Using Request.UrlReferrer to prevent "direct access"
Jun 24, 2020 12:46 AM | steppinthrax
I have a weird situation where we are utilizing ColdFusion as well as .NET. Both web applications pass control onto each other depending on where the user is going. Data is passed from CF to .NET via session variables.
We have an area of the site that deals with user management. The page is designed so that within the page_load a series of Session variables are checked and used to draw the user/add/edit/role screen. A private company did a security vulnerability check and found that if one logged into the application as a superuser and closed their browser, a lower-level user who came right behind them and directly browsed to the URL for the user management screen could in fact view all users at an administrator level. To fix this I wrote additional code to check for the Request.UrlReferrer, and if this was either null or "" then it would send them back to the login page.
I also wrote code to check the "existence" of the session variables being set, and if they weren't it would assume someone is trying to browse to that page without going through the normal process and send them to the login screen.
My questions are the following.
1. In a normal situation (assuming a secure server etc.) is there a way .NET session state can be injected? My understanding is that these Session variables are server-side.
2. Is checking for Request.UrlReferrer a reliable method? Can this value be somehow spoofed? If this value is null they are not coming from a page within the web app, but from a direct link. Is there any other way the contents of this can be set to something? I'm assuming if someone made an external website and linked to this site, it would not pick up that external site as Request.UrlReferrer?
3. Is there some better way to do all of this? Forms Authentication is enabled and I would've just used <deny users = "?">. However, there's a ColdFusion page that is populating the session variables in one instance, so it doesn't go through the normal forms authentication process.
Re: Using Request.UrlReferrer to prevent "direct access"
Jun 24, 2020 07:09 AM | yij sun
Hi steppinthrax,
As far as I can tell, Request.UrlReferrer is unreliable and weak, because the UrlReferrer can easily be modified, and some security suites actually remove it from the request.
I suggest you use FormsAuthentication to prevent direct access.
For more details, you could refer to the article below:
https://forums.asp.net/t/1682914.aspx?Prevent+direct+access+to+page+by+typing+URL
Best regards,
Yijing Sun
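Added example, not code from the original thread or from either poster: a small Python WSGI model of the two approaches discussed above, written so it runs offline without IIS. `weak_user_management` reproduces the check in the original post (redirect to login unless `Request.UrlReferrer` is non-empty and the expected session variables exist); `hardened_user_management` authorizes from the role held in the server-side session alone, which is what a forms-authentication role check (`User.IsInRole(...)` in Page_Load, or `<allow roles="..."/>` followed by `<deny users="*"/>` in a web.config `<location>` block) reduces to. The session store, session ids, cookie name and the `Clerk`/`Administrator` roles are constructed for the demo, and it assumes the lower-privilege user has already logged in and therefore holds a valid session with a `UserId` set.

```python
# Added example (not from the original thread): a minimal WSGI model of the two
# checks discussed above. The "weak" handler mirrors the original post's fix
# (redirect unless Request.UrlReferrer is set and the session variables exist);
# the "hardened" handler decides purely from the role stored server-side in the
# session, which is what a forms-authentication role check boils down to.
# Session ids, roles, the cookie name and the paths below are constructed.

from http.cookies import SimpleCookie

LOGIN_URL = "/Login.aspx"
ADMIN_PAGE = "/Admin/Users.aspx"
COOKIE_NAME = "ASP.NET_SessionId"

# Constructed server-side session store: the client only ever holds the id.
SESSIONS = {
    "s-admin-001": {"UserId": 1, "Role": "Administrator"},
    "s-clerk-002": {"UserId": 2, "Role": "Clerk"},
}


def session_for(environ):
    """Look up the server-side session named by the request's session cookie."""
    cookie = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    morsel = cookie.get(COOKIE_NAME)
    return SESSIONS.get(morsel.value) if morsel else None


def _redirect(start_response, location):
    start_response("302 Found", [("Location", location)])
    return [b""]


def weak_user_management(environ, start_response):
    """The check from the original post: Referer present + session variables exist.

    Both conditions are satisfiable by any client that already has a valid
    session cookie, regardless of that user's privilege level.
    """
    referer = environ.get("HTTP_REFERER", "")
    session = session_for(environ)
    if not referer or session is None or "UserId" not in session:
        return _redirect(start_response, LOGIN_URL)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ALL USERS (administrator view)"]


def hardened_user_management(environ, start_response):
    """Authorize from the server-side principal only; the Referer is never consulted."""
    session = session_for(environ)
    if session is None:
        return _redirect(start_response, LOGIN_URL)      # unauthenticated
    if session.get("Role") != "Administrator":
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"forbidden"]                             # authenticated, wrong role
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ALL USERS (administrator view)"]


def request(app, session_id=None, referer=None):
    """Drive a WSGI app with a constructed request; returns (status, body).

    The Referer is a plain request header, so any HTTP client (curl, a script,
    a proxy) can set it to whatever it likes or strip it entirely.
    """
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": ADMIN_PAGE,
        "SERVER_NAME": "intranet.example",
        "SERVER_PORT": "443",
        "wsgi.url_scheme": "https",
    }
    if session_id is not None:
        environ["HTTP_COOKIE"] = f"{COOKIE_NAME}={session_id}"
    if referer is not None:
        environ["HTTP_REFERER"] = referer
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], body


def demo():
    """Run the cases that matter and return their response statuses by name."""
    forged = "https://intranet.example/Admin/Users.aspx"   # attacker-chosen value
    return {
        # 1. Low-privilege user, forged Referer: the weak check lets them through.
        "weak_clerk_forged_referer": request(weak_user_management, "s-clerk-002", forged)[0],
        # 2. Real admin whose proxy/privacy tool strips Referer: weak check locks them out.
        "weak_admin_no_referer": request(weak_user_management, "s-admin-001", None)[0],
        # 3. Same forged request against the role check: denied.
        "hardened_clerk_forged_referer": request(hardened_user_management, "s-clerk-002", forged)[0],
        # 4. Admin with no Referer at all: the role check does not care.
        "hardened_admin_no_referer": request(hardened_user_management, "s-admin-001", None)[0],
        # 5. No session cookie at all: back to the login page.
        "hardened_anonymous": request(hardened_user_management, None, forged)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:32} -> {status}")
```

Compare cases 1 and 2 with 3 and 4: the forged Referer passes the weak check because the header is chosen by the client, while a proxy or privacy tool that strips Referer (the "security suites" point in the reply above) locks the legitimate administrator out. Browsers also omit the header on direct navigation and on HTTPS-to-HTTP transitions, so its absence proves nothing either. The server-side session contents, by contrast, are set only by the application, which also answers question 1 in the post: the client holds the session id cookie, not the session data, so the real risk is a session id that is shared or stolen, not injected values. In the ColdFusion handoff case the same principle applies: once the handoff page has validated the incoming user it should issue the forms ticket (`FormsAuthentication.SetAuthCookie`) and populate the role, so the user-management page can rely on the authenticated principal rather than on how the request arrived.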