[RESOLVED] [2008] Getting Reffer Question (asp.net 3.5)

[max_carpenter]

Good Afternoon,

I am not sure of the best way to do this or how so you may have suggestions as well as help. We have basically created an asp.net application that needs to be protected but we don't want yet another logon for it.

We have put a link to the asp.net application with in the Microsoft Exchange Outlook Web Access site to go straight to the application so once they have logged on to our OWA website they can open the web application straight up but in order to protect it we need to prevent it opening from direct link or any other location. My initial thought was when the web application is opened up to check the reffer link and if it was the correct one allow access and if not redirect them to the Outlook Web Access logon page.

Is there a better way if not how would we be able to go about this. I have done some research online and I have found this bit of code I am not actually doing this myself its for my collegue and I never used any code like this so don't even know if it will work:

newWindow = window.open("","")
if (newWindow!= null)
newWindow.document.write("Some HTML")
//newWindow.focus() This line added by me, untested

(note when it says this line added by me thats not me thats the person else where on the net I got the example from.

Regards,
Max

[mendhak]

The REFERER would work but you need a more robust solution. If your ASP.NET application is in the same domain as the the OWA, then you can read the cookies that OWA creates upon login and that can serve as a partial security measure.

Assuming though that the OWA uses the user's domain credentials, then you should probably place Windows Authentication on the virtual directory of the ASP.NET application and have the user login with their credentials.

[max_carpenter]

Thanks for your reply,

What we are hosting on this second app is not top security its just better of being protected and I described what you said to my collegue and he believes its alot of work for what we need he has now managed to get it working instead of either solution he has used a Session ID thats being set from OWA and passed over to the Other app which reads the Session ID and if its not a certain value pushes the user back to the OWA login screen.

Thanks for you comment it was intresting and I will certainly save that for future reference if something like this crops up again.

Regards,
Max

[mendhak]

No problem, I'll see you then