Rank: Newbie Groups: Member
Joined: 11/24/2010 Posts: 2
|
Hi, anyone can access http://mywebsite.com/eo_web.ashx?somefilenamexxx using the treeview without logging into the website. We have a web scanner and found that it can be accessed outside of being logged in. Is there any way to prevent access without logging in? EO version 8.0. Thanks, Craig.
|
Rank: Administration Groups: Administration
Joined: 5/27/2007 Posts: 24,194
|
Hi,
You can use whatever method you use to secure your other pages to secure eo_web.ashx. We do not recommend that you do so, however, for two reasons:
1. eo_web.ashx is used by us to render our JavaScript files and image files, so there is nothing sensitive in it;
2. Once you restrict access to eo_web.ashx, our control will not work unless you log in. That may cause problems for you. For example, if you use our Menu on your login page, then that Menu will not work after you restrict access to eo_web.ashx, because at that point the user is not logged in yet.
Thanks!
|
Rank: Newbie Groups: Member
Joined: 11/24/2010 Posts: 2
|
Thanks for responding. The website is fully secured and the only access is through the login page. Also I'm using my own login process. Therefore the only component being used is the treeview and only used after authentication. On a handler I created, I check authentication first, before proceeding.
Since the component is actually in the .dll and the .ashx contains <%@ WebHandler Class="EO.Web.Runtime" %> only, I don't think I can add any authentication to it.
I'm being pro-active, in case our IT security people think this should not be accessed from the outside.
|
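An added example, not from EO or from either poster: ASP.NET URL authorization can restrict eo_web.ashx from web.config alone, with no change to the one-line .ashx file or the DLL. It assumes the site's login sets the ASP.NET request principal (for example by issuing a Forms authentication ticket); the login URL shown is a placeholder.

```xml
<!-- Added example: web.config fragment for restricting eo_web.ashx. -->
<configuration>
  <system.web>
    <!-- Assumption: Forms authentication. ~/Login.aspx is a placeholder. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>
  </system.web>

  <!-- Default behaviour (what the scanner reported): with no rule for the
       handler, anonymous requests to eo_web.ashx are served. -->

  <!-- Restricted: deny anonymous users ("?") for this one path.
       The rule matches the path only, so it covers every
       eo_web.ashx?... request regardless of the query string. -->
  <location path="eo_web.ashx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

If the custom login process tracks the user some other way and never sets the request principal, this rule rejects logged-in users as well. As the administrator's reply notes, any EO control on a page shown before login stops working once the rule is in place.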