-
Jun 21st, 2002, 12:03 AM
#1
Thread Starter
Hyperactive Member
ASP AddressBar
Hi
I have been trying to find a good solution, but I couldn't find one.
My problem is that I have developed an application using ASP.
It has a softmenu page for all forms (main menu page). If the user
goes to a form by way of the softmenu, it works fine. But the thing is,
once he knows the file names, he can directly enter the name in the address bar,
and then the form will work with errors.
How do I control this? The user should never get a chance to enter the form
by entering the file name. I hope someone has a solution.
Please help me.
-
Jun 21st, 2002, 10:36 AM
#2
Black Cat
A malicious user can request known or random resources from your server - there's really not much you can do about it.
Josh
Get these: Mozilla Opera OpenBSD
I have books for sale: "MCSD in a Nutshell" and "VB Distributed Exam Cram" - PM me for details. Will also trade for a decent ATX Pentium 2 MB/CPU/RAM combo.
-
Jun 25th, 2002, 01:05 AM
#3
New Member
Not much? How about checking for referrer or session? I suggest the former;
Code:
If Request.ServerVariables("HTTP_REFERER") = "your page" Then
    ' spit out page / code
Else
    Response.Write "Access Denied"
End If
-
Jun 25th, 2002, 10:28 AM
#4
Black Cat
Originally posted by raymo
Not much? How about checking for referrer or session? I suggest the former;
Code:
If Request.ServerVariables("HTTP_REFERER") = "your page" Then
    ' spit out page / code
Else
    Response.Write "Access Denied"
End If
This is trivial to get around...
Josh
-
Jun 25th, 2002, 10:26 PM
#5
New Member
True, but it's a good start. However, what malicious user would want to enter the filename directly when they will be denied (assuming your page already has authentication code...)?
-
Jun 25th, 2002, 11:23 PM
#6
Thread Starter
Hyperactive Member
I have used
Code:
window.location.href="page.asp";
in many of my pages, which redirects to the same page.
So in this case,
Request.ServerVariables("HTTP_REFERER") returns nothing.
So I can't use Request.ServerVariables("HTTP_REFERER") either.
Please help.
-
Jun 26th, 2002, 12:37 AM
#7
New Member
need more info
I don't understand what you're trying to accomplish.
Why do you have a redirect to the same page?
-
Jun 26th, 2002, 11:51 PM
#8
Thread Starter
Hyperactive Member
My ASP file has some calculations, so I need to refresh the
page to get the values from the database on click of the Calculate button.
In this case I will be getting the
Response.Write "Access Denied" statement.
How do I do this?
-
Jun 26th, 2002, 11:55 PM
#9
New Member
Okay, please post all relevant code so we can help you.
-
Jul 8th, 2002, 05:01 AM
#10
Thread Starter
Hyperactive Member
Here is my Code
--------------frmMain.asp-----------------
<%@ Language=VBScript %>
<HTML>
<HEAD>
<META NAME="GENERATOR" Content="Microsoft Visual Studio 6.0">
<SCRIPT LANGUAGE=javascript>
<!--
// Point the menu form at the chosen page and submit it.
function GoForm(fileName)
{
    document.frmMain.action = fileName;
    document.frmMain.submit();
}
//-->
</SCRIPT>
</HEAD>
<BODY>
<form name="frmMain">
<Input type="button" name="form1" OnClick="GoForm('frmPostings.asp')">
<Input type="button" name="form2" OnClick="GoForm('frmForm2.asp')">
<Input type="button" name="form3" OnClick="GoForm('frmForm3.asp')">
<Input type="button" name="form4" OnClick="GoForm('frmForm4.asp')">
</form>
</BODY>
</HTML>
--------------frmPostings.asp-----------------
<%@ Language=VBScript %>
<%
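Set Conn=server.CreateObject("Adodb.Connection")
Conn.Open Session("ConStr")
If Request.Form("OnLoadStatus")="Sorting" Then
    ' Map the posted value onto a fixed column name; it is never concatenated into the SQL.
    Select Case CStr(Request.Form("cboSort"))
        Case "Name"
            SortCol="Name"
        Case "CardNo"
            SortCol="CardNo"
        Case Else
            SortCol="ID"
    End Select
    Sql="Select * from MyTable Order By " & SortCol
Else
    Sql="Select * from MyTable"
End if
Set Rs=server.CreateObject("Adodb.Recordset")
rs.Open Sql,conn
OnLoadSt=Request.Form("onLoadStatus")
' Here I will get the status of the form: Inserting or Editing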
%>
<HTML>
<HEAD>
<META NAME="GENERATOR" Content="Microsoft Visual Studio 6.0">
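<SCRIPT LANGUAGE=javascript>
// Encode the posted value before echoing it into the page.
MyLoadSt="<%=Server.HTMLEncode(OnLoadSt & "")%>"
<!--
// Mark the request as a sort and post the form back to this page.
function goClick()
{
    document.frmPost.OnLoadStatus.value="Sorting";
    document.frmPost.action="frmPostings.asp";
    document.frmPost.submit();
}
//-->
</SCRIPT>
</HEAD>
<BODY OnLoad="DefaultStatus()">
<form name="frmPost" method="post">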
<%
Response.Write "<Table>"
Do while Not Rs.eof
    Response.Write "<tr>"
    Response.Write "<td>" & rs.Fields(0) & "</td>"
    Response.Write "<td>" & rs.Fields(1) & "</td>"
    Response.Write "<td>" & rs.Fields(2) & "</td>"
    ' .....
    Response.Write "</tr>"
    ' Advance the cursor, otherwise the loop never ends.
    Rs.MoveNext
Loop
Response.Write "</Table>"
%>
<select name="cboSort" size="1">
<option value="ID">Id </option>
<option value="Name">Name</option>
<option value="CardNo">CardNo</option>
</select>
<input type="Button" name="btnGo" value="Go" OnClick="goClick()">
<input type="Hidden" name="OnLoadStatus">
</form>
</BODY>
</HTML>
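A server-side alternative to the Referer check discussed in this thread, as an added example that is not code from any poster: the menu issues a session-bound token, and each form page accepts only a logged-in POST that carries it, so a file name typed into the address bar (a tokenless GET) is sent back to the menu while the sort self-submit still passes. The block shows fragments of three files; inc_gate.asp, login.asp, Session("UserID"), Session("NavToken") and the NavToken field are assumed names, and authorization still rests on the session login check, since the token only shows the request came from a served page.

```asp
<%
' inc_gate.asp (hypothetical include, added example)

' Called by frmMain.asp: create the per-session token the forms must echo back.
Function IssueNavToken()
    Dim tl
    ' Scriptlet.TypeLib ships with Windows Script; its Guid looks like "{8-4-4-4-12}".
    Set tl = Server.CreateObject("Scriptlet.TypeLib")
    Session("NavToken") = Mid(tl.Guid, 2, 36)
    Set tl = Nothing
    IssueNavToken = Session("NavToken")
End Function

' Called first thing in every form page, before output or database work.
Sub RequireMenuEntry()
    Dim sent, expected
    ' Assumption: login.asp stores the signed-in user's id in Session("UserID").
    If IsEmpty(Session("UserID")) Then Response.Redirect "login.asp"
    sent = CStr(Request.Form("NavToken"))
    expected = CStr(Session("NavToken"))
    ' An address-bar request is a GET with no form body, so it carries no token.
    If Request.ServerVariables("REQUEST_METHOD") <> "POST" _
       Or Len(expected) = 0 Or sent <> expected Then
        Response.Redirect "frmMain.asp"
    End If
End Sub
%>

<!-- frmMain.asp: the menu posts the token to whichever form is chosen -->
<!--#include file="inc_gate.asp"-->
<form name="frmMain" method="post">
<input type="hidden" name="NavToken" value="<%= IssueNavToken() %>">
<input type="button" value="Postings" onclick="GoForm('frmPostings.asp')">
</form>

<!-- frmPostings.asp: gate first, then re-embed the token for the sort submit -->
<!--#include file="inc_gate.asp"-->
<% RequireMenuEntry %>
<form name="frmPost" method="post" action="frmPostings.asp">
<input type="hidden" name="NavToken" value="<%= Server.HTMLEncode(Session("NavToken")) %>">
<input type="hidden" name="OnLoadStatus">
</form>
```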