I have a web control panel with links to sensitive information (like credit card numbers). When the user (who logged in before) clicks on one of these links, I need to check his credentials.

How can I make sure on the server side, when he requests "/sensitive-informations.aspx", that he just entered his credentials?

EDIT: the main problem here is the "he just entered his credentials" part; I need to make sure that he comes DIRECTLY from the login page.

remi bourgarel
  • 9,231
  • 4
  • 40
  • 73

2 Answers

1

There are a few ways to do this. For instance, after the user enters his credentials, save them in the Session object.

Then, in the Page_Load of sensitive-informations.aspx make sure the Session object exists.

To better illustrate this:

In your login.aspx.cs page:

protected void btnLogin_Click(object sender, EventArgs e)
{
   // CHECK USERNAME and PASSWORD (txtUserName / txtPassword are TextBox controls on login.aspx)
   string user = txtUserName.Text;
   bool userIsAuthenticated = Membership.ValidateUser(user, txtPassword.Text);
   if (userIsAuthenticated)
   {
      // Session lives on the server, so the client cannot set this value itself
      Session["UserName"] = user;
   }
}

Then in your sensitive-informations.aspx.cs

protected void Page_Load(object sender, EventArgs e)
{
    // If UserName doesn't exist in Session, don't allow access to page
    if (Session["UserName"] == null)
    {
       Response.Redirect("INVALID_USER.aspx");
    }
}

Edit:

Based on OPs comments, if you want to know which page you came from, you can either use: Page.PreviousPage like this:

    protected void Page_Load(object sender, EventArgs e)
    {
        // PreviousPage is only set after a cross-page postback or Server.Transfer; otherwise it is null
        Page x = this.Page.PreviousPage;
        if (x != null)
        {
            // x.AppRelativeVirtualPath is the page that transferred control here
        }
    }

Or use Request.UrlReferrer like this:

    protected void Page_Load(object sender, EventArgs e)
    {
        // UrlReferrer is null when the browser (or a proxy/antivirus) omits the Referer header
        Uri x = Request.UrlReferrer;
        if (x != null)
        {
            // x.AbsolutePath is the path the browser claims it came from
        }
    }

In both cases make sure x isn't null first...

Blachshma
  • 17,097
  • 4
  • 58
  • 72
  • I know how to restrict access to a page, but what I need to make sure is that the user comes directly from the login page. – remi bourgarel Feb 19 '13 at 10:02
  • As I said to Andy, we first thought about this solution, but some antivirus software takes off the referer and we can't have a few users (even 0.1%) unable to see this page. – remi bourgarel Feb 19 '13 at 10:18
  • @remibourgarel If you use `Server.Transfer` after he enters the credentials, you will always have the Page.PreviousPage – Blachshma Feb 19 '13 at 10:21
  • The problem with your solution is that I have to change the behavior of my login page and I can't change my login page "Response.Redirect(originUrl)" because that'll put my whole system under the "/login.aspx" url (Server.Transfer happens on the server side, not the browser) – remi bourgarel Feb 19 '13 at 13:38
  • Either you're not explaining yourself clearly or you're not sure *what* you want exactly... You yourself said that any Response.Redirect / href link etc. will *not work* due to some Antivirus program running. So you don't really have any other choice but to use `Server.Transfer` since you're saying you can't use anything which is based on the client side... The only other tip I can give you is to store in the Session *which page the user last requested* and then you can know from where he came to that page... – Blachshma Feb 19 '13 at 13:48
  • Response.Redirect is not the problem, the problem with your solution is trusting the referer – remi bourgarel Feb 19 '13 at 15:09
0

You can check the UrlReferrer in the Page_Load event of sensitive-informations.aspx:

if (Request.UrlReferrer != null)
{
     if (Request.UrlReferrer.AbsolutePath.ToLower().Contains("your-login-page"))
     {
        //User came from the login page
     }
}

UPDATE: Based on your comment, you should check the LastLoginDate property of the MembershipUser class.

This will give you the, well, last login date of the current user. You can compare that with the current date/time to make sure that the user "just entered their credentials". Couple this with checking where the user came from (either with Request.UrlReferrer or Page.PreviousPage).

Andy Refuerzo
  • 3,312
  • 1
  • 31
  • 38
  • We first thought of it, but some antivirus software takes off the referer and we can't have a few users (even 0.1%) unable to see this page. – remi bourgarel Feb 19 '13 at 10:17
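The following is an added example, not code from the question or from either answer. It combines the first answer's Session idea with the second answer's LastLoginDate suggestion into a server-side freshness check that does not depend on the Referer header at all, which is the part of the referer-based approach the asker could not rely on. The class name StepUpAuth, the Session key, the 2-minute window and the txtUserName/txtPassword controls are assumptions made for this example.

```csharp
// Added example (not from the question or answers): enforce "the user just entered
// their credentials" for a sensitive ASP.NET Web Forms page without trusting Referer.
// The login page records a server-side timestamp; the sensitive page requires it to be
// recent. Names, the window and the control names are assumptions for this example.
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;
using System.Web.UI;

public static class StepUpAuth
{
    // Maximum age of the last credential entry accepted by the sensitive page (assumed value).
    public static readonly TimeSpan ReAuthWindow = TimeSpan.FromMinutes(2);
    private const string ReAuthKey = "ReAuthAtUtc";

    // Call only after credentials have been verified. Session state lives on the server,
    // so a client cannot set this value by crafting a request or a header.
    public static void RecordReAuth(HttpSessionState session)
    {
        session[ReAuthKey] = DateTime.UtcNow;
    }

    // True when credentials were entered within ReAuthWindow. With consume = true the
    // timestamp is cleared, so each visit to the sensitive page needs a fresh login.
    public static bool IsFreshlyAuthenticated(HttpSessionState session, DateTime nowUtc, bool consume)
    {
        DateTime? at = session[ReAuthKey] as DateTime?;
        if (!at.HasValue) return false;
        bool fresh = nowUtc >= at.Value && nowUtc - at.Value <= ReAuthWindow;
        if (consume) session.Remove(ReAuthKey);
        return fresh;
    }

    // Variant from the second answer: the membership store's LastLoginDate, which
    // SqlMembershipProvider updates whenever Membership.ValidateUser succeeds.
    public static bool IsFreshlyAuthenticated(MembershipUser user, DateTime nowUtc)
    {
        if (user == null) return false;
        DateTime last = user.LastLoginDate.ToUniversalTime();
        return nowUtc >= last && nowUtc - last <= ReAuthWindow;
    }
}

// login.aspx.cs (assumed: TextBox controls txtUserName and txtPassword on login.aspx)
public partial class Login : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        if (!Membership.ValidateUser(txtUserName.Text, txtPassword.Text))
        {
            return; // show one generic "invalid credentials" message for either failure
        }
        StepUpAuth.RecordReAuth(Session);
        // Issues the forms-auth cookie and redirects to ReturnUrl (or the default page).
        FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
    }
}

// sensitive-informations.aspx.cs
public partial class SensitiveInformations : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        bool fresh = User.Identity.IsAuthenticated
                     && StepUpAuth.IsFreshlyAuthenticated(Session, DateTime.UtcNow, consume: true);
        if (!fresh)
        {
            // Bounce through the login page and come straight back here afterwards.
            // Request.RawUrl is site-relative, so the ReturnUrl we build cannot point off-site.
            string loginUrl = FormsAuthentication.LoginUrl
                              + "?ReturnUrl=" + HttpUtility.UrlEncode(Request.RawUrl);
            Response.Redirect(loginUrl, false);
            Context.ApplicationInstance.CompleteRequest();
            return;
        }
        // ... render the sensitive data here ...
    }
}
```

The check lives entirely in server-side state, so a stripped or spoofed Referer changes nothing: a user with a missing Referer is simply sent through the login page and back. Two things worth keeping in mind if you adopt this: validate that any ReturnUrl you honour is a relative path on your own site (the example only ever builds one from Request.RawUrl), and, since the timestamp is held in Session, regenerate the session identifier on login so a pre-login session id cannot be reused.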