0

In my ASP.NET application (not MVC, just ASP.NET) I have several web forms and need to restrict users from directly accessing several web pages.

But links from other pages in the application, according to the functionality of the application, should be able to redirect (Response.Redirect, or form submission via POST or GET) to those pages, while users must strictly not be able to access them by entering the URL directly into the browser.

I have tried the following in the page load events of those pages (the ones that need to restrict direct access) and it is working really fine.

if (Request.UrlReferrer == null)
{
    Response.Redirect("~/Index.aspx", true);
}

But the problem I've got is that I am relatively new to ASP.NET and wonder if this is the best way to do this.

1). Mainly, I searched but need to know if I can get this done using the web.config file. If so, I would be grateful if someone could explain how the web.config file should look to get this done...

2). Also, I want to redirect the user if he enters a wrong URL within the site's hosted domain name... For that I did the following in the web.config, but I wonder if this is correct. Thanks...

<customErrors mode="On" defaultRedirect="~/Index.aspx">
    <error statusCode="404" redirect="~/Index.aspx" />
</customErrors>
1
  • Generally you would redirect to a specific "page not found" or "404 error" page rather than back to the index - this would most likely confuse the user and is considered a "dark practice". See codinghorror.com/blog/2007/03/…. With reference to the redirection issue, how secure should this be? There is nothing stopping a user using JavaScript to redirect themselves from a public page to a supposedly "secure" one if all that is being checked is the presence of the referral. Maybe you should consider tokens? Commented Nov 26, 2013 at 18:02
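
The comment's suggestion of tokens, sketched as an added example (not code from the question or the answer): internal links carry a short-lived HMAC-signed token bound to the signed-in user and the target path, and the protected page checks it instead of Request.UrlReferrer, which the client controls. The NavToken class, the server-side secret key and the query-string parameter name t are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not from the page): issues and checks short-lived,
// HMAC-signed tokens bound to the signed-in user and the target page path.
public static class NavToken
{
    // Returns "<expiryUnixSeconds>.<base64 HMAC>"; URL-encode it when appending as ?t=...
    public static string Issue(byte[] key, string user, string path, DateTime utcNow, TimeSpan lifetime)
    {
        long expires = ToUnix(utcNow + lifetime);
        return expires + "." + Convert.ToBase64String(Sign(key, user, path, expires));
    }

    // Page_Load usage (assumed names): if (!NavToken.IsValid(key, User.Identity.Name,
    //     Request.Path, Request.QueryString["t"], DateTime.UtcNow)) Response.Redirect("~/Index.aspx", true);
    public static bool IsValid(byte[] key, string user, string path, string token, DateTime utcNow)
    {
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split('.');
        long expires;
        if (parts.Length != 2 || !long.TryParse(parts[0], out expires)) return false;
        if (expires < ToUnix(utcNow)) return false;            // token has expired
        byte[] supplied;
        try { supplied = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }              // malformed signature
        return FixedTimeEquals(supplied, Sign(key, user, path, expires));
    }

    // The MAC covers user, lower-cased path and expiry, so none can be swapped.
    private static byte[] Sign(byte[] key, string user, string path, long expires)
    {
        string message = user + "\n" + path.ToLowerInvariant() + "\n" + expires;
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(message));
    }

    private static long ToUnix(DateTime utc)
    {
        return (long)(utc - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
    }

    // Compare without returning early on the first differing byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The path passed to Issue must be the same resolved path the target page later sees in Request.Path, and the token remains usable by the same user until it expires.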

1 Answer

2

You can add this to your web.config file to restrict specific users:

<authorization>
    <allow users="user1, user2"/>
    <deny users="?"/>
</authorization>

<location path="AccessDenied.aspx">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>

In your C#, you can use Response.Redirect:

protected void Application_EndRequest(Object sender, EventArgs e)
{
    if (HttpContext.Current.Response.Status.StartsWith("401"))
    {
        HttpContext.Current.Response.ClearContent();
        Response.Redirect("AccessDenied.aspx");
    }
}