05-16-2002, 05:10 PM
How do you keep someone from hacking straight to ASP pages in an online application? You know, not bypass the password if they know the name of the page.
Can someone provide me with some script to put at the top my ASP pages that will send anyone who trys to enter the page directly to an "Access Denied" type of page.
05-16-2002, 06:29 PM
I think this is what you are asking....
There are a few ways of doing this....
This method makes sure that the request came from your server.
' place this near the top of your page
if InStr(Request.ServerVariables("HTTP_REFERER"),"yourDomain.com")=0 then
Response.write ("<center><h1><font color='#000080'>yourDomain<br>Access Denied</font></h1></center>")
05-16-2002, 07:49 PM
I hate to sound rude and blunt but that is far from secure. All a client application has to do to bypass it is to send the correct HTTP referer header. A far better method is to use a session variable to detect if the user is logged in. I'm sure Robby would have mentioned this but I believe he misunderstood the question.
If Session("LoggedIn") = "True" Then 'user is logged in
Of course you'll need to toggle that value with your login/logout scripts.
05-16-2002, 08:31 PM
What Robby posted is similar to the way Cold Fusion handles it...
<CFIF #ParameterExists(http_referer)# IS "No">
CL, I've never used session variables, so I've a bit of a curve to climb. Is it steep?
05-17-2002, 01:21 AM
CL, Doesn't the user need Session-Cookies Enabled for Session vars to work?
05-17-2002, 02:13 PM
CL, I read tons of pages on this subject last night, and I can't seem to find a solution that "fits" all.
Yes, a hacker can submit HTTP_REFERER, so that's out.
I think that a session is fired no mater where they come from, right?
05-19-2002, 10:54 PM
One way could be to generate a random string consisting of 25 characters (from the sets of A-Z, a-Z, 0-9) upon the person's initial login to the system. Once logged in, the random string is wrote into a field in the user's account record.
The first bit of code (.inc file) on every page would be a script which compares the passed authentication code in the address bar with the code in the person's record in the database. If no match is present, then a hack attempt has been made and all access should be denied.
Considering that there are 62^25 total possibilities for the random string, there is practically zero chance that somebody could "guess" an actual authentication code.
05-19-2002, 11:54 PM
For that part of it, what I do is create a temp file, partly with the session ID, and thn I just verify the text file before allowing access. (This is just to allow writing to the database)