Question

We have a file on our server that's accessible directly through the URL, but it's a security issue at this point.

Our system opens the file in a pop-up window, but you can also get directly to the page by navigating directly to its URL.

How can we prevent this and only allow access to the file through a redirect?


Solution

Set a Session variable on the page that opens the popup:

Session["MainPageVisited"] = true;

And on the popup page check this value:

// Session values are stored as object, so cast before negating.
if (Session["MainPageVisited"] == null || !(bool)Session["MainPageVisited"])
{
  Response.Redirect("http://www.example.com/", true);
}

For this solution to work, your HTML file will need to be served as an aspx. Alternatively, you could create an HTTP module if you need it to be an actual HTML file:

Create Module

using System;
using System.Web;
public class HelloWorldModule : IHttpModule
{
    public HelloWorldModule()
    {
    }

    public String ModuleName
    {
        get { return "HelloWorldModule"; }
    }

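    // In the Init function, register for HttpApplication 
    // events by adding your handlers. Session state is not yet
    // loaded in BeginRequest, so hook PostAcquireRequestState.
    public void Init(HttpApplication application)
    {
        application.PostAcquireRequestState += 
            (new EventHandler(this.Application_PostAcquireRequestState));
    }

    private void Application_PostAcquireRequestState(Object source, 
         EventArgs e)
    {
        // Create HttpApplication and HttpContext objects to access
        // request and response properties.
        HttpApplication application = (HttpApplication)source;
        HttpContext context = application.Context;
        string filePath = context.Request.FilePath;
        string fileExtension = 
            VirtualPathUtility.GetExtension(filePath);
        // Compare case-insensitively so ".HTML" is checked as well.
        if (fileExtension.Equals(".html", StringComparison.OrdinalIgnoreCase))
        {
            // context.Session is null when the handler for this request
            // does not load session state; treat that as "not visited".
            object visited = context.Session == null
                ? null : context.Session["MainPageVisited"];
            if (!(visited is bool) || !(bool)visited)
            {
              // Handle it
            }
        }
    }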

    public void Dispose() { }
}

To register the module for IIS 6.0 and IIS 7.0 running in Classic mode

<configuration>
  <system.web>
    <httpModules>
      <add name="HelloWorldModule" type="HelloWorldModule"/>
    </httpModules>
  </system.web>
</configuration>

To register the module for IIS 7.0 running in Integrated mode

<configuration>
  <system.webServer>
    <modules>
      <add name="HelloWorldModule" type="HelloWorldModule"/>
    </modules>
  </system.webServer>
</configuration>

Note, this was created without testing but it should put you on the right track. Make sure that all requests are mapped through ASP.NET for this to work (Integrated mode or set wildcard application mappings).
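
Added example, not part of the original answer: a variant of the session check above in which the opener page issues a single-use token instead of a persistent flag, so every popup request has to be preceded by a visit to the opener. The `PopupGate` class, the `PopupToken` session key and the `t` query parameter are hypothetical names chosen for this sketch.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;

// Hypothetical helper (not from the original answer).
public static class PopupGate
{
    private const string Key = "PopupToken"; // assumed session key name

    // Call on the page that opens the popup and append the result to the
    // popup URL, e.g. "popup.aspx?t=" + PopupGate.Issue(Session).
    public static string Issue(HttpSessionState session)
    {
        byte[] raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(raw);
        }
        string token = HttpServerUtility.UrlTokenEncode(raw);
        session[Key] = token;
        return token;
    }

    // Call on the popup page (or from the module) with
    // Request.QueryString["t"]; redirect away when it returns false.
    // The stored token is removed before comparing, so a repeated or
    // direct request without a fresh token is rejected.
    public static bool Consume(HttpSessionState session, string presented)
    {
        if (session == null) return false;
        string expected = session[Key] as string;
        session.Remove(Key);
        if (expected == null || presented == null) return false;
        return FixedTimeEquals(expected, presented);
    }

    // Length-checked comparison without early exit on the first mismatch.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Because the token is consumed on first use, reloading the popup is rejected until the opener page issues a new one.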

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow