I've got a classic ASP page making an XMLHTTP request to my ASP.net (c#) page, "doSomething.ashx". They are both hosted on the same server.
How can I guarantee that the request came from the local server, to stop malicious users visiting the doSomething.ashx page and making false requests?
Edit:
Stupid me forgot I could pass username + pw through, but will:
HttpContext.Current.Request.IsLocal
Work just as well? Or could this suffer from creative hackers?
On
You will need to add some token that is unique to that request/session. If it's just authenticated, you can guarantee that it came from someone with details but can still be "faked" from that user.
You can either check all "known" tokens with an expiry, or use a session based system and check it's valid in the request handler.
If using just tokens. you will need to generate them on the server when sending out the page that makes the request, and then checked when handling the request itself.
In the HttpRequest object, there is a property:
This boolean is true if the request has come from the same machine!
MSDN Docs:
The IsLocal property returns true if the IP address of the request originator is 127.0.0.1 or if the IP address of the request is the same as the server's IP address.