Can any of you help to resolve the below issue, related to security, which needs to be developed in ASP.NET MVC4?
I need to capture the domain name of the client website programmatically when they send a request to my website.
Basically my website is developed for specific users only and their domain names are already saved in the database, so I need to give authentication only to those domains which are saved in my DB.
I have tried various combinations of code which are not working for me, like
Request.url
Request.host
Request.absolutepath
Request.servervariable
They all give me the current request domain name, which is my domain name,
so please help me resolve this issue.
Thanks in advance!
I think you are looking for HttpRequest.UrlReferrer
Beware that there are methods to spoof the URL referrer!
So if the IP address of the caller who is allowed access is fixed, it might be better to configure IIS to only accept requests from this IP. IIS 8.0 Dynamic IP Address Restrictions
I have implemented a "User Registration" functionality using "CreateUserWizard" control in ASP.NET C#. When user is registered successfully, he receives an email. I used template file which reflects username and password along with redirected URL. As below:
http://myinternaldomain.xyz.com?changepassword.aspx?uname=abc&pwd=blahblah
Now, my issue is: the application should be accessible from outside the domain firewall too, and the external URL is something like http://myexternaldomain.xyz.com?changepassword.aspx?uname=abc&pwd=blahblah
Now, I have one template file and two URLs.
I am trying to develop a workaround to create another template file containing my external domain URL. But as of now there is no luck.
Can anybody advise whether there is any way to provide such a template file so that both users (either internal or external) will get to see an email with the respective URL?
Anyway, you need one "universal" domain, because even if you can detect whether the current request was local or remote (outside the domain firewall) and use one of your two templates, later your URL will be incorrect if the user changes his/her location. So I would use myexternaldomain.xyz.com and just resolve it to your local webserver IP from your local network. If you have a domain firewall then you probably have a local DNS server. Or maybe there is a way you can set up a firewall rule so your traffic for myexternaldomain.xyz.com will be transferred to your local server, I'm not sure. Both tasks are administration-related though.
My domain is WWW.Bank.com which is configured to Bank folder.
I want to access same folder by demo.Bank.com/user.Bank.com/anything.Bank.com i.e I don't want to create new sub folder in my root.
If I give a URL like demo.Bank.com then internal pages should be demo.Bank.com/folder 1/home.aspx, and likewise.
Please help. If anyone has any dummy code then please share.
This goes beyond ASP.NET, into the core of DNS.
You need to have control of the DNS zone of your 'bank.com' domain. If your DNS provider has a web-service for adding, deleting and updating DNS A and CNAME records, you could do that, but that's a very unusual thing to do. Then again, you need to bind each domain name in the IIS website if you do not have a dedicated IP for such purposes.
Blogging websites are a good example for this, they usually host blogs on blogname.blogsite.com, such as alice.blogsite.com or bob.blogsite.com and as they usually have huge amount of different blogs, they resort to a single DNS record to take care of all of them.
That's called wildcard DNS and is what you need. Add one DNS record called *.yourdomain.com and point it to a dedicated IP address. That will work for any subdomain name combination, even the ones you don't want and where no content will exist (you're still going to be able to handle 404's). Then, on the server, add that IP address as a secondary network address. In IIS, bind your website to that IP address without a Host Header (domain name) constraint, so it would receive all requests for that IP, regardless of domain name.
Finally, in your ASP.net code fetch Request.Url.Host and you're going to get your subdomain as it was typed by the user.
(You can also go with a single IP address, but then no other websites must exist on the server.)
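Because the binding described above has no host-header constraint, `Request.Url.Host` is whatever name the client sent, so it is worth validating before it is used as a lookup key. The following is an added example, not code from the answer; `TenantHost` and `TryGetSubdomain` are hypothetical names and `bank.com` is taken from the question.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example: validate the host before treating it as a subdomain/tenant key.
public static class TenantHost
{
    // One DNS label: letters, digits, inner hyphens, 1 to 63 characters.
    private static readonly Regex Label =
        new Regex(@"\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\z", RegexOptions.CultureInvariant);

    // host is the value of Request.Url.Host; baseDomain is the zone that
    // carries the wildcard record (assumed here to be "bank.com").
    public static bool TryGetSubdomain(string host, string baseDomain, out string subdomain)
    {
        subdomain = null;
        if (string.IsNullOrEmpty(host)) return false;

        host = host.Trim().TrimEnd('.').ToLowerInvariant();
        string suffix = "." + baseDomain.ToLowerInvariant();

        // Must end in ".bank.com": rejects the bare domain, raw IP addresses
        // and names such as demo.bank.com.example.net.
        if (!host.EndsWith(suffix, StringComparison.Ordinal)) return false;

        // Exactly one well-formed label in front: rejects a.b.bank.com.
        string candidate = host.Substring(0, host.Length - suffix.Length);
        if (!Label.IsMatch(candidate)) return false;

        subdomain = candidate;   // still look it up in your own list of known names
        return true;
    }

    public static void Main()
    {
        // Constructed sample Host values.
        string[] hosts = { "demo.Bank.com", "user.bank.com.", "bank.com", "a.b.bank.com",
                           "demo.bank.com.example.net", "10.0.0.5", "-x.bank.com" };
        foreach (string h in hosts)
        {
            string sub;
            bool ok = TryGetSubdomain(h, "bank.com", out sub);
            Console.WriteLine("{0,-28} -> {1}", h,
                ok ? "subdomain '" + sub + "'" : "rejected (answer with 404)");
        }
    }
}
```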
I've developed a RestService through C# that gets the petition in this way:
{server}/user/{action}
{server}/auth/{action}
...
I don't want people to access directly to the webservice, instead it's just the web server who has to access. I have successfully achieved this denying every IP except the webserver, but I realized now that there's a part of the site that should actually have public access.
EDIT: What I've done to deny every petition is to use the feature "IPv4 Address and Domain Restrictions" from IIS, denying access to unspecified clients in the settings and finally adding just one allow entry for the IP of the web server.
So, what I want is to keep the actual behaviour, except for the case of pages like:
{server}/admin/{action}
How can I achieve this?
Thanks!
Background: I have an ASP.NET web application project that should contain a public and a member area. Now I want to implement SSL encryption to secure communication between the client and the server. (In the university we have an unsecured wireless network and you can use a WLAN sniffer to read username/password. I do not want to have this security problem for my application, so I thought of SSL encryption.)
The application is running on IIS 7.5. Is it possible to have one webapp that has unsecured pages (like the public area) and a secured area (like the member area, which requires a login)? If yes, how can I realise the communication between these two areas?
Example:
My webapp is hosted on http://foo.abc.
I have pages like http://foo.abc/default.aspx and http://foo.abc/foo.aspx.
In the same project there is a page like /member/default.aspx which is protected by a login on the page http://foo.abc/login.aspx.
So I would need to implement SSL for the page /login.aspx and all pages in /member/
How can I do that? I just found out how to create SSL certificates in IIS 7.5 and how to add such a binding to a webapp. How can I tell my webapp which page should be called with https and not with http? What is the best practice there?
From here: How to use HTTPS in an ASP.Net Application
After you get SSL setup/installed, you want to do some sort of redirect on the login page to https://. Then whatever page the user is sent to after validation, it can just be http://.
    Protected Sub Page_PreRender(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.PreRender
        ' Redirect plain-http requests to https, except on the local test machine.
        If Request.IsSecureConnection = False AndAlso _
           Not Request.Url.Host.Contains("localhost") Then
            Response.Redirect(Request.Url.AbsoluteUri.Replace("http://", "https://"))
        End If
    End Sub
This may be easier to implement on a master page or just all the pages you require https. By checking for "localhost" you will avoid getting an error in your testing environment (unless your test server has another name, then check for that: "mytestservername").
I don't work with .net, but we do have websites that have similar setup, where some pages are unencrypted and served using http, and a bunch of pages are served with https instead. Here are some stuff we've done... hope they are helpful.
1. You need to have some way to pass the configuration to your code, so it knows the base URI of both the http and https portions. E.g. if your server is foo.bar, you need your code to know that the secure pages are at https://foo.bar:xxx/..., and unsecure pages at http://foo.bar/...
2. You can configure your server with some redirects to make your life easier. E.g. if in your server configs, in the port 80 area, you redirect /xxx to the port 443 /xxx, then in your http pages, you can just use a relative URL like /xxx, and not have to include the base URI. Vice versa, you can set up in the port 443 config a redirect of /yyy to port 80 /yyy, then in your https pages, you can just use a relative URL like /yyy
3. Posting between http and https pages: you can't redirect a post, so you have to use the base URI for the http or https pages in your form element. I.e. in your http pages, if you post to https, you have to specify the https base URI in the action attribute of the form element -- this is the reason for point 1 above.
4. Obviously both your http and https code should check cookies to determine if a user's logged in, but you want to, in the https pages, check for secure cookies -- those cookies that the browser will only send in an https connection. Your plain-text cookies can get sniffed.
5. AJAX --- this is tricky. You cannot do cross-domain AJAX due to Javascript's security model. So, this means if you are in http, you cannot do AJAX to https, or vice versa; port changes are considered different domains by the browser. There are work-arounds, like using hidden iframes, etc, but those solutions are fairly complex and often have security holes.
Just a word of caution, you shouldn't really use a self-signed certificate on a production site. You ideally should get one from a trusted CA (certificate authority). The big names are Verisign and Thawte, but there are other, cheaper CAs out there.
If you use a self-signed certificate on a live site, your users will get an ugly warning message asking if they wish to proceed.
In terms of redirecting users to https areas, I usually just forward the pages I want secured (for example, if a user navigates to http://domain.com/login.aspx, I'll immediately redirect the request to https://domain.com/login.aspx (Response.Redirect(...))), then take them out of the SSL secured area once they are successfully authenticated.