1

I have a solution where one page requests the HTML from another page to build a PDF for download. How can I restrict direct browsing to the PDF page when login Session variables are not accessible? Basically, I want pdf.aspx to only be accessible by the server.

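    private void DownloadPDF(string param)
    {
        // Escape the value so it cannot add or alter query-string parameters
        byte[] bytes = PDFCreator.CreateFromURL("pdf.aspx?parameter=" + System.Uri.EscapeDataString(param));
        // download bytes
    }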
Skalis

3 Answers

2

In your web.config restrict access to all users for the pdf.aspx page, like this:

    <location path="pdf.aspx">
        <system.web>
            <authorization>
                <deny users="*"/> <!-- deny all users -->
            </authorization>
        </system.web>
    </location>
Karl Anderson
0

If you're not using Authorization you can keep users from finding the page via search engines etc. with this: http://www.robotstxt.org/faq/prevent.html

And I typically just use a redirect:

    if (condition) { Response.Redirect("http://www.microsoft.com/gohere/look.htm"); }
id.ot
  • Thx, but it would not protect the page from users that know the url :) – Skalis Dec 11 '13 at 15:54
  • The redirect will take care of that. – id.ot Dec 11 '13 at 15:55
  • But I don't have access to any conditions(?) as I don't have access to any Session variables. – Skalis Dec 11 '13 at 15:57
  • The "condition" is conditional. Omit the condition if necessary, e.g., `Response.Redirect("http://www.microsoft.com/gohere/look.htm");` in your code-behind (.aspx.cs). – id.ot Dec 11 '13 at 15:59
  • Also, you can access session variables from any page or control using `Session["loginId"]` and from any class (e.g. from inside a class library), using `System.Web.HttpContext.Current.Session["loginId"]`. (Taken from this stackO question (http://stackoverflow.com/questions/621549/how-to-access-session-variables-from-any-class-in-asp-net).) – id.ot Dec 11 '13 at 16:01
  • System.Web.HttpContext.Current.Session["mySessionVar"] from pdf.aspx returns null :( Probably has something to do with the 3rd party PDF-component. – Skalis Dec 11 '13 at 16:08
  • Hmmm, that's odd. Not to be dismissive, but that sounds like starting another StackOverflow question might help with that. – id.ot Dec 11 '13 at 16:47
0

Well, first, I'm not sure why the PDF creator must be another page. It could be a class that returns the bytes of the PDF and could be invoked depending on whether the user is logged in:

    private void DownloadPDF(string param)
    {
        if (!System.Web.HttpContext.Current.User.Identity.IsAuthenticated) return;
        // Call the class to create the pdf and download
        // download bytes
    }

But the way you can deny access is by putting this in your web.config:

    <location path="Pdf.aspx">
        <system.web>
            <authorization>
                <deny users="*"/>
            </authorization>
        </system.web>
    </location>

But you can't access it with Response.Redirect; you must use Server.Transfer. I hope this helps you.

Cesar Loachamin
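
An added example, not taken from the question or any answer above: one way to let pdf.aspx tell a server-initiated request from direct browsing without Session, by having the calling page attach a short-lived HMAC-signed token that pdf.aspx verifies. It assumes the PDF component fetches pdf.aspx with its own HTTP request that carries no login cookie and that both pages run in the same application; the class name `PdfRequestToken`, its members and the 30-second lifetime are hypothetical.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public static class PdfRequestToken
{
    // Assumption: single-server app, so a random per-process key is enough.
    // A web farm would load one shared key from protected configuration instead.
    private static readonly byte[] Key = CreateKey();
    private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(30);

    private static byte[] CreateKey()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }

    // Called by the page that owns the login session, just before it requests pdf.aspx.
    public static string Create(string parameter, DateTime utcNow)
    {
        long expires = utcNow.Add(Lifetime).Ticks;
        return expires.ToString(CultureInfo.InvariantCulture) + "." + Sign(parameter, expires);
    }

    // Called first thing in pdf.aspx; on false the page should end the request.
    public static bool IsValid(string parameter, string token, DateTime utcNow)
    {
        if (parameter == null || token == null) return false;
        int dot = token.IndexOf('.');
        if (dot <= 0 || !long.TryParse(token.Substring(0, dot), NumberStyles.None,
                CultureInfo.InvariantCulture, out long expires)) return false;
        if (utcNow.Ticks > expires) return false;            // token has expired
        string expected = Sign(parameter, expires), actual = token.Substring(dot + 1);
        int diff = expected.Length ^ actual.Length;          // constant-time comparison
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    // The MAC covers the expiry and the parameter, so neither can be altered.
    private static string Sign(string parameter, long expires)
    {
        string message = expires.ToString(CultureInfo.InvariantCulture) + "|" + parameter;
        using (var hmac = new HMACSHA256(Key))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(message))).Replace("-", "");
    }
}
```

In `DownloadPDF`, append `&token=` plus `PdfRequestToken.Create(param, DateTime.UtcNow)` to the URL, and in the `Page_Load` of pdf.aspx respond with 403 unless `PdfRequestToken.IsValid(Request.QueryString["parameter"], Request.QueryString["token"], DateTime.UtcNow)` returns true. The query-string name `token` is an assumption, and a token can be reused by anyone who sees the URL until it expires, so keep the lifetime short.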