Re: ASP.net { or any web application } security



Well - you could generate one-time IDs that are only valid for a short period of time - you could append these to links as a query string.

An HttpModule could check the appended IDs for validity...


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

Hi all,

I'm wondering how I can prevent this scenario:

I have an ASP.NET application, not using any kind of ASP.NET security
models [neither Windows nor Forms Auth]. A client can save a complete
copy of the web site locally, he can change any JavaScript function,
then change the Action attribute in the form tag to point to the same
page again, and it will submit.

My question is: I want my website to be accessed only through my own web site's
links or requests. I don't want to accept the previous scenario, and I also don't
want to accept any custom HTTP request that comes from outside of my internal web site.
I can't depend on the HTTP Referer, because it can easily be changed through
HTTP sniffing tools or packet editor tools.
Any advice?

Bashar
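
The suggestion in the reply above (short-lived one-time IDs appended to links and checked by an HttpModule), sketched as an added example that is not part of either post. The class name, the "lid" parameter, the entry page and the two-minute lifetime are assumptions, and the in-memory cache assumes a single worker process.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Caching;

// Hypothetical names: LinkIdModule, the "lid" parameter, EntryPage and the
// two-minute lifetime are assumptions made for this example.
public class LinkIdModule : IHttpModule
{
    private const string Param = "lid";
    private const string EntryPage = "/default.aspx"; // reachable without an ID
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(2);
    private static readonly RandomNumberGenerator Rng = new RNGCryptoServiceProvider();

    // Call while rendering a page: returns the link with a fresh ID appended.
    // 'path' is an app-absolute path without a query string, e.g. "/order.aspx".
    public static string Protect(string path)
    {
        byte[] raw = new byte[16];
        Rng.GetBytes(raw); // 128 random bits, not guessable
        string id = BitConverter.ToString(raw).Replace("-", "");
        // The cache drops the entry after Lifetime; the value ties the ID to one page.
        HttpRuntime.Cache.Insert("lid:" + id, path.ToLowerInvariant(), null,
            DateTime.UtcNow.Add(Lifetime), Cache.NoSlidingExpiration);
        return path + "?" + Param + "=" + id;
    }

    public void Init(HttpApplication app)
    {
        app.BeginRequest += CheckId;
    }

    private static void CheckId(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest req = app.Context.Request;
        if (string.Equals(req.Path, EntryPage, StringComparison.OrdinalIgnoreCase))
            return;
        string id = req.QueryString[Param];
        // Remove() hands back the stored value and deletes it, so an ID works once.
        string bound = id == null ? null : HttpRuntime.Cache.Remove("lid:" + id) as string;
        if (bound == null || bound != req.Path.ToLowerInvariant())
        {
            app.Context.Response.StatusCode = 403;
            app.CompleteRequest(); // skip the page handler
        }
    }

    public void Dispose() { }
}
```

The module has to be registered in web.config, and every link and form action the site renders has to be built with Protect(). The ID only shows that the link was issued by the site a moment ago; the values submitted with the request still need to be validated on the server.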


