how do i know the frame my page is in?

  • Thread starter Thread starter dik mus
  • Start date Start date
D

dik mus

I hope this is the right newsgoup for this question.
I give it a try,

I show my asp.net page in a frame from a page of another
application.
Everything works fine, but now (for security reasons) I
want that my .net page can ONLY be viewed as a part of
the main page.

If the page is accessed directly I want to redirect
to "access denied" page.

Is it possible to write code to find out if a page is
viewed as a part of another page?

Thanks Dik
 
one other way to solve this would be that the framed page would requre a
querystring key to be sent to it.
You could make up this key in the page that it is framed in.

cheers,
mort
 
Dik,

On the server side, it's impossible to know for sure what's happening on the
client since pretty much any mechanism f or passing this information back to
the server can be spoofed. How important are your "security reasons" for
wanting this behaviour? If it's largely a matter of convenience, then the
query string parameter approach suggested by Mort should be fine. However,
if there are real security concerns with potentially serious implications
involved, you might want to consider something a little more robust. If
this is the case, is the "other application" under your control or, if not,
can you request that some minor changes be made to it?

Nicole
 
Thanks for your answers,

The sequrity does not have to be very strong. It is just
a intranet, and i am not expecting any hackers.

The source application is DNN2.04. Withe the sequrity
settings there it is easy to restrict some users to see a
tabs or not. In these tabs, i show in a frame my pages.
My asp.net pages are created with codecharge, and they
take can read all kind of parameters.

Sending a query string could be an option, but i guess
would not know how to make such a string so that users
could not see it in the url.
 
You can't check it from the server, but you can put some client script
in your page that checks for a frameset and redirects to an error page
if it doesn't find it. Something like:

function checkForFrames()
{
if (parent.frames.length == 0)
{
// not in a frameset
window.location = "error.htm";
}

}

-Jason
 
You could use User.IsInRole() to control who gets what access. Set up AD
security groups to pattern your access requirements and either display or
don't display sections of the page based on membership in the groups or,
even better, dynamically create the controls based on group membership.

Dale
 
I like to make it as simple as possible, and because the sequrity settings
for a tab are already set by a admin role (and not exactly known
beforehand), i like a page to just reflect the settings of that tab. I guess
i can figure out in code who has a access to the tab, but i am not looking
for extra work. So i figured, i put one header on all my pages (i hav a lot
of pages), and in that header i just check if the page is part of the dnn
tab. In this way i need only a few lines of code to "secure" a lot of pages
in the appropriate way.

To make it a little more secure, i think i also pass a parameter that codes
the current date, in my application it checkes if that code indeed
represents the current date. In this way, a working url string showed in
another frame would only work for one day.
 
Dear mort,

Is there a way to make a query string, that can not be just copied with the
url?

Thanks dik
 
Back
Top