thanks!
Belgium has 3 official languages, you can't find my language by just looking at the ip address or the domain.
The best way to find the language of a visitor is to check the language of his browser. You can find it in Request.Userlanguages.
Don't do this. It's really frustrating when you try to assume what language the user speaks. You're bound to get it wrong for someone eventually. Put some small flag icons or the language name choices on your main page in a highly visible place, and let your visitors chose what site/language they want to browse in.
Facebook's main sign in page is a great example of this.
Edit: The best you could probably do is to use the HTTP1.1 Header Accept-Language as a hint, but even then I think you should push back on this requirement of your project.
You get redirect error because the .fr site is probably the same site as .com, but session cookies are only valid for a certain domain which means that Session_OnStart() is invoked on the redirect as well. One way to circumvent this is to override the redirect/ip-lookup somehow, maybe send in a querystring or a specific landing page that you can identify:
www.site.fr/?overrideredirect=true
www.site.fr/redirected.aspx -> which then redirects back to / after Session_OnStart
In order to choose the right master page, you could probably identify which host that was requested and from that override master page in your global.asax, perhaps in the BeginRequest event.
I have a fairly complex web app that was built (by a contractor) to use integrated authentication. As part of the authentication process, a GetNetworkID() function is used that looks like this:
private string GetNetworkID()
{
return HttpContext.Current.User.Identity.Name.Split(new char[] { '\\' })[1];
}
When I run this on my development box, the HttpContext.Current.User.Identity.Name value is
myNetwork\\myUserID, so the above funciton returns my User ID, as intended, and the authenticaiton process works just fine.
But when I run this on my web server, I get an Index was outside the bounds of the array error thrown by the return statement in the GetNetworkID() function.
I'm a bit lost on how to troubleshoot this and how to figure out if it's an IIS configuration issue (my web server is a Windows Server 2008 box running IIS 7), or something else.
If I hard-code my User ID as the return value for the GetNetworkID() function, it works on the web server, but I don't have any great ideas about how to debug on the web server to determine what the HttpContext.Current.User.Identity.Name return value is that's causing the array index error.
Any suggestions?
IIS runs as the IIS Service Account, so Current.User.Identity is likely going to be the name of the IIS Account.
For completeness sake, you should check for '\' either with a Find() or by calling split, and checking the length of the resultant array. If the length is 1, that means the id isn't in the form of domain\username.
In general, if you want to debug, you can write any value to the HTTP Response stream like so:
Response.Write(HttpContext.Current.User.Identity.Name)
Another method is to setup an ASP page variable, and set the page variable to the value you'd like to inspect. You can display the variable value either through ASP code, or through Javascript.
You might be missing an IIS setting.
Try in IIS:
Website (right click) | Properties | Directory Security (tab)
Click "Edit..."
Then select "Integrated Windows Authentication"
I think the user that logs into your web applciation on the other server, is not a valid login. And hence a result is not returned on User.Identity.Name.
Like you said, it works when you hardcoded the username.
This means, the user creditials of the PC you are using to login is not permitted on your site. This therefore must be different to the credentials you are hardcoding.
Best bet is to debug on web server (it isn't hard - all you want to return is the User.Identity.Name and you can get the username and deduce logic from there), and verify the contents in your web.config file.
As Alan pointed out (and I upvoted him for it) you probably want to add a check on what form the User.Identity.Name takes. An updated routine could for example look like this:
private string GetNetworkID()
{
var name = HttpContext.Current.User.Identity.Name;
return name.InStr("\\") > -1 ? name.Split("\\")[1] : name;
}
This will return the second part of the login name if a \ is present, and the full string if not.