How do you restrict access to directory below parent dir with anon access?
on 02.08.2006 20:08:08 by shahedshirazi
Hi,
This seems like an easy question. Has me stumped!!
If I have a web site and I would like to allow anon access, how can I
restrict it so that the client can't access a directory below the
parent directly, but has to go to the root index.htm say and then can
navigate to wherever from any links? Is this possible?
I have a further question, but this one is the starter.
Thanks so much
Re: How do you restrict access to directory below parent dir with anon access?
on 02.08.2006 22:40:30 by Eric Chaves
Hi,
Simply speaking, no, this is not possible. When your browser makes a
request, the server doesn't know if the request was made from a "typed URL",
an "HTML anchor tag" or whatever.
Now, you can achieve this behavior by implementing some server-side
processing through any kind of server extension (like ASP, ASP.NET, ISAPI
filters/extensions and others). One commonly used way to do this is through
the "Referer" HTTP header, but keep in mind that this is *extremely easy* to
bypass and should not be considered a secure method to protect a server
resource. Another approach would be to implement some ASP/ASP.NET and use the
session state to control it.
If you are still considering going for the Referer solution, check out David's
blog entry
http://blogs.msdn.com/david.wang/archive/2005/07/11/Deny_direct_access_to_resources_using_Referer_based_authentication.aspx
or google for "ISAPI referer filter".
Cheers,
Eric.
wrote in message
news:1154542088.487659.130870@s13g2000cwa.googlegroups.com...
> Hi,
>
> This seems like an easy question. Has me stumped!!
>
> If I have a web site and I would like to allow anon access, how can I
> restrict it so that the client can't access a directory below the
> parent directly, but has to go to the root index.htm say and then can
> navigate to wherever from any links? Is this possible?
>
> I have a further question, but this one is the starter.
>
> Thanks so much
>
Re: How do you restrict access to directory below parent dir with anon access?
on 03.08.2006 03:14:07 by someone
Can you please describe the end goal that you are trying to achieve.
There is no valid authentication protocol which predicates access to one URL
based on visiting another URL. By its very nature, such a protocol is easy
to forge. You need to decide if it works for you.
http://blogs.msdn.com/david.wang/archive/2005/07/11/Deny_direct_access_to_resources_using_Referer_based_authentication.aspx
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
wrote in message
news:1154542088.487659.130870@s13g2000cwa.googlegroups.com...
> Hi,
>
> This seems like an easy question. Has me stumped!!
>
> If I have a web site and I would like to allow anon access, how can I
> restrict it so that the client can't access a directory below the
> parent directly, but has to go to the root index.htm say and then can
> navigate to wherever from any links? Is this possible?
>
> I have a further question, but this one is the starter.
>
> Thanks so much
>
Re: How do you restrict access to directory below parent dir with anon access?
on 03.08.2006 14:53:00 by shahedshirazi
Dear David,
Thanks for your reply. My real problem is that I have an ASP.NET
program and I want the signed-in user to be able to link to my
purely HTML site, using Response.Redirect I guess.
I don't want the general public to have access to the HTML site, but I
want access to the HTML site via my link in the ASP.NET app only. But it
seems like I can't stop people from accessing the HTML site and allow
access via my ASP.NET app. Any help is greatly appreciated. I've
tried using virtual directories, to no avail.
Thanks
David Wang [Msft] wrote:
> Can you please describe the end goal that you are trying to achieve.
>
> There is no valid authentication protocol which predicates access to one URL
> based on visiting another URL. By its very nature, such a protocol is easy
> to forge. You need to decide if it works for you.
>
> http://blogs.msdn.com/david.wang/archive/2005/07/11/Deny_direct_access_to_resources_using_Referer_based_authentication.aspx
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
>
Re: How do you restrict access to directory below parent dir with anon access?
on 04.08.2006 11:39:44 by Daniel Crichton
shahed wrote on 3 Aug 2006 05:53:00 -0700:
> Dear David,
>
> Thanks for your reply. My real problem is that I have an ASP.NET
> program and I want the signed-in user to be able to link to my
> purely HTML site, using Response.Redirect I guess.
>
> I don't want the general public to have access to the HTML site, but I
> want access to the HTML site via my link in the ASP.NET app only. But it
> seems like I can't stop people from accessing the HTML site and allow
> access via my ASP.NET app. Any help is greatly appreciated. I've
> tried using virtual directories, to no avail.
Convert the HTML site to ASP.NET (rename all the files to .aspx and set up a
redirection in IIS for all .htm pages to the .aspx ones), and have each one
check for a session variable set in the parent application (I'm still an ASP
programmer, not ASP.NET, so I don't know if it handles #include, but you
should be able to create a single file with the checking code in it and
include it at the top of all the pages). If the variable is not there,
redirect to the parent application; if it is, allow the page to be displayed.
Dan
Re: How do you restrict access to directory below parent dir with anon access?
on 04.08.2006 16:26:26 by Eric Chaves
Hi Shahed,
I'm not sure if I got the exact picture of your problem. Correct me if
I'm wrong:
1-You have a set of static HTML pages (let's name it R1) hosted on an IIS
server.
2-You have another set of ASP.NET pages (from now on R2) hosted on an IIS
server, either the same or another one managed by you.
3-Access to resources in R1 should be allowed only if the visitor has first
accessed a resource from R2.
4-Any type of direct access (typing the URL in the browser, bookmarking it,
etc.) to resources in R1 should be denied (status 403 Forbidden?).
Also, from what you described, the "authentication" algorithm may be
described as:
1-The client accesses a resource R2, which creates/receives a token T1 that
should be present in further requests for resource R1.
2-Upon access, resource R1 will validate the token T1. If it's OK, access
is granted; otherwise it is denied.
3-The token T1 should expire after a certain condition (number of accesses,
time elapsed, end of session).
The main problems here are:
1-The restricted resources R1 are static and therefore cannot verify
anything by themselves. We need to delegate this to someone else.
2-The process used to create/store token T1 cannot be easily forged,
predicted or spoofed by unauthorized clients.
Fortunately, IIS can be "extended" to perform this task. Since you already
have some code in the .NET Framework, I'll suggest a solution in this scope:
To store the authentication token T you can use a non-persistent cookie
or a custom HTTP header. The cookie is preferable as it will go away as soon
as the browser window closes.
To avoid forgery the token MUST be dynamically generated (i.e. a HASH of
something + timestamp, a GUID). You can use the ASP.NET session cookie as
suggested by Daniel.
The application holding R1 must manage tokens. The list of valid tokens
could be kept in memory or on disk (a database, a text file). I'll suggest a
text file to begin with, since it's easy to be "debugged" by you (it only requires
Notepad :))
The server hosting R1 must manage the expiration of valid tokens. If you
use session cookies, this will be handled by ASP.NET.
The server hosting the restricted resources R2 needs to be extended to
validate token T1. You can write a custom HttpHandler and associate it with some
unused extension (i.e. .abc, .shd). Set it to NOT check if the file exists.
The handler will receive the request, validate the token T and, if it's OK,
it will return a file with the same name requested in the URL but replacing the
fake extension (.shd) with the real one (.html).
This is a guideline for a generic and reusable solution. Some details
will come up as you implement it, and will probably be better answered in
newsgroups related to .NET programming. Also look into Google and MSDN for
hints on "HttpHandler" or "IHttpHandler". A search on the IIS request pipeline
will come in handy to help you understand how IIS handles requests and where/how
you can extend it.
Cheers,
Eric.
"shahed" wrote in message
news:1154609580.571110.324790@m73g2000cwd.googlegroups.com...
> Dear David,
>
> Thanks for your reply. My real problem is that I have an ASP.NET
> program and I want the signed-in user to be able to link to my
> purely HTML site, using Response.Redirect I guess.
>
> I don't want the general public to have access to the HTML site, but I
> want access to the HTML site via my link in the ASP.NET app only. But it
> seems like I can't stop people from accessing the HTML site and allow
> access via my ASP.NET app. Any help is greatly appreciated. I've
> tried using virtual directories, to no avail.
>
> Thanks
>
> David Wang [Msft] wrote:
>> Can you please describe the end goal that you are trying to achieve.
>>
>> There is no valid authentication protocol which predicates access to one
>> URL
>> based on visiting another URL. By its very nature, such a protocol is
>> easy
>> to forge. You need to decide if it works for you.
>>
>> http://blogs.msdn.com/david.wang/archive/2005/07/11/Deny_direct_access_to_resources_using_Referer_based_authentication.aspx
>>
>> --
>> //David
>> IIS
>> http://blogs.msdn.com/David.Wang
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> //
>>
>
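The HttpHandler design Eric sketches above (fake extension, token check, then serve the real file), written out as an added C# example that is not code from the thread; the session key "R2SignedIn", the ".shd" extension and the "~/gated" folder are assumed names, and the token is the ASP.NET session flag Daniel suggested rather than a hand-managed token file.

```csharp
// Added example, not from the thread: ASP.NET 2.0 IHttpHandler for the
// "fake extension" gate. Assumed: the ASP.NET app sets Session["R2SignedIn"]
// = true at sign-in, requests arrive as /gated/page.shd, real pages live in
// ~/gated as page.html.
using System;
using System.IO;
using System.Web;
using System.Web.SessionState;

public class GatedHtmlHandler : IHttpHandler, IReadOnlySessionState
{
    const string SessionFlag = "R2SignedIn"; // assumed session key
    const string HtmlRoot = "~/gated";       // assumed folder with the real .html
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        // 1. Validate the token. Using the session flag means ASP.NET handles
        //    randomness, the non-persistent cookie and expiry for us.
        object flag = ctx.Session == null ? null : ctx.Session[SessionFlag];
        if (!(flag is bool) || !(bool)flag)
        {
            ctx.Response.StatusCode = 403; // typed, bookmarked or hotlinked URL
            return;
        }
        // 2. Map /gated/page.shd back to page.html, using only the file name.
        string name = Path.GetFileNameWithoutExtension(
            ctx.Request.AppRelativeCurrentExecutionFilePath);
        string root = Path.GetFullPath(ctx.Server.MapPath(HtmlRoot))
                      + Path.DirectorySeparatorChar;
        string physical = Path.GetFullPath(Path.Combine(root, name + ".html"));
        // 3. Refuse anything that resolves outside the root (encoded ".." etc.).
        if (!physical.StartsWith(root, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(physical))
        {
            ctx.Response.StatusCode = 404;
            return;
        }
        ctx.Response.ContentType = "text/html";
        ctx.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        ctx.Response.TransmitFile(physical);
    }
}
/* Web.config fragment. On IIS 6 also script-map .shd to aspnet_isapi.dll with
   "Verify that file exists" unchecked, as Eric describes:
   <system.web><httpHandlers>
     <add verb="GET" path="*.shd" type="GatedHtmlHandler" />
   </httpHandlers></system.web> */
```

The real .html files must not be reachable directly by IIS (for example, keep them in a folder with the IIS Read permission removed), otherwise a request for page.html skips the handler entirely.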