ASP - Anyone?

azzeretti

Hey,
I am no programmer, but I have to set up a site on IIS that I need to restrict access to. For different reasons I can't use an authentication page so I was trying to allow access to it from a referral URL. The trouble is the referal URL is dynamic. Can anyone point in the right direction here? Anyone know if there is a ServerVarible for a referral IP?

thanks

seamus

From a quick google, you should be able to get the value of the referrer from
Request.ServerVariables("HTTP_REFERER")

Yes, referrer is spelt wrong, that's an historical mistake, but correct usage. I have little to no knowledge of ASP (Always plan on learning it, but it seems so illogical compared to PHP), so can't help you otherwise.

Be aware that the referral url can easily be spoofed, so if you're using that as a method of authentication, it's false security.

azzeretti

Seamus,
Thanks for the reply. I have spent a while looking at Google, the problem is that my referral URL is dynamic i.e instead of

If refURL = http://myaddress.com
then enter

I will need a way to code
If refURL like http://myaddress%
then enter

The address the users will be coming from will also concatinate a dynamic session id to the end of the string, making the referral address different everytime!

seamus

I'm not sure how regular expressions work in ASP, but it's probably what you want to use to verify that the referrer url begins with "http://myaddress.com".

Seth Brundle

Im not what exactly you are after but try this...

<% option explicit%>
<% dim referrer, domain, allowedDomains, allow
referrer = Request.ServerVariables("HTTP_REFERER")
allowedDomains = Array("localhost", "127.0.0.1") 'put any allowed referrers in here
allow = false
for each domain in allowedDomains
    if instr(referrer, domain) then allow = true
next

if allow = true then 
   response.redirect("enterpage.asp")
else
   response.write("access denied!")
end if
%>

rsynnott

Does IIS not have a URL rewriter? :eek:

seamus

Just a very minor modification of kbannon's code, this ensures that the referrer isn't spoofed by simply inserting the word "localhost" (for e.g.) into the referrer url, instead it checks that referrer starts with "http://localhost" or whatever your specify. Whether it's of any use is another matter, there's nothing to stop someone spoofing your domain in the referrer url.

It may take some messing to get it to work.

<% option explicit%>
<% dim referrer, domain, allowedDomains, allow
referrer = Request.ServerVariables("HTTP_REFERER")
allowedDomains = Array("localhost", "127.0.0.1") 'put any allowed referrers in here
allow = false
for each domain in allowedDomains
    if StrComp(domain, Left(referrer, Len(domain))) = 0 then allow = true
next

if allow = true then 
   response.redirect("enterpage.asp")
else
   response.write("access denied!")
end if
%>

rsynnott

Bear in mind that some "personal internet security" apps filter out referrers (just 'cause w3c can't spell doesn't mean I won't), on their hyper-paranoid modes. It might be an idea to have a note on the page to disable such things if the user is having trouble. And note that referrers are easily spoofable.

str8_away

azzeretti wrote:

Seamus,
Thanks for the reply. I have spent a while looking at Google, the problem is that my referral URL is dynamic i.e instead of

If refURL = http://myaddress.com
then enter

I will need a way to code
If refURL like http://myaddress%
then enter

The address the users will be coming from will also concatinate a dynamic session id to the end of the string, making the referral address different everytime!

If you are sure tha part of URL is going to be "http://myaddress" then you could use "left" or "mid" string function.

First you get the referrer URL then compair it to your string

referrer = Request.ServerVariables("HTTP_REFERER")
if strcomp(left(referrer,16 ), "http://myaddress", vbTextCompare) then
  'Do what you like to do
end if