|
Home > Archive > IIS ASP > June 2004 > Checking that ASP page hasn't been accessed directly.
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Checking that ASP page hasn't been accessed directly.
|
|
| Laphan 2004-06-26, 10:19 am |
| Hi All
I've been looking at having my Javascript file as an ASP one to try and stop
general prying eyes, eg:
<SCRIPT LANGUAGE="javascript" SRC="js-something.asp">
</SCRIPT>
and this seems to work well apart from the fact that if the user, puts in
for example:
www.mydomain.co.uk/js-something.asp
the javascript is written to the web page for them to see.
Is it possible for the ASP side of this file to check whether it is has been
accessed directly (eg, as per the URL above) rather than simply being SRC'd
inside another ASP page?
If I can do a check for this then in my ASP code I could put that I only
write the javascript code if the page isn't being accessed directly.
Does this make sense?
Is the code still unprotected?
Thanks
Laphan
| |
| Dave Anderson 2004-06-26, 10:19 am |
| Laphan wrote:
>
> <SCRIPT LANGUAGE="javascript" SRC="js-something.asp">
> </SCRIPT>
>
> and this seems to work well apart from the fact that if the user,
> puts in for example:
>
> www.mydomain.co.uk/js-something.asp
>
> the javascript is written to the web page for them to see.
>
> Is it possible for the ASP side of this file to check whether it is
> has been accessed directly (eg, as per the URL above) rather than
> simply being SRC'd inside another ASP page?
How important is this, really?
Client-side code *must* be visible to the user agent, so there is no real
way of keeping me from viewing it. But I can think of a way to make it
difficult...
First of all, you have already made the JS file an ASP script. Good. Now tie
it to a one-time-use "random" value on the server:
Your ASP Script
========================================
===============================
Call Randomize()
Session("js-something") = Rnd()
<SCRIPT SRC="js-something.asp?r=<%=Session("js-something")%>"></SCRIPT>
js-something.asp
========================================
===============================
If Response.QueryString("r") <> Session("js-something") Then
Response.End()
End If
Session("js-something") = null
Add some expiration to the JS file, and this ought to help. Of course, it
assumes cookies are enabled. If you want to make it work for cookieless
requests, you'll need to put the random value into a DB.
--
Dave Anderson
Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
| |
| Aaron [SQL Server MVP] 2004-06-26, 10:19 am |
| You're trying to protect the JavaScript code? As http://www.aspfaq.com/2175
will demonstrate, the way to do this is to print it out and put it in your
safety deposit box.
--
http://www.aspfaq.com/
(Reverse address to reply.)
"Laphan" <news@DoNotEmailMe.co.uk> wrote in message
news:40dc734c_3@127.0.0.1...
> Hi All
>
> I've been looking at having my Javascript file as an ASP one to try and
stop
> general prying eyes, eg:
>
> <SCRIPT LANGUAGE="javascript" SRC="js-something.asp">
> </SCRIPT>
>
> and this seems to work well apart from the fact that if the user, puts in
> for example:
>
> www.mydomain.co.uk/js-something.asp
>
> the javascript is written to the web page for them to see.
>
> Is it possible for the ASP side of this file to check whether it is has
been
> accessed directly (eg, as per the URL above) rather than simply being
SRC'd
> inside another ASP page?
>
> If I can do a check for this then in my ASP code I could put that I only
> write the javascript code if the page isn't being accessed directly.
>
> Does this make sense?
>
> Is the code still unprotected?
>
> Thanks
>
> Laphan
>
>
| |
| Turkbear 2004-06-26, 10:19 am |
| On Fri, 25 Jun 2004 20:09:59 +0100, "Laphan" <news@DoNotEmailMe.co.uk> wrote:
>Hi All
>
>I've been looking at having my Javascript file as an ASP one to try and stop
>general prying eyes, eg:
>
><SCRIPT LANGUAGE="javascript" SRC="js-something.asp">
></SCRIPT>
>
>and this seems to work well apart from the fact that if the user, puts in
>for example:
>
>www.mydomain.co.uk/js-something.asp
>
>the javascript is written to the web page for them to see.
>
>Is it possible for the ASP side of this file to check whether it is has been
>accessed directly (eg, as per the URL above) rather than simply being SRC'd
>inside another ASP page?
>
>If I can do a check for this then in my ASP code I could put that I only
>write the javascript code if the page isn't being accessed directly.
>
>Does this make sense?
>
>Is the code still unprotected?
>
>Thanks
>
>Laphan
>
Make the aps code part of an HTML page and , right after the <BODY> tag, add
<SCRIPT Language="JavaScript">
if (document.referrer != "http://Thepageyouwantitobefrom") {
location.href="http://somemessagepage.asp"
}
</SCRIPT>
Probably not an absolute, but it works in our setting..
| |
| Bob Barrows [MVP] 2004-06-26, 10:19 am |
| Turkbear wrote:
> Make the aps code part of an HTML page and , right after the <BODY>
> tag, add <SCRIPT Language="JavaScript">
> if (document.referrer != "http://Thepageyouwantitobefrom") {
> location.href="http://somemessagepage.asp"
> }
> </SCRIPT>
>
> Probably not an absolute, but it works in our setting..
Only because your users don't know to look at their cache. Anyone who wants
to see the code will be able to .
Bob Barrows
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
| |
| Aaron [SQL Server MVP] 2004-06-26, 10:19 am |
| > Probably not an absolute, but it works in our setting..
Yep, Bob is right. Show me where this technique "protects" your JavaScript
code, and I'll show you your "protected" JavaScript code.
A
|
|
|
|
|