URL tampering - prevent unauthorized page.


Problem description





Hi,

How do I prevent the user from changing the file name in the URL?

For example,

The user shall access only http://10.120.10.67/Login.aspx (by default).
But he should not access other pages which are not authorized pages.

How do I restrict this in an aspx page?

What I have tried:

The user shall access only http://10.120.10.67/Login.aspx (by default).

Recommended answer

The whole idea is wrong. Security is not done by preventing the user from changing any URL. It's not under your control; the user, by definition, can enter any thinkable URL and send any HTTP request with that URL, even a request which cannot be sent based on any of your pages — and you should always assume that any HTTP request is possible, without any limitations.

The security starts when your code behind (in your case, ASP.NET code) handles an HTTP request. Then you have to detect that the user is not authenticated and generate appropriate page content, for example, the page redirecting to your Login page. This is just one of the fundamentals of authentication. If the user is authenticated, the content of other pages may depend on the user's record.

You can start here: ASP.NET Authentication.
See also: HttpRequest.IsAuthenticated Property (System.Web).

—SA


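' Requires: Imports System.Security.Principal
' Role names stored in the session under the key Accesstype
Dim roles As String() = DirectCast(Session(Accesstype), String())
' Attach those roles to the current user's identity
HttpContext.Current.User = New GenericPrincipal(HttpContext.Current.User.Identity, roles)
' Send anyone who lacks the ADM role to the unauthorized page
If Not (Me.Page.User.IsInRole("ADM")) Then
    Response.Redirect("UnAuthorizedAccess.aspx")
End If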
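
Both answers above come down to a server-side check on every request. The following is an added example, not code from the original thread: a base page class that performs the authentication check and then the role check before any page content runs. It assumes ASP.NET Forms Authentication is enabled (so that Request.IsAuthenticated reflects the login) and that the role array is stored in the session under the key "Accesstype"; the class names ProtectedPage and AdminReports are hypothetical.

```vbnet
' Added example: protected pages inherit from this class; Login.aspx does not.
Imports System
Imports System.Security.Principal
Imports System.Web.UI

Public MustInherit Class ProtectedPage
    Inherits Page

    ' Assumption: at login the application stored the user's role names
    ' (a String array) in the session under this key.
    Private Const RolesSessionKey As String = "Accesstype"

    ' Pages override this to demand a role, e.g. "ADM".
    ' Nothing means any authenticated user may view the page.
    Protected Overridable ReadOnly Property RequiredRole As String
        Get
            Return Nothing
        End Get
    End Property

    Protected Overrides Sub OnInit(e As EventArgs)
        ' 1. Authentication: the URL may have been typed by someone not logged in.
        If Not Request.IsAuthenticated Then
            ' endResponse = True stops processing, so no page content is rendered.
            Response.Redirect("~/Login.aspx", True)
        End If

        ' 2. Authorization: fail closed if the role list is missing.
        Dim roles As String() = TryCast(Session(RolesSessionKey), String())
        If roles Is Nothing Then roles = New String() {}
        Context.User = New GenericPrincipal(Context.User.Identity, roles)

        If RequiredRole IsNot Nothing AndAlso Not User.IsInRole(RequiredRole) Then
            Response.Redirect("~/UnAuthorizedAccess.aspx", True)
        End If

        MyBase.OnInit(e)
    End Sub
End Class

' Code-behind of an admin-only page (hypothetical name AdminReports):
Public Class AdminReports
    Inherits ProtectedPage
    Protected Overrides ReadOnly Property RequiredRole As String
        Get
            Return "ADM"
        End Get
    End Property
End Class
```

Because the check lives in the base class, a page cannot be left unprotected by forgetting to paste the role check into its code-behind; it is unprotected only if it does not inherit from the base class.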

