5

I've got a classic ASP page making an XMLHTTP request to my ASP.net (c#) page, "doSomething.ashx". They are both hosted on the same server.

How can I guarantee that the request came from the local server, to stop malicious users visiting the doSomething.ashx page and making false requests?

Edit:

Stupid me forgot I could pass username + pw through, but will:

HttpContext.Current.Request.IsLocal

Work just as well? Or could this suffer from creative hackers?

Tom Gullen
    Have you thought of adding some authentication to the request? Either via HTTP or using a uid/pwd combination in your request? – Lazarus Jan 26 '11 at 12:03

3 Answers

10

In the HttpRequest object, there is a property:

context.Request.IsLocal

This boolean is true if the request has come from the same machine!

MSDN Docs:

The IsLocal property returns true if the IP address of the request originator is 127.0.0.1 or if the IP address of the request is the same as the server's IP address.

jcvandan
  • +1. This works unless someone really borks your IP stack. It ONLY works reliably for localhost, though. There is no way to make an HTTP request from another computer faking 127.0.0 (tcp negotiation would fail). – TomTom Jan 26 '11 at 12:13
  • So theoretically you don't need authentication with this method? – Tom Gullen Jan 26 '11 at 12:19
  • If you are doing an XMLHTTP request it's going to be done using the client browser and the user IP. This will fail as the IP is not local. Use a session token instead. – Pedro Laguna Jan 26 '11 at 13:40
2

You will need to add some token that is unique to that request/session. If it's just authenticated, you can guarantee that it came from someone with details but can still be "faked" from that user.

You can either check all "known" tokens with an expiry, or use a session based system and check it's valid in the request handler.

If using just tokens, you will need to generate them on the server when sending out the page that makes the request, and then check them when handling the request itself.

Deanna
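Added example (not code from the question or any of the answers) of the session-token approach this answer describes, applied to the doSomething.ashx handler from the question. It assumes the page that issues the XMLHTTP request is served by the same ASP.NET application so it can share session state, that the page sends the token in a hypothetical X-Request-Token header, and that the handler class is named DoSomething.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;
// Token issued when the requesting page is rendered, stored in the ASP.NET session,
// and required again by doSomething.ashx (hypothetical handler class below).
public static class RequestToken
{
    private const string TokenKey = "DoSomethingToken";
    private const string ExpiryKey = "DoSomethingTokenExpires";
    // Call this while rendering the page that will make the XMLHTTP request,
    // and embed the returned value in that page.
    public static string Issue(HttpSessionState session)
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        session[TokenKey] = token;
        session[ExpiryKey] = DateTime.UtcNow.AddMinutes(10);   // expiry, as the answer suggests
        return token;
    }
    // True only if the presented token matches the stored one and has not expired.
    public static bool IsValid(HttpSessionState session, string presented)
    {
        var expected = session[TokenKey] as string;
        var expires = session[ExpiryKey] as DateTime?;
        if (expected == null || expires == null || presented == null) return false;
        if (DateTime.UtcNow > expires.Value) return false;
        if (expected.Length != presented.Length) return false;
        int diff = 0;                       // constant-time comparison of the two strings
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ presented[i];
        return diff == 0;
    }
}
// doSomething.ashx: IRequiresSessionState gives the handler access to the session.
public class DoSomething : IHttpHandler, IRequiresSessionState
{
    public void ProcessRequest(HttpContext context)
    {
        // Request.IsLocal is not the right check here: a browser-side XMLHTTP call arrives from the visitor's IP, not the server's.
        string presented = context.Request.Headers["X-Request-Token"];   // null if the header is absent
        if (!RequestToken.IsValid(context.Session, presented))
        {
            context.Response.StatusCode = 403;   // reject and do nothing else
            return;
        }
        context.Response.ContentType = "text/plain";
        context.Response.Write("ok");
    }
    public bool IsReusable { get { return false; } }
}
```

A classic ASP page does not share ASP.NET session state, so in the questioner's setup the token would have to be issued by an ASP.NET endpoint and kept in an application-level list of "known" tokens with expiry, the other variant this answer mentions.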
1

Simple, you authenticate the request.

Noon Silk
  • I honestly don't know, but I wouldn't rely on it. My guess is that would check the IP address; but it's probably best not to do that. Or at least, consider doing that only in combination with some true authentication. It'll help you in the future anyway, and, will be descriptive of what you are trying to achieve. – Noon Silk Jan 26 '11 at 12:09