prevent user from accessing page via manual url key in

Hello, are there any ways I can prevent user from accessing a page by typing the url? Specifically, for those pages with parameters. This is for users who have already logged in.


My scenario is that the users have different to different reports, let's say user A

mywebsite.com/report.aspx?reportid=1

but not for reportid=2


What methods can I use to prevent this other than running a whole aggregate in the page preparation to check if the user has access to this report?


At the moment I am generating guid on login and saving it to a session variable, and on the preparation of every single page compares if the values match, and generate a new one if it matches, or logs user out if it doesn't.

Wei Pien Keoh wrote:

Hello, are there any ways I can prevent user from accessing a page by typing the url? Specifically, for those pages with parameters. This is for users who have already logged in.


My scenario is that the users have different to different reports, let's say user A

mywebsite.com/report.aspx?reportid=1

but not for reportid=2


What methods can I use to prevent this other than running a whole aggregate in the page preparation to check if the user has access to this report?


At the moment I am generating guid on login and saving it to a session variable, and on the preparation of every single page compares if the values match, and generate a new one if it matches, or logs user out if it doesn't.


Hello Wei Pien,

In the preparation you can check the value of the parameter and process accordingly



That solves your problem?

EDIT: Maybe I misunderstood your question... Maybe you can keep your previous URL on a Session Variable and check it in preparation? If the preparation has been triggered and the previous URL does not match where your used should've come from, prevent the page from loading?

Hello,

You'll have to have a security pattern in place and here you can have multiple options to choose, i'll mention 2:

- Encript the screen inputs

- Set a validation like User A as only access to report 1 and validate it before give the user access to the page, meaning implement a content Access Management System 

Hi Wei Pien Keoh,

I don't think we have option to identify weather url accessed directly or accessed through redirect.


Sravan

Hello Wei,

If you can identify, per user, which reports he can access, why not simply check, first thing in the preparation, if the logged user is authorized to access the report being requested?

I'm assuming that is not a Role problem (like users with same role can access different reports).

Just store somewhere (database) if you aren't doing it yet which reports a user can access and validate in preparation...

Cheers

Thank you for the suggestions everyone! But I'm trying to avoid having to query the database again after the initial search page if possible. Encrypting and decrypting the id works, but according to another colleague of mine on another project, it has an impact on the performance. What I've come up with is a server action below, which is called on every page's preparation. In addition to this, all the pages have an extra Input parameter.


Being new to this, I am not sure if this will cause any issues. Any insights to the cons of doing this is much appreciated!

Hi Wei,

Session variables are stored in database anyway...

You are working in web, so, on every request, the information will have to come from database, or from the browser.

Also, every request is accessing an URL... So, there is no way to know if the URL is being accessed from a link or thea address bar, without passing some information through the URL.

But the browser is never safe. if you are expecting to have the session value to be set in a button input parameter, this is client side. The user can simply inspect the html and change the Report Id there. He does not have to even go to the URL directly.

So, your solution seems to not work at all in the sense it is not safe at all.

The only way to prevent the user to go to a report he can't, is to avoid completely relying on checking input parameters. 

You can set which report id he can access in a session variable, for example, and if he tries to access the report page you use this id. Don't have even to receive the id from an input. 

Or query database. There are no other "safe" options.

Cheers

There is no fullproof way to do this besides doing a query (or any other server side checking).
The client can always be manipulated and even though the chances are slim, it is still possible.

You can ask yourself:
- Who are the target users of this application?
- Will they be doing something like this to gain access to different reports?
- Is this application internal only, or can everybody with an internet connection access it?

If you are already performing a query to get data on the report, why not do a join to see if the user can access it? If you limit on 1 record it's not going to be a huge performance loss. If the aggregate is empty you know the user does not have any access or the record does not exist, either way there is no data queried and the user can be redirected to a generic list page or home page.