I am using ASP.NET 4.0 Framework.I have a directory which contains 10 PDF files i.e pdf1,pdf2....pdf10. On button click i am using Response.Redi开发者_Python百科rect & passing Pdf file path in order to open it in the browser. but, this enables user to view the path(url) of the PDF folder using this url he can open any other pdf directly. How can i stop him accessing PDF directly from the url
Use Request.ServerVariables["HTTP_REFERER"]
this will tell you where the request had come from. If its not on your site then take appropriate action.
e.g.
if(Request.ServerVariables["HTTP_REFERER"].ToLower().IndexOf("mysite.com") == -1){
// Not from my site
Response.Redirect("NotAllowed.aspx");
}
This link may help you to stop him accessing PDF directly from the url.
Use this code in Global.asax.cs and Call [NoDirectAccess] to all controllers
//Prevent direct URL access: Call [NoDirectAccess] to all controllers to block
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class NoDirectAccessAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
if (filterContext.HttpContext.Request.UrlReferrer == null ||
filterContext.HttpContext.Request.Url.Host != filterContext.HttpContext.Request.UrlReferrer.Host)
{
filterContext.Result = new RedirectToRouteResult(new
RouteValueDictionary(new { controller = "Home", action = "Login", area = "" }));
}
}
}
You will need to add a secure layer. If you are using MVC it will probably be simpler to implement since you will do the authorisation in the controller action. However, for classic ASP you will probably need to implement a custom handler.
There is no easy solution to this. You could devise some sort of rolling code based on the server date/time that must be part of the query string and check for the correctness of this in the page load, if you make it sufficiently complicated / long, then people will not be able to enter this manually.
精彩评论