Saturday, October 03, 2009 11:38 AM Tanzim Saqib

Quickly Secure Your Site Using HttpModule

You have a top-secret site hosted on the web and you want to demo it to certain people only. There are several ways to do this, and I wanted one that took under 5 minutes. I created an HttpModule to redirect to a login page. That page validates the supplied credentials against an XML file, which is basically a list of username/password pairs like the one below:

<?xml version="1.0" encoding="utf-8" ?>
<allowed>
  <user name="saqib" password="dontknow" />
  <user name="tanzim" password="nopassword" />
</allowed>

 

An HttpModule is a pluggable version of Global.asax. I call it that because it can be installed just by registering it in web.config, as shown below, and it can interact with ASP.NET events the same way Global.asax does.

<httpModules>
  <add type="RedsideSecurity" name="RedsideSecurity" />
</httpModules>
 
 

HttpModules have full control over HTTP requests, so the HttpModule I created can intercept each request and authorize it depending on the cookie present in the browser. In the module's Init, I registered a delegate for the BeginRequest event, meaning that as the request travels through the ASP.NET pipeline, this delegate is invoked at the beginning of the request. I check the cookie and, if it is not valid, show a link to the SecureLogin.aspx page, which displays the username/password inputs.

public void Init(HttpApplication context)
{
    // Runs at the start of every request that reaches the ASP.NET pipeline.
    context.BeginRequest += (sender, args) =>
    {
        var path = context.Request.Path.ToLowerInvariant();

        // The login page itself must stay reachable without a cookie.
        if (path != "/securelogin.aspx")
        {
            var cookie = context.Request.Cookies.Get(RED_SIDE_COOKIE_NAME);
            DateTime loggedInAt;

            // Reject a missing, empty or unparsable cookie, and one whose
            // login time is older than the timeout.
            if (cookie == null
                || !DateTime.TryParse(cookie.Value, out loggedInAt)
                || loggedInAt.AddMinutes(COOKIE_TIMEOUT_MINUTES) < DateTime.Now)
            {
                context.Response.Write("<span style=\"color: red; font-weight: bold;\""
                    + ">Sir, your ID please.</span> <a href=\"securelogin.aspx\">Login</a>");
                context.Response.End();
            }
        }
    };
}
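The cookie checked above holds only a login timestamp, so nothing in its value shows that SecureLogin.aspx issued it. One way to bind it to the server is to sign the timestamp with an HMAC key that only the server holds and to verify that signature before trusting the time. This is an added example, not code from the original post; the `SignedTicket` class, its method names and the per-process random key in `Main` are assumptions for illustration.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical helper, not part of the original module).
// Cookie value format: "<utc ticks>.<hex HMAC-SHA256 of the ticks string>".
public static class SignedTicket
{
    public static string Issue(DateTime utcNow, byte[] key)
    {
        var payload = utcNow.Ticks.ToString(CultureInfo.InvariantCulture);
        return payload + "." + Sign(payload, key);
    }

    public static bool IsValid(string token, DateTime utcNow, int timeoutMinutes, byte[] key)
    {
        var parts = (token ?? string.Empty).Split('.');
        if (parts.Length != 2 || !FixedTimeEquals(Sign(parts[0], key), parts[1]))
            return false;                 // missing, malformed, or not signed with our key
        long ticks;                       // parsed only after the signature checks out
        if (!long.TryParse(parts[0], NumberStyles.None, CultureInfo.InvariantCulture, out ticks)
            || ticks > DateTime.MaxValue.Ticks)
            return false;
        var issued = new DateTime(ticks, DateTimeKind.Utc);
        return issued <= utcNow && utcNow - issued <= TimeSpan.FromMinutes(timeoutMinutes);
    }

    private static string Sign(string payload, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Looks at every character so timing does not reveal how much of the signature matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        var diff = a.Length ^ b.Length;
        for (var i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        var key = new byte[32];           // constructed demo key; use a persistent secret in practice
        RandomNumberGenerator.Create().GetBytes(key);
        var now = DateTime.UtcNow;
        var token = Issue(now, key);
        Console.WriteLine(IsValid(token, now.AddMinutes(5), 20, key));   // signed, within timeout
        Console.WriteLine(IsValid(token, now.AddMinutes(30), 20, key));  // signed, past timeout
        Console.WriteLine(IsValid(now.Ticks + ".00", now, 20, key));     // timestamp without a valid signature
    }
}
```

In the module, `Issue` would supply the cookie value at login and `IsValid` would replace the date comparison in `BeginRequest`; using UTC ticks also avoids the culture-dependent `DateTime.Now.ToString()` round trip.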

The code for SecureLogin.aspx is easy as well: try to match the credentials supplied by the user against the XML file, set the cookie if authorized, and redirect to default.aspx.

protected void btnLogin_Click(object sender, EventArgs e)
{
    // Page.IsValid is true only if CustomValidator1_ServerValidate accepted the credentials.
    if (Page.IsValid)
    {
        // The cookie value is the login time; the module compares it against the timeout.
        var cookie = 
            new HttpCookie(RedsideSecurity.RED_SIDE_COOKIE_NAME, DateTime.Now.ToString());
        
        cookie.Expires = DateTime.Now.AddMinutes(RedsideSecurity.COOKIE_TIMEOUT_MINUTES);
        Response.Cookies.Set(cookie);
        Response.Redirect("default.aspx");
    }
}

// Requires: using System.Linq; using System.Xml.Linq;
protected void CustomValidator1_ServerValidate(object source, ServerValidateEventArgs args)
{
    var path = Server.MapPath("~/App_Data/RedsideSecurity.xml");
    var allowedUsers = XElement.Load(path);

    // Look the attributes up by name so the match does not depend on their order in the file.
    var user = (from u in allowedUsers.Elements("user")
                where (string)u.Attribute("name") == txtUsername.Text 
                && (string)u.Attribute("password") == txtPassword.Text
                select u).FirstOrDefault();

    args.IsValid = user != null;
}
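The XML file above stores passwords in clear text and the validator compares them directly, so anyone who can read the file has every password. A variant that keeps only a salted PBKDF2 hash per user, as an added example that is not part of the original post: the `salt` and `hash` attributes, the `CredentialStore` class and the iteration count are assumptions, and the `HashAlgorithmName` overload assumes .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Xml.Linq;

// Added example (hypothetical helper): users stored as <user name="" salt="" hash="" />.
public static class CredentialStore
{
    private const int Iterations = 100000;   // assumed work factor; tune for your hardware

    // Builds the element to store in the XML file instead of a clear-text password.
    public static XElement CreateUser(string name, string password)
    {
        var salt = new byte[16];
        RandomNumberGenerator.Create().GetBytes(salt);
        return new XElement("user",
            new XAttribute("name", name),
            new XAttribute("salt", Convert.ToBase64String(salt)),
            new XAttribute("hash", Convert.ToBase64String(Derive(password, salt))));
    }

    public static bool Verify(XElement allowed, string name, string password)
    {
        var user = allowed.Elements("user")
            .FirstOrDefault(u => (string)u.Attribute("name") == name);
        if (user == null) return false;
        var salt = Convert.FromBase64String((string)user.Attribute("salt"));
        var expected = Convert.FromBase64String((string)user.Attribute("hash"));
        var actual = Derive(password, salt);
        // Compare all bytes so timing does not reveal how much of the hash matched.
        var diff = expected.Length ^ actual.Length;
        for (var i = 0; i < expected.Length && i < actual.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    public static void Main()
    {
        // Constructed sample data standing in for App_Data/RedsideSecurity.xml.
        var allowed = new XElement("allowed", CreateUser("saqib", "sample-passphrase"));
        Console.WriteLine(allowed);
        Console.WriteLine(Verify(allowed, "saqib", "sample-passphrase"));  // correct password
        Console.WriteLine(Verify(allowed, "saqib", "wrong"));              // wrong password
    }
}
```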

Comments


# re: Quickly Secure Your Site Using HttpModule

Saturday, October 03, 2009 4:06 PM by Øyvind Sean Kinsey

Why use this method instead of .NET's built-in forms authentication combined with user credentials stored in web.config?

msdn.microsoft.com/.../e01fc50a.aspx

# re: Quickly Secure Your Site Using HttpModule

Saturday, October 03, 2009 10:31 PM by Raj Kaimal

If you wish to protect all the contents of a directory and not just the asp.net web app, you will need to enable wildcard mapping so that all requests are routed through ASP.NET. This is required for IIS 6 and IIS 7 in classic pipeline mode.

It is not required, however, for IIS 7 integrated pipeline.

ref: learn.iis.net/.../wildcard-script-mapping-and-iis-7-integrated-pipeline

# re: Quickly Secure Your Site Using HttpModule

Saturday, October 03, 2009 10:47 PM by Tanzim Saqib

Sean, because the web app already implemented FormsAuthentication for its own purpose. My objective was to protect it from the world so that I can demo it to certain people only.

Raj, correct.

# re: Quickly Secure Your Site Using HttpModule

Sunday, October 04, 2009 12:07 PM by Samboy LIms

I like the way various new C# or .NET features are used in your example.

Being a newbie, I hope you can give a sample working code I can download and study. Thanks in advance.

# re: Quickly Secure Your Site Using HttpModule

Sunday, February 07, 2010 8:34 PM by Praveen

tx much
