Guaranteeing request came from local server

Developer https://www.devze.com 2023-02-06 15:50 Source: web
I've got a classic ASP page making an XMLHTTP request to my ASP.net (c#) page, "doSomething.ashx". They are both hosted on the same server.

How can I guarantee that the request came from the local server, to stop malicious users visiting the doSomething.ashx page and making false requests?

Edit:

Stupid me forgot I could pass username + pw through, but will:

HttpContext.Current.Request.IsLocal

Work just as well? Or could this suffer from creative hackers?


In the HttpRequest object, there is a property:

context.Request.IsLocal

This boolean is true if the request has come from the same machine!

MSDN Docs:

The IsLocal property returns true if the IP address of the request originator is 127.0.0.1 or if the IP address of the request is the same as the server's IP address.


You will need to add some token that is unique to that request/session. If it's just authenticated, you can guarantee that it came from someone with details but can still be "faked" from that user.

You can either check all "known" tokens with an expiry, or use a session based system and check it's valid in the request handler.

If using just tokens, you will need to generate them on the server when sending out the page that makes the request, and then check them when handling the request itself.
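The answer above describes server-generated tokens with an expiry; the following is an added example, not code from the original post, and it swaps the server-side list of known tokens for a stateless HMAC-signed timestamp checked in the handler. The class name `RequestToken`, the token layout and the sample secret are assumptions of this example.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

public static class RequestToken
{
    // Token layout (assumed here): "<unix seconds>.<hex HMAC-SHA256 of the seconds string>"
    public static string Issue(byte[] secret, DateTimeOffset now)
    {
        string ts = now.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture);
        return ts + "." + Sign(secret, ts);
    }

    public static bool Validate(string token, byte[] secret, DateTimeOffset now, TimeSpan maxAge)
    {
        string[] parts = (token ?? "").Split('.');
        long issued;
        if (parts.Length != 2 ||
            !long.TryParse(parts[0], NumberStyles.None, CultureInfo.InvariantCulture, out issued))
            return false;
        long age = now.ToUnixTimeSeconds() - issued;
        if (age < 0 || age > (long)maxAge.TotalSeconds) return false; // expired or from the future
        return FixedTimeEquals(Sign(secret, parts[0]), parts[1]);
    }

    static string Sign(byte[] secret, string data)
    {
        using (var hmac = new HMACSHA256(secret))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(data))).Replace("-", "");
    }

    // No early exit, so timing does not reveal how many characters matched.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("constructed-demo-secret"); // constructed sample value
        DateTimeOffset t0 = DateTimeOffset.FromUnixTimeSeconds(1700000000);
        string token = Issue(secret, t0);
        TimeSpan maxAge = TimeSpan.FromMinutes(2);
        Console.WriteLine(Validate(token, secret, t0.AddSeconds(30), maxAge));  // fresh token
        Console.WriteLine(Validate(token, secret, t0.AddMinutes(5), maxAge));   // past the expiry window
        Console.WriteLine(Validate("1700000001" + token.Substring(10), secret, t0.AddSeconds(30), maxAge)); // altered timestamp
    }
}
```

In doSomething.ashx the handler would reject the request unless both `context.Request.IsLocal` and `RequestToken.Validate(...)` pass, with the token carried in a header or form field of your choosing (the transport is not specified on this page). A token of this shape can be replayed until it expires, so keep the window short or also sign the request parameters.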


Simple, you authenticate the request.
