
I am hosting several IFrames on a 3rd party web site. The 3rd party site is the middle man to allow user access to a web site that is primarily for internal use by another company.

What I would like to do is verify the user's IP Address against a range of valid IPs for the 3rd party (middle man) web site. If it falls in the range, allow the user to access the IFrame; if not, ACCESS DENIED!

Anyway, there are a ton of examples online to get the Request.UserHostAddress, but this brings back my IP Address.

My question is: how do I get the IP Address of the user who is accessing the IFrame, to ensure the request is coming from the 3rd party site?

So far I have tried ServerVariables and UserHostAddress. They both return ::1. I am running the site that hosts the IFrames locally and accessing those through the 3rd party site which is hosted on a server.

UPDATE

I have finally gotten around to updating everyone. Trying to do this by code is not a viable solution. But, I believe there is a solution for this through authenticating the IP Address with IIS. In code without implementing a very hacky solution we will only be able to obtain the user's IP Address.

However, by using IIS you can verify the 3rd party's address. This post from SO demonstrates how to do it. The post does not fit my case, but it does show you how to authenticate IP ranges.

Direct different IP's to different pages on IIS7

If I am successful I will specify that this is a solution for my problem.

snowYetis
  • It is impossible to determine with 100% accuracy that an iFrame HTTP request is coming from a specific 3rd party site. These variables can be spoofed. – Brad M Jul 31 '13 at 15:28
  • When you say that it brings back your IP address isn't this what it should be doing when you test it? Or do you mean that even when you test it from other systems that it is always returning the same IP address? And if so what is that IP address? It could be a load balancer or proxy or something similar that is adding its own information... – Chris Jul 31 '13 at 15:30
  • Can you not use X-Frame-Options? https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options . This way you can ensure it's coming from the third party site? – Elixir Jul 31 '13 at 15:33
  • @Brad M Yes, they can be spoofed, but a requirement is a requirement. Do you have a better way of securing an IFrame? IFrames are no good to start with, but this is the only option in my case. – snowYetis Jul 31 '13 at 15:34
  • @Chris Hmm. Well I expect it to bring back my IP when I run it locally. However, when I have the IFrames running from my localhost and I go into the 3rd party site and access those IFrames I should get the 3rd party's IP Address, correct? – snowYetis Jul 31 '13 at 15:35
  • @Elixir Nice. Definitely something to consider. I still would like to figure this out. – snowYetis Jul 31 '13 at 15:38
  • Great! I'll keep seeing if I can find something which does what you want. I'm looking into alternatives as well. Also looking at this as a possible option. http://www.therealtimeweb.com/index.cfm/2012/10/18/iis7-restrict-by-ip – Elixir Jul 31 '13 at 15:48
  • Ok cool. I think this might be what you're looking for (untested) http://forums.asp.net/t/1767015.aspx/1 – Elixir Jul 31 '13 at 15:52
  • @Elixir I actually found that post before posting this question. When I use that code I receive ::1 for REMOTE_ADDR. I believe ::1 is my root address (127.0.0.1, or whatever root is). – snowYetis Jul 31 '13 at 16:38
  • @Elixir: not come across X-Frame-Options before. That's pretty cool. – Chris Jul 31 '13 at 17:37

1 Answer

I think you have the wrong idea of what should be happening.

As I understand it the situation is this:

You have Site A which has IFrames that have content from Site B in them. When you go to Site B directly, the IP address you get is that of your computer. What you are expecting is that when you go to Site A, the IP address that Site B receives will be that of Site A. This is incorrect.

When you view Site A you will download the page that contains the IFrame HTML, which tells the browser what content to put in that frame with a src="url" attribute. At this point your browser (i.e. on your computer) will request the content from Site B, and in doing so Site B will receive the IP of your computer again.

One thing that does what you want is the Referer header (https://en.wikipedia.org/wiki/HTTP_referer). This is a way for a request to say what page told you to access that page. For example, if you click a link on Page C to Page D, then Page D may receive a Referer header saying that Page C referred it. The important part of that is that it *may* send it. It is often considered a security risk (especially between domains), so it may not be sent in all cases, may be stripped by security tools, and, most importantly, can be faked, so it is not suitable for security purposes.

In general it is not easy, when serving a page, to determine that it is being embedded in a specific page's iframe.

The only way I can think of offhand to do this is, when generating the iframe and its src target, to embed some kind of cryptographically signed token that Site B can trust has been put there by Site A. The token would of course have to have some kind of expiry and similar things to prevent a malicious user getting unfettered access once they have a token, and some way to prevent replay attacks, etc.

In general the best bet would be to just use security on your Site B (e.g. username and password); if somebody unintended gets to see it, they don't have the password details, so they don't get anywhere.

Chris
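The signed-token scheme the answer sketches, written out as an added example; this is not code from the original post, from the asker's site, or from any project mentioned on the page. It assumes a secret shared out of band between Site A (the embedding site) and Site B (the framed content), an HMAC-SHA256 over `user|exp|nonce`, a 60-second token lifetime, and an in-memory nonce store on Site B that rejects replays. The secret, URLs and user names are constructed for the example; the same shape ports to the asker's ASP.NET site using System.Security.Cryptography.HMACSHA256.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed: a secret known only to Site A and Site B, delivered out of band.
# The value here is constructed for the example; never hard-code a real one.
SHARED_SECRET = b"constructed-demo-secret-do-not-use"
TOKEN_TTL = 60  # seconds a minted iframe URL stays valid


def _mac(user: str, expires: int, nonce: str) -> str:
    """HMAC-SHA256 over the fields Site B must be able to trust."""
    msg = f"{user}|{expires}|{nonce}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def mint_iframe_src(base_url: str, user: str, now: Optional[float] = None) -> str:
    """Site A: build the iframe src carrying an expiring, signed, single-use token.

    Only Site A can produce a valid sig, so Site B learns the URL was minted by
    Site A even though the request itself arrives from the user's own browser.
    """
    current = time.time() if now is None else now
    expires = int(current + TOKEN_TTL)
    nonce = secrets.token_urlsafe(16)  # fresh per URL; the replay key
    query = urlencode({
        "user": user,
        "exp": expires,
        "nonce": nonce,
        "sig": _mac(user, expires, nonce),
    })
    return f"{base_url}?{query}"


class TokenVerifier:
    """Site B: accept a request only if its token is genuine, unexpired and unused."""

    def __init__(self) -> None:
        self._seen: Dict[str, int] = {}  # nonce -> expiry, so old entries can be pruned

    def verify(self, url: str, now: Optional[float] = None) -> Tuple[bool, str]:
        current = time.time() if now is None else now
        q = parse_qs(urlsplit(url).query)
        try:
            user = q["user"][0]
            expires = int(q["exp"][0])
            nonce = q["nonce"][0]
            sig = q["sig"][0]
        except (KeyError, ValueError):
            return False, "missing or malformed parameter"
        # Constant-time comparison: never compare MACs with ==.
        if not hmac.compare_digest(sig, _mac(user, expires, nonce)):
            return False, "bad signature"
        if current > expires:
            return False, "expired"
        # Drop nonces whose tokens have expired; they can no longer pass the check above.
        self._seen = {n: e for n, e in self._seen.items() if e >= current}
        if nonce in self._seen:
            return False, "replayed"
        self._seen[nonce] = expires
        return True, user


if __name__ == "__main__":
    src = mint_iframe_src("https://siteb.example/embed", "alice")
    verifier = TokenVerifier()
    print(verifier.verify(src))   # (True, 'alice') on first use
    print(verifier.verify(src))   # (False, 'replayed') on the second
```

Site B still sees the end user's IP on the iframe request, exactly as the answer predicts; the MAC, not REMOTE_ADDR or the Referer, is what ties the request to Site A. Checking the signature before the expiry and nonce means an attacker cannot probe the nonce store with forged URLs, and the short TTL bounds how long a leaked URL is usable. This stops casual hot-linking of the framed page, but a user who is legitimately given a URL can still hand it to someone else within the TTL, which is why the answer's suggestion of real authentication on Site B remains the stronger control.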