One of our ASP web apps has a button that generates an expiring link to a form. We have noticed that anyone with said link can view the form. I am researching a way to have the end-user be checked for authorization when the link is opened up. Ask them for their username/password before they can view the link.

My sub that generates the link:

```vb
' Code-behind; needs Imports System.Data and Imports System.Data.SqlClient at the top of the file.
Protected Sub ButtonLink_Click(sender As Object, e As EventArgs)

    Dim strSQL As String = ""
    Dim wapguid As String = ""
    Dim cmd As New SqlCommand

    ' Random identifier for this link (32 hex characters, no dashes)
    wapguid = System.Guid.NewGuid().ToString("N")

    ' Record the link, its expiry and who generated it
    strSQL = "INSERT INTO [WapCustomerAccess] (wapid, wapguid, expires, generatedBy) values (@wapid, @wapguid, @expires, @generatedBy)"

    cmd.CommandType = CommandType.Text
    cmd.CommandText = strSQL

    ' Parameter names must match the placeholders in the SQL text
    cmd.Parameters.AddWithValue("@wapid", WAPID)
    cmd.Parameters.AddWithValue("@wapguid", wapguid)
    cmd.Parameters.AddWithValue("@generatedBy", Session.Item("UserFullName"))
    cmd.Parameters.AddWithValue("@expires", Date.Now.AddDays(31).ToString)

    Dim strConnString As String = System.Configuration.ConfigurationManager.ConnectionStrings("cnnCFHSWAP").ConnectionString
    Dim con As New SqlConnection(strConnString)
    cmd.Connection = con

    Try
        con.Open()
        cmd.ExecuteNonQuery()
    Catch ex As Exception
        Response.Write(ex.Message & "<br />")
    Finally
        con.Close()
        con.Dispose()
    End Try

    ' Show the generated link in a read-only text box
    Dim t As New TextBox()
    t.Text = "http://wap-test.cfhs.local/secure/waplink.aspx?SSL=true&hash=" & WAPID & "&guid=" & wapguid & "&expires=45&suid=05A2FF&salt=x00FF&enc=true"
    t.ID = "txtLink"
    t.Width = 800
    t.ReadOnly = True
    t.BackColor = Drawing.Color.SeaShell

    PanelLink.Visible = True
    PanelLink.Controls.AddAt(0, t)
    PanelLink.Controls.Add(New LiteralControl("<br />"))

End Sub
```

Chris
  • When I go to a page but need to log in, I get a URL like this: `https://mywebsite.com/log-in.aspx?ReturnUrl=%2fadmin%2f`. Try something like that. Send to the login page with the query string you create for that user. (?) – wazz Aug 23 '19 at 05:59

1 Answer

You will need to restrict access to waplink.aspx in the app that is referred to in your generated links. Depending on that app, you will find suitable tutorials for setting up authentication/authorization, like [1].

[1] https://weblogs.asp.net/gurusarkar/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config

user7217806
  • Ah ok, I see. I am now trying to figure out how to restrict access to the folder (called "private") that contains waplink.aspx and require all users to enter their username and password to open it. I tried to do so in Web.config with location path="private", which did not work. – Chris Aug 28 '19 at 20:48
  • Is general authorization already set up in the app? Did you try the tips [here](https://stackoverflow.com/questions/3776847/how-to-restrict-folder-access-in-asp-net)? – user7217806 Aug 28 '19 at 21:35
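
A root Web.config for the restriction this answer and its comments discuss, added here as an example (it is not code from the question, the answer, or the linked pages). It assumes Forms authentication, a hypothetical login page at `~/Login.aspx`, and the folder name "private" from the comment above; adjust all three to the app.

```xml
<?xml version="1.0"?>
<!-- Root Web.config of the application (assumed layout; example only). -->
<configuration>
  <system.web>
    <!-- A deny rule for anonymous users needs an authentication mode that can
         challenge them. Forms mode is an assumption, not the app's known setup. -->
    <authentication mode="Forms">
      <!-- loginUrl is a hypothetical page name -->
      <forms loginUrl="~/Login.aspx" timeout="30" />
    </authentication>
  </system.web>

  <!-- <location> is a direct child of <configuration>, not of <system.web>.
       path is relative to the application root, with no leading "/" or "~/".
       To protect only the one page, use path="private/waplink.aspx". -->
  <location path="private">
    <system.web>
      <authorization>
        <!-- "?" means anonymous users. They are redirected to loginUrl with
             ReturnUrl set to the requested waplink.aspx URL, query string
             included, and sent back there after signing in. -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Signing in only identifies the visitor; whether that user may open a given guid, and whether the row's expires value has passed, is a separate check for waplink.aspx to make against WapCustomerAccess.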