Accessing https page - c#

I am currently adding an aspx page to my web site (.net) where my clients can insert credit card details.
I would like to give access for that page from several pages only (let's call them a.aspx and b.aspx) and if someone tries to access this page from c.aspx he won't be able to do so.
Is there a way to limit the redirect to a page for few pages only?
I've tried to check at the page event what is the source of the call, with the "sender" object, however I am not sure it is the right way to go.
Hope the question is clear enough.

What you need to know to do this is the referer.
The referer is, briefly, the page that brought you to the page you are currently at.
I believe this should get the referrer for ASP.net
Request.ServerVariables["HTTP_REFERER"]
Then you can just check and see if the referer matches your desired origins. However, I'm not sure about the ease/prevalence of referer spoofing, or if it even exists.

Yes there is - have a look at the HttpWebRequest.Referer property.
Using this you can see from which page the request to c.aspx is made - if it's not a.aspx or b.aspx you can redirect the user away.

As mentioned previously you need to check the current UrlReferrer, here is an example in vb.net
Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
    ' Redirect unless the referrer is one of the allowed pages
    Dim bRedirect As Boolean = True
    Try
        If Not IsNothing(Page.Request.UrlReferrer) Then
            Dim sReferer As String = Page.Request.UrlReferrer.ToString()
            If sReferer.Contains("/a.aspx") Or sReferer.Contains("/b.aspx") Then
                bRedirect = False
            End If
        End If
    Catch ex As Exception
        ' Raise exception, decide whether or not to redirect
    End Try
    If bRedirect Then
        Response.Redirect("~/x.aspx", True)
    End If
End Sub
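A stricter form of the referrer check discussed in the answers above, written in C# as an added example (not code from any of the posters): it parses the header and requires the same scheme, host and port plus an exact path match, since a substring test such as Contains("/a.aspx") also matches other hosts and query strings. The ReferrerGate class, the shop.example URLs and pay.aspx are assumptions made for illustration; the Referer header is still client-supplied, so the result is a navigation hint rather than proof of where the visitor came from.

```csharp
using System;
using System.Collections.Generic;

// Added example; ReferrerGate and the sample URLs are hypothetical.
public static class ReferrerGate
{
    // Pages allowed to link to the payment page (names taken from the question).
    private static readonly HashSet<string> AllowedPaths =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "/a.aspx", "/b.aspx" };

    // In a page, call as: ReferrerGate.IsAllowedReferrer(Request.UrlReferrer, Request.Url)
    public static bool IsAllowedReferrer(Uri referrer, Uri current)
    {
        // Header absent, stripped or not an absolute URL: treat as not allowed.
        if (referrer == null || !referrer.IsAbsoluteUri)
            return false;

        // The referrer must come from the same scheme, host and port as this page.
        bool sameOrigin =
            string.Equals(referrer.Scheme, current.Scheme, StringComparison.OrdinalIgnoreCase) &&
            string.Equals(referrer.Host, current.Host, StringComparison.OrdinalIgnoreCase) &&
            referrer.Port == current.Port;

        // Exact path match: AbsolutePath excludes the query string, and a
        // path with extra trailing segments is not in the allowed set.
        return sameOrigin && AllowedPaths.Contains(referrer.AbsolutePath);
    }

    public static void Main()
    {
        var current = new Uri("https://shop.example/pay.aspx");  // constructed
        string[] samples =                                         // constructed
        {
            "https://shop.example/a.aspx",
            "https://shop.example/B.aspx?step=2",
            "https://shop.example/c.aspx?next=/a.aspx",
            "https://other.example/a.aspx",
            "https://shop.example/a.aspx/extra",
        };
        foreach (var s in samples)
            Console.WriteLine("{0,-45} {1}", s, IsAllowedReferrer(new Uri(s), current));
        Console.WriteLine("{0,-45} {1}", "(no Referer)", IsAllowedReferrer(null, current));
    }
}
```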

Related

How to get the previous url in C#?

How to get the previous url in a MasterPage in C# ?
I'm trying to find the page which is redirected from.
Thanks in advance.
You can get information of the previous url with the UrlReferrer property. This works in MVC and Web forms.
Request.UrlReferrer.AbsoluteUri
Note that in the first page the property Request.UrlReferrer will be null. Also, it will be null if a redirection occurs (e.g. when a user logs into the web page).
This property is based on the HTTP_REFERER variable, so you could use this one instead.
Request.ServerVariables["HTTP_REFERER"]
Since the HTTP_REFERER is a variable sent by the client it might be altered or removed by the request. Also, the variable is not set when the referrer url starts with https.
This article mentions a few points why the Request.UrlReferrer can be null.
Usually you use a query string parameter to achieve this: current?previousUrl=/some/11.
This will allow you to access this value from the server-side code using Context.Request.QueryString["previousUrl"] in your master page code-behind.
string urlName = Request.UrlReferrer != null ? Request.UrlReferrer.ToString() : null; // UrlReferrer can be null

ASP.NET invalid script resource request instead of redirect

Several bots/crawlers are scanning our websites, and I'm wondering if there is something I can change that when a page cannot be found (for example: www.mysite.com/scriptresource.axd)
it will be redirected to a page instead of displaying the error:
Message:
This is an invalid script resource request.
I've configured the global.asax that I will receive mail on errors, but I'm receiving tons of those emails that a bot has been trying to access a non-existing page. e.g. ScriptResource.axd
Please take note of the following:
You need to login before you can do anything on the website, but the bot will cause this error somehow.
If you're logged in and try to reach a non existing page you end up with a manual 404 (RemoteOnly) error.
In the Global.asax I've added a check on Session_start for IP's that they will be redirected to Google. However, they can still cause this error.
What do I miss?
If I understand you perfectly, you can do such as below:
Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)
    Dim ctx As HttpContext = HttpContext.Current
    Dim file_ext As String = ctx.Request.CurrentExecutionFilePathExtension
    If file_ext = ".axd" Then
        ctx.Response.Redirect("http://bing.com")
    Else
        ' email error detail
    End If
End Sub

How to get Error code on custom error page

I have a common custom error page for my asp.net website. Because it's common, it is shown on every error. I want to find the last error code which occurred and redirected to my custom error page, so that I can show the right message according to the error which occurred.
Note: the solution has to be session based. I don't want any user to be shown an error which occurred on any other user's system, of course.
Do you use IIS or Apache?
For Apache
Configuring Apache to serve customized error pages is extremely easy; there is a section of the httpd.conf file devoted to this. It takes just one directive per error to achieve. If you open the conf file and scroll right down to almost the very bottom of section two, you’ll see the section you need to edit.
By default, these directives are commented out, but all you need to do is un-comment each directive and then change the path to point to your own error page.
ErrorDocument 404 /errordocs/404error.html
For IIS
IIS 6: Edit Website or Virtual Directory, then User-defined Error.
There you can edit all error files and change to a user defined asp.net file.
IIS 7:
Detailed Error Message see:
http://blogs.msdn.com/b/rakkimk/archive/2007/05/25/iis7-how-to-enable-the-detailed-error-messages-for-the-website-while-browsed-from-for-the-client-browsers.aspx
Not a good idea, what you are trying to do. You must capture the errors in the code where they occur inside the page, and show the message on that page - stay on the page - and if this is possible give the user the opportunity to correct it. If your error gets out of your try/catch and out of control then log it and fix it.
The only error that you can show to your user is the "not found page".
You can get the last error as Exception LastOneError = Server.GetLastError();
And there you can read more about errors: How do I make a "generic error" page in my ASP.NET application so that it handles errors triggered when serving that page itself?
and How to tell if an error captured by my global.asax was displayed on the screen of the user
What I would suggest is extending the UI.Page class and using that class for all your pages.
In that class (I know vb not c# but same principle and easy to convert) use the following code:
Public Class _PageBase
    Inherits System.Web.UI.Page
#Region "Page Functions"
    Private Sub Page_Error(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Error
        Session("error_StackTrace") = Server.GetLastError.StackTrace.ToString
        Session("error_Message") = Server.GetLastError.Message.ToString
        Session("error_Page") = Request.Url.ToString
        Session("error_Source") = Server.GetLastError.Source.ToString
        Server.ClearError()
        Response.Redirect("~/errors/Error.aspx")
    End Sub
#End Region
End Class
This will fire on all pages using that base class, and pass the last 'server' error (which will be the error the user caused), store all the details in session and pass it over to your error page. Then you can do as you wish.

Better place to detecting mobile browser and redirect to mobile site

Can anybody suggest which is the better place to verify a mobile browser and redirect to the mobile site?
I am thinking of using DetectMobileBrowsers to verify mobile browsers.
And I am thinking of doing this in Application_Start or Session_Start. Please suggest which is the better place to do the same.
This is my Session_Start block
Protected Sub Session_Start(ByVal sender As Object, ByVal e As EventArgs)
    ' Fires when the session is started
    'Dim request As HttpRequest = HttpContext.Current.Request
    'If request.Browser.IsMobileDevice Then
    '    Response.Redirect("http://localhost:26270/Default.aspx")
    'End If
    Response.Redirect("http://google.com")
End Sub
Thanks
Instead of using Response.Redirect("http://m.yoursite.com") it is better to use 2 lines which will temporarily redirect you to the mobile version. It's better to use:
Response.Status = "302 Moved Temporarily"
Response.AddHeader("Location", "http://m.yoursite.com")
You should probably have it in Session_Start as the device will remain the same once a session is established, which is triggered when a user accesses the site for the first time.
just google and read about it..
FYI, Application_Start is called once for the lifetime of the application domain and Session_Start event is raised each time a new session is created.
Reading about application life cycle will help you better understand all these events.
Consider Application_BeginRequest. Be sure to check the request Url is the page you are requesting, so that you are not running the check for each static file that is requested.
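void Application_BeginRequest(object sender, EventArgs e)
{
    // The User-Agent header may be absent, so fall back to an empty string
    var u = Request.ServerVariables["HTTP_USER_AGENT"] ?? string.Empty;
    var url = Request.Url.AbsoluteUri.ToLower();
    if (url.Contains(".aspx"))
    {
        // Put the DetectMobileBrowsers code here; it defines the Regex objects b and v
        if (b.IsMatch(u) || v.IsMatch(u.Substring(0, Math.Min(4, u.Length))))
        {
            Response.Redirect("http://m.yoursite.com");
        }
    }
}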

My UrlRewrite IHttpModule remove my second QueryString

I have a custom url rewriter function that works fine. But when I use a second querystring on my url, it removes the second querystring.
My friendly url: /gallery/view-ablum/?q=1
In the code: Page.aspx?id=22&q=1. When I have passed RewritePath(...) it removes &q=1 from my real page. I don't know how to fix this, I can't figure it out.
context.RewritePath(ci.PageUrl + ta + "&q=" + q, false);
Is there a IsPostBack for IHttpModule?
For the question, "Is there a IsPostBack for IHttpModule"
bool isPostBack = !string.IsNullOrEmpty(context.Request.Form["__VIEWSTATE"]);
..or introduce your own hidden field when not using viewstate (which is probably safer anyway)
Is there a IsPostBack for IHttpModule?
Will depend on which event the module is subscribing to. Earlier HttpApplication events will occur before IsPostBack is determined.
But IsPostBack is WebForm specific (e.g. not used in ASP.NET MVC); it may not be available outside the Page class.
Well, I get this error code when I debug: CurrentNotification 'context.CurrentNotification' threw an exception of type 'System.PlatformNotSupportedException' System.Web.RequestNotification {System.PlatformNotSupportedException}
and I found this
- Base ( "For this operation requires IIS integrated pipeline mode.") System.SystemException (System.PlatformNotSupportedException)
