Block direct access to a URL via webconfig

Question

Block direct access to a URL via webconfig

Asked 7 years, 3 months ago

Viewed 1,106 times

3

I have an old system in classic ASP and need to do some implementations. I have a file web.config for this application and would like to know if it is possible to block direct access to a video URL.

For example: If the user has access to the video url and paste it into the address bar, he or she would like to block or redirect it. But if a specific system page is using this URL it should be able to access without restrictions.

I tried something like:

<rule name="assets">
   <match url="^assets/videos/([a-z0-9-]*)" />
   <action type="Rewrite" url="erro.asp" />
</rule>

This way you can block direct access via url. But it also blocks video uploading on other application pages.

You want to block direct access to URL, but if using Tag video then it is released?

– Guilherme Nascimento

2017/03/29 at 17:27

2 answers

2

You can check the URL by Rerefer, like this:

<rule name="assets">
    <match url="^assets/videos/([a-z0-9-]*)" />
    <conditions>
        <add input="{HTTP_REFERER}" pattern="^https?://www\.seusite\.com/pagina-especifica/.*$" negate="true" />
    </conditions>
    <action type="Rewrite" url="erro.asp" />
</rule>

In case you change ^http://www\.seusite\.com/pagina-especifica/ for your page which will be the only one that can access the videos

Note: still it is possible to "cheat" the browser using headers "modifiers", but it is something a little harder to do.

I took a test but he wouldn’t accept my conditions. I added the following Pattern: "<add input="{HTTP_REFERER}" Pattern=" my-courses/course/([a-Z0-9-])/module/([0-9])/video-lessons/. *$" negate="true" />". But the video is locked on this page as well.

– alan

2017/03/29 at 17:51
@Alan like this pattern="^https?://meusite.com/meus-cursos/curso/([a-z0-9-]*)/modulo/([0-9]*)/vid‌eo-aulas/.*$"

– Guilherme Nascimento

2017/03/29 at 18:00
Unsuccessful. msm so it does not continue accepting the conditions! :/

– alan

2017/03/29 at 18:39
@Alan has any other rule? It has how to send the entire web.config?

– Guilherme Nascimento

2017/03/29 at 18:40
@I’ll take a look, as soon as I can test your warning ;)

– Guilherme Nascimento

2017/03/29 at 18:44
OK! Thank you! ;)

– alan

2017/03/29 at 18:45
1

Finally I did. After doing several tests I had not noticed that the bars after www and the site name were reversed. I also had to remove the ".$" of the end. In the end it was like this: "<add input="{HTTP_REFERER}" Pattern=" https?: //www.afameducacional.com.br/previa/EAD/my-courses/course/([a-Z0-9-])/module/([0-9]*)/video-lessons" negate="true" />" :)

– alan

2017/03/29 at 18:58
Perfect @Alan !

– Guilherme Nascimento

2017/03/29 at 19:00

Show 3 more comments

Browser other questions tagged asp web.config

You are not signed in. Login or sign up in order to post.

by Oralista de Sistemas • **23,115** points · Answer 1 · 2017-03-29T17:27:45+00:00

There’s no way to do what you want with just the web.config.

What you can do is an Handler that the user accesses to view the video, and condition access to a session variable.

On the page the user must access in order to view the video, you give some arbitrary value to this session variable. In Handler you check if the variable is at the required value.

You might want to give this variable a life span too, so the user will need to navigate to the page again after that time if they want to review the video.