5

I have a group of IP addresses.

After deploying my application, I want to only be able to access my application from a particular IP address.

How can I achieve this using the Global.asax (not through IIS)?

Nathan
  • 6,095
  • 2
  • 35
  • 61
Nithin Viswanathan
  • 3,245
  • 7
  • 39
  • 84

3 Answers

2

This is a good starting point for you

(especially as it's separated nicely into a HttpModule for subsequent re-use)

Nathan
  • 6,095
  • 2
  • 35
  • 61
0

In the Session start event handler:

Say you have an array of blocked IPs, i.e.:

' Addresses to block (values elided in the original)
Dim bArr() As String = {"198.122.xxx.xx", "xxx.xxx.xx.xxx"} ' etc.

' Use the forwarded address when the header is present, otherwise the direct peer address
Dim strIP As String = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
If strIP = "" Then strIP = Request.ServerVariables("REMOTE_ADDR")

For i As Integer = 0 To bArr.GetUpperBound(0)
  If strIP = bArr(i) Then
     Response.Redirect("Permissionsdenied.html")
  End If
Next
Varun
  • 373
  • 1
  • 2
  • 11
  • 1
    You don't mean session start... you want to check for every request, not just the first one in a session. – Nathan Apr 18 '13 at 10:45
  • 1
    Session_Start() – This event is raised each time a new session begins. This is a good place to put code that is session-specific. – Varun Apr 18 '13 at 10:52
  • You're right, that is where session-specific code should go, but this code shouldn't be session-specific: if I open a new browser and request page A from your website, then your code will fire... with the same browser, I then make the same request, and guess what... it will succeed the second time (which isn't what is desired) – Nathan Apr 18 '13 at 12:37
  • @Nathan: what happens if I add Session.Abandon(); in the if condition? – Varun Apr 18 '13 at 13:56
  • That would also provide the desired functionality, but with two drawbacks: A) you would introduce extra work for your server by making it set up and then tear down a session for every blocked request (especially if the session state mode is anything other than in-process). B) in the future if someone disabled session state for the site, this code would no longer be called and the person that made the config change would not realise. BeginRequest is the best place to put this, and as long as you cache the list of IPs in memory, it will not be much of a performance hit. – Nathan Apr 18 '13 at 14:02
0

I would start this way: in the BeginRequest event handler in your Global class, I would determine the client IP address following this answer: https://stackoverflow.com/a/9567439/559144

Then, if the connecting IP is not in the allowed list, I would redirect to another page, like an access denied page, a login page or the company / Google home page.

Community
  • 1
  • 1
Davide Piras
  • 43,984
  • 10
  • 98
  • 147
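
An added C# example, not code from any answer on this page: the allow-list check placed in Application_BeginRequest with the list held in memory, as the comments and the last answer suggest, answering 403 rather than redirecting. The addresses are constructed documentation values; the class name Global, the helper names and the TrustedProxies set are assumptions, and IsIPv4MappedToIPv6/MapToIPv4 assume .NET Framework 4.5 or later.

```csharp
// Global.asax.cs (added example; all addresses are constructed documentation values)
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Web;
public class Global : HttpApplication
{
    // Parsed once and kept in memory, so the per-request cost is a hash lookup.
    private static readonly HashSet<IPAddress> Allowed = Parse("203.0.113.10", "203.0.113.11");
    // Reverse proxies whose X-Forwarded-For header is trusted (leave empty to trust none).
    private static readonly HashSet<IPAddress> TrustedProxies = Parse("192.0.2.5");
    private static HashSet<IPAddress> Parse(params string[] items)
    {
        return new HashSet<IPAddress>(items.Select(s => IPAddress.Parse(s)));
    }
    private static IPAddress Normalize(IPAddress ip)
    {
        // ::ffff:203.0.113.10 and 203.0.113.10 must compare equal.
        return ip.IsIPv4MappedToIPv6 ? ip.MapToIPv4() : ip;
    }

    private static IPAddress ClientAddress(HttpRequest request)
    {
        IPAddress peer;
        if (!IPAddress.TryParse(request.UserHostAddress, out peer)) return null;
        peer = Normalize(peer);
        // The header is client-supplied, so honour it only when the TCP peer is our own
        // proxy, and take the right-most entry: the one that proxy appended.
        string xff = request.Headers["X-Forwarded-For"];
        if (TrustedProxies.Contains(peer) && !string.IsNullOrEmpty(xff))
        {
            IPAddress forwarded;
            if (!IPAddress.TryParse(xff.Split(',').Last().Trim(), out forwarded)) return null;
            return Normalize(forwarded);
        }
        return peer;
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        IPAddress client = ClientAddress(Request);
        if (client == null || !Allowed.Contains(client))
        {
            Response.StatusCode = 403;   // fail closed on unparseable or unlisted addresses
            CompleteRequest();           // skip the handler and go straight to EndRequest
        }
    }
}
```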