
My website is hosted on a shared Windows server, so I can't create Windows scheduled tasks. But I can create some CRON jobs that can call scripts/pages like MVC actions. But I don't want them to be called by anyone.

How can I forbid calls to the action URL by everyone except my server?

UPDATE: I guess that combining Erik Funkenbusch's and Allen King's answers could do the trick (testing if Request.IsLocal + passing a "password" parameter).

bob

3 Answers


For convenience, just make your functions private or use action filtering.

Hiệp Lê

What you want is to create a special route for your special URLs, preferably in their own controller or area, so you can simply put everything that needs to be secured in one place and use one route.

One simple way is to create a custom AuthorizeAttribute that just tests the Request.IsLocal property, then you decorate the method or controller with that attribute. Do something like this:

Custom Attributes on ActionResult

But use Request.IsLocal instead.

Another way is to use a RouteConstraint for custom URLs, but that can be a bit more complex to implement.

Erik Funkenbusch
  • I did not think of Request.IsLocal. It could do the trick. But as I said, I'm on a shared server. Will other websites on the same server be able to pass the Request.IsLocal test? – bob Aug 07 '14 at 15:23
  • Request.IsLocal checks if the request is from 127.0.0.x. So I guess any site hosted on the same server would pass the test. – Allen King Aug 07 '14 at 15:26
  • @bob - My guess is that your cron service is not coming from your site, so there would be no way to differentiate it from a request from a different site on the same computer. – Erik Funkenbusch Aug 07 '14 at 15:34
  • @ErikFunkenbusch - I could differentiate the request by testing the "password" parameter only known by me – bob Aug 07 '14 at 15:37
  • @bob - Except that if the cronfile is not secure, anyone with access to the server can look at it and see the password – Erik Funkenbusch Aug 07 '14 at 15:37

One dirty trick could be to pass a parameter and compare with something fixed. Outside callers wouldn't know the value.

Something like this (VB):

function myAction(byval key as string, .....) as actionresult
    if key <> "<something only i know>" then return nothing  ' this could be the very first line

    ' this "something only you know" can be stored in Web.config and read using AppSettings
    ' so you don't need to hardcode anything in the code
end function

Easiest possible solution.

If you don't want to use a hardcoded key in the code or in Web.config, you can also generate a random number when the session starts and cache that random number. Pass that random number in the key and, in the first line, instead of checking for a hardcoded value, read from the cache (could be httpSession) in myAction and compare. This way there is no danger of the key leaking to the public. Just so someone doesn't run a counter to call the function, you can prefix the generated random number with some text such as "XTT-".

Allen King
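The combination mentioned in the question's update (Request.IsLocal plus a secret parameter), as an added example that is not code from any of the posters. It is written in C# for ASP.NET MVC; the attribute name `CronOnlyAttribute`, the `CronKey` appSettings entry and the action name are assumptions, and the `key` parameter name follows the VB snippet above.

```csharp
using System;
using System.Configuration;
using System.Text;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute: allows a request only if it is local AND carries the shared key.
// Usage (hypothetical action):  [CronOnly] public ActionResult RunNightlyJob() { ... }
public sealed class CronOnlyAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        // Check 1: request originates from this machine. On a shared server
        // other tenants can pass this check too, so it is not sufficient alone.
        if (!httpContext.Request.IsLocal) return false;

        // Check 2: shared secret from Web.config (assumed key name "CronKey").
        // Fail closed when the setting is missing or empty.
        string expected = ConfigurationManager.AppSettings["CronKey"];
        if (string.IsNullOrEmpty(expected)) return false;

        string supplied = httpContext.Request.QueryString["key"] ?? string.Empty;
        return FixedTimeEquals(Encoding.UTF8.GetBytes(supplied),
                               Encoding.UTF8.GetBytes(expected));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Answer 404 rather than the default 401/login redirect, so the
        // endpoint does not reveal that it exists and expects credentials.
        filterContext.Result = new HttpNotFoundResult();
    }

    // Comparison whose running time does not depend on where the first
    // mismatching byte is. 'expected' is non-empty (checked by the caller).
    private static bool FixedTimeEquals(byte[] supplied, byte[] expected)
    {
        int diff = supplied.Length ^ expected.Length;
        for (int i = 0; i < supplied.Length; i++)
            diff |= supplied[i] ^ expected[i % expected.Length];
        return diff == 0;
    }
}
```

A key sent in the query string is written to the IIS request log by default, so treat those logs as sensitive and rotate the key if they are exposed.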