How do I find out from within an HttpModule what domain made a particular request?

Say I only want to allow site1.com and site2.com to use images from my server, how do I check that it is them making the request?

A: 

Request.UrlReferrer, but it can easily be spoofed.

David
Is there a better way to do it at all? Is a "proper" way even possible then?
joshcomley
A: 

There's no way to do this in every case. Consider that UrlReferrer may not be set. Also, consider that you could be called by a client that does not have a DNS address.

Instead, you should consider configuring IIS to authenticate using user certificates. If you've only got a small number of sites calling you, generate a certificate, register it with IIS and map to the user you want, then give the certificates to those two machines to be installed on them.

John Saunders
I'm only interested in allowing servers to access the files, no other clients. What servers don't have a DNS address? If I embed an image in a page on www.site1.com/mypage.html, is there truly no way to guarantee that when someone loads that page I cannot know that it is coming from there?
joshcomley
Aside from authentication, no. The Referrer is not guaranteed to be set, or to be what you expect it to be.
John Saunders
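An added example, not code from any of the posters above: a minimal HttpModule that applies the `Request.UrlReferrer` check from the first answer while handling the cases the second answer raises (header absent or not what you expect). The class name is hypothetical and the host list is taken from the question. Because the header is client-supplied, this only deters casual hotlinking; it does not authenticate the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example: Referer allowlist as a hotlink deterrent, not authentication.
public class RefererAllowlistModule : IHttpModule
{
    // Hosts from the question; compared as whole host names, case-insensitively.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "site1.com", "www.site1.com", "site2.com" };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        if (!IsAllowed(app.Context.Request))
        {
            app.Context.Response.StatusCode = 403;
            app.CompleteRequest(); // skip the rest of the pipeline
        }
    }

    internal static bool IsAllowed(HttpRequest request)
    {
        Uri referrer;
        try
        {
            referrer = request.UrlReferrer; // null when the header is absent
        }
        catch (UriFormatException)
        {
            return false; // malformed Referer header
        }
        if (referrer == null)
            return false; // privacy tools and direct requests send no Referer

        // Exact host match only: a substring or suffix test would also accept
        // look-alike hosts such as "site1.com.example.net".
        return AllowedHosts.Contains(referrer.Host);
    }

    public void Dispose() { }
}
```

Rejecting requests with no Referer also blocks legitimate visitors whose browser or proxy strips the header, which is the trade-off behind the advice to use authentication instead.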