Fog Creek Software
Discussion Board




Blocking users from viewing website

What's the best way using classic ASP to block someone from viewing your website?

I know how to get a person's IP address by using:
Request.ServerVariables("REMOTE_HOST")

But IP addresses change -- especially those who use dial-up connections.... (But I read somewhere that an ISP issues IP addresses with the first two blocks of numbers always remaining the same. True? )

Any suggestions would be a great help. Thanks.

Chi Lambda
Sunday, January 25, 2004

It is better to block IPs in firewall, web server or application server to reduce overhead, which new custom code may add.

Evgeny Gesin /Javadesk.com/
Sunday, January 25, 2004

IPs do change for most people. At least where I live you have to pay extra if you want your own IP so it's not a reliable method.

One way that works with non techie surfers is to put a cookie on their computers, but that's very easy to get around for those with only some basic knowledge.

Eric DeBois
Sunday, January 25, 2004

Blocking by IP-address is common-enough, although it blocks legitimate users too.  Others within 'range' of your blocked IP address will also be blocked.

Sometimes users can appear to have the same IP address too, e.g. they are behind a NAT proxy (as is common in network environments and many cheap dialup ISPs)

i like i
Sunday, January 25, 2004
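
The prefix-based block discussed above, in classic ASP, as an added example that is not any poster's code. The prefixes are constructed documentation ranges (RFC 5737), and a prefix match also blocks every other visitor in that range or behind the same NAT or proxy.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Constructed deny list (RFC 5737 documentation ranges, not real offenders).
' Keep the trailing dot so "198.51." cannot match an address like "198.5.x.x".
Dim blockedPrefixes
blockedPrefixes = Array("203.0.113.", "198.51.")

' True when the address starts with any blocked prefix.
Function IsBlocked(ip)
    Dim prefix
    IsBlocked = False
    For Each prefix In blockedPrefixes
        If Left(ip, Len(prefix)) = prefix Then
            IsBlocked = True
            Exit Function
        End If
    Next
End Function

' REMOTE_ADDR is always the numeric address of the connecting peer.
' REMOTE_HOST can be a host name when the server does reverse lookups.
' Behind a NAT gateway or proxy this is the gateway's address, shared by
' everyone using it.
Dim clientIp
clientIp = Request.ServerVariables("REMOTE_ADDR")

If IsBlocked(clientIp) Then
    ' Stop before any page content is produced.
    Response.Status = "403 Forbidden"
    Response.Write "Forbidden"
    Response.End
End If
%>
```

Saved as an include at the top of each page, this runs before any content is written; the same deny list applied at the firewall or web server avoids the per-request script cost mentioned earlier in the thread.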

The only reliable way would be to have the user fill in a form, send it by snail-mail, do some background to make sure they are who they say they are, and generate an account that they need to use to log on and have access to your web server.

Mmm....

FredF
Sunday, January 25, 2004

You can do a whois lookup on the IP block to determine who owns the IP address/block and hence to which country it is registered. There are four whois servers because there are four IP address registries. Try ARIN first. Then RIPE, LACNIC and APNIC.

That's assuming you want to do it by country/company. As someone else mentioned, it's better to do this at the network level rather than the application level to reduce overhead.

Anon
Sunday, January 25, 2004

A certain CxO asked me to do this constantly - "How can we block our competitors from viewing our site?"

The only really accurate technical solution is with rdns as the poster above says, but that sure is a (resource) expensive way to go.

There is another solution, one which works 100% of the time, cannot be defeated, and is essentially, foolproof:

DON'T PUT STUFF YOU WANT TO KEEP PRIVATE ON A PUBLIC WEB SITE!

It's a technology with great methods for keeping things private (http auth)- why fight the obvious?  It's not a technical problem.

Ted
Sunday, January 25, 2004

Ted,

Maybe you underestimated the level of his ignorance, maybe he was talking about the intranet at your offices?

the artist formerly known as prince
Sunday, January 25, 2004

My boss or the poster? 

My boss was talking about our regular ol' corporate web site.  I eventually wrote a treatise which contained a phrase like : "We don't want to appear nervous about our competition looking at our site " (or something like that), and he did a 180 on that idea immediately.

Ted
Sunday, January 25, 2004

Chi Lambda -

Ted's hit the crux of the matter -- if you are trying to prevent people from selected groups from accessing information via your website, the only sure way to do it is to not put the info on the website, or anywhere that's reachable from the website.

Your post doesn't spell out the actual operational situation giving rise to your need to limit access, so I'm making an assumption that somebody in your organization has asked you (again, as in Ted's post) how to keep competitors (or any arbitrary target group) from accessing info on your otherwise public website, and this is the basis for your post. My response is based on this assumption. If my assumption's wrong, then it'd be helpful for you to tell us more about the underlying problem. As it is, this really looks to me like somebody in your organization is trying to solve the wrong problem.

Anyway, proceeding with assumption firmly in hand, there's no way to do what you asked that's meaningfully effective. Big deal, so you could implement one or more ways to prevent a machine from your competitors' domains from accessing your website. That doesn't do anything to prevent people who work for your competitors from accessing your website from their home/personal machines and capturing whatever info they might want from your public site. Or, when they find themselves blocked, of using their friends' machines that might not have been blocked. This whole approach is effectively like trying to build a big 'deny' list, and there are too many ways to get around it, let alone dealing with all the folks you'd want to give access to that you'd be blocking out unintentionally.

Fredf's solution makes more sense, i.e. effectively constructing an 'accept' list, but the effectiveness of that approach is completely dependent upon the quality of whatever vetting process you apply to the requests for access. And if your intent is to have the "benign public" (i.e. people not in your list of forbidden groups) able to generally access your site (another assumption on my part), then you'd have let the general public into your accept list. Again, not practical to do while still limiting access.

So, we get back to the most practical solution to this assumed situation -- don't put stuff you don't want seen on a public website. Ever. Period.

anonQAguy
Sunday, January 25, 2004

Did it occur to you anonQAguy that your post is a total waste of space?  Why not think of something original instead of summarizing what everyone else says.  No wonder you work QA.


Sunday, January 25, 2004

I am not naive to how public the World Wide Web is. But I (custom) built a weblog for my wife and she happens to mention that she's Jewish over there. And now she's getting some anti-semitic remarks in her comments and I would simply like to do my best to block this person.

Chi Lambda
Monday, January 26, 2004

Easiest to delete the comments. You can ask them to register before they post a comment though they will reregister if they are pissed off. At least you get an email address to send your revenge hate mail to.

Stephen Jones
Monday, January 26, 2004
