+1  Q: 

Forced browsing

I am having a security issue: the user can use the forced browsing technique to traverse to a page which is not accessible to them. Is there any way that I can stop it? Visual Basic, .NET 3.5

+1  A: 

Pardon if I do not understand you clearly, but in an ASP.NET environment you can use web authorization and authentication mechanisms to prevent users from seeing specified locations. To learn more about how to use it, read this article, this article and see this tutorial

ŁukaszW.pl
I am sorry if I wasn't clear, the problem is that my application is not using the ASP.NET authorization mechanism, but I will still have a look at the tutorial. Thanks
Yes, that is why using a decent auth system is the solution :)
David Dorward
A: 

Secure the resources that should not be accessible. Forced browsing doesn't break through any measure of security, it just guesses what content is on the server and requests it. If the server is happily serving that content, then it's not secured and the user is technically permitted to see it.

David
Can you please suggest some way to secure the web page that is being accessed without making a lot of changes in the web app code?
Does the page need to be restricted against all users, against specific users, or for specific users? How do you identify your users?
David
Against specific users. And I am using role types to differentiate between users. So, for example, only the user with a certain role should be able to access that page, and the users with other role types would be restricted.
In the code for that page just check if the current user is of the desired role. If not, redirect them. This can be automated in several ways in ASP.NET, most notably with SiteMap files and with location/authorization nodes in the web.config file. I suggest researching those.
David
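
The per-page role check suggested in the last answer, as an added example that is not part of the original thread: a base class that restricted pages inherit from, so the check runs before any page code and a guessed URL is refused on the server. It assumes the application's own login code stores the role type in `Session("RoleType")`; that key, `Login.aspx`, `AdminReports` and the `"Admin"` role name are hypothetical.

```vb
Imports System
Imports System.Web
Imports System.Web.UI

' Added example: restricted pages inherit from this instead of System.Web.UI.Page.
Public MustInherit Class RoleProtectedPage
    Inherits Page

    ' Each protected page lists the role types allowed to view it.
    Protected MustOverride ReadOnly Property AllowedRoles() As String()

    Protected Overrides Sub OnPreInit(ByVal e As EventArgs)
        ' Assumption: the login code stored the role type in Session("RoleType").
        Dim role As String = TryCast(Session("RoleType"), String)

        If String.IsNullOrEmpty(role) Then
            ' No authenticated session: send to the login page (hypothetical path).
            ' endResponse:=True stops processing, so nothing below runs.
            Response.Redirect("~/Login.aspx", True)
        End If

        If Array.IndexOf(AllowedRoles, role) < 0 Then
            ' Logged in, but the role is not on this page's allow list.
            Response.StatusCode = 403
            Response.End()
        End If

        MyBase.OnPreInit(e)
    End Sub
End Class

' Code-behind of a restricted page (hypothetical AdminReports.aspx).
Partial Public Class AdminReports
    Inherits RoleProtectedPage

    Protected Overrides ReadOnly Property AllowedRoles() As String()
        Get
            Return New String() {"Admin"}
        End Get
    End Property
End Class
```

Because `AllowedRoles` is `MustOverride`, a page that inherits from the base class cannot compile without declaring who may see it; pages that still inherit directly from `Page` remain unprotected and have to be found and converted.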