Zee99 Zee99 - 1 year ago 49
ASP.NET (C#) Question

How to ensure a URL is called from my application and not manually from browser

I have an application that contains a button. On click of this button, it will open a browser window using a URL with querystring parameters (the URL of a page that I am coding).

Is there a way to ensure that the URL is coming from my application and only from my application - and not just anyone typing the URL manually in a web browser?

If not, what is the best way to ensure that a specific URL is coming from a specific application - and not just manually entered in the address bar of a web browser?

I'm using ASP.NET.

Answer Source

You can check if the request was made from one of the pages of your application using:


That's the simple way.

The secure way is to put a cookie on the client containing a value encrypted using a secure key or hashed using a secure salt. If the cookie is set to expire when the page is closed it should be impossible for someone to forge.

Here's an example:

On the pages that would redirect to the page you are trying to protect:

  HttpCookie cookie = new HttpCookie("SecureCheck");
  //don't set the cookie's expiration so it's deleted when the browser is closed
  cookie.Value = System.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile(Session.SessionID, "SHA1");
  //send the cookie to the client with the response
  Response.Cookies.Add(cookie);

On the page you are trying to protect:

  //check to see if the cookie is there and it has the correct value
  HttpCookie check = Request.Cookies["SecureCheck"];
  if (check == null || string.IsNullOrEmpty(check.Value) || System.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile(Session.SessionID, "SHA1") != check.Value)
    throw new Exception("Invalid request. Please access this page only from the application.");
  //if we got this far the exception was not thrown and we are safe to continue
  //insert whatever code here
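
A keyed variant of the cookie check described in the answer, as an added example that is not part of the original answer: the cookie value is an HMAC-SHA256 over the session ID and an expiry time, so it cannot be recomputed without the server-side key. The class name `LaunchToken`, the token format and the per-process key are assumptions made for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: issues and verifies a keyed, expiring token bound to a session ID.
public static class LaunchToken
{
    // Assumption: a real application loads this key from protected configuration.
    private static readonly byte[] Key = NewKey();

    private static byte[] NewKey()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }

    private static long ToUnix(DateTime utc)
    {
        return (long)(utc - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
    }

    private static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Token format (constructed for this example): "<expiryUnixSeconds>.<base64 HMAC>"
    public static string Issue(string sessionId, DateTime nowUtc, TimeSpan lifetime)
    {
        long expires = ToUnix(nowUtc + lifetime);
        return expires + "." + Sign(sessionId + "|" + expires);
    }

    public static bool Verify(string token, string sessionId, DateTime nowUtc)
    {
        int dot = string.IsNullOrEmpty(token) ? -1 : token.IndexOf('.');
        long expires;
        if (dot <= 0 || !long.TryParse(token.Substring(0, dot), out expires)) return false;
        if (ToUnix(nowUtc) > expires) return false; // token has expired
        string expected = Sign(sessionId + "|" + expires);
        string actual = token.Substring(dot + 1);
        int diff = expected.Length ^ actual.Length; // compare without early exit
        for (int i = 0; i < expected.Length && i < actual.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}
```

The launching page would set the `SecureCheck` cookie to `LaunchToken.Issue(Session.SessionID, DateTime.UtcNow, TimeSpan.FromMinutes(5))` and the protected page would reject the request unless `LaunchToken.Verify` returns true for the cookie value. Store a value in `Session` before issuing the token, because ASP.NET generates a new `SessionID` on each request until the session is actually used.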