search
Username

Password

Remember me
Forgot password?
- en
- ru
- pt
- es
- JP
- ZH

How to use FastReport reports in a PHP application. Part 3
October 14, 2019
This is the final part of the article about using FastReport.Net in conjunction with a
read more
How to use FastReport reports in PHP application. Part 1.
October 13, 2019
FastReport.Net was created specially for the .net platform. Accordingly, web reports work with ASP.Net and
read more
How to use FastReport reports in a PHP application. Part 2.
October 13, 2019
In the first part of the article, we created an ASP.Net Core application in which
read more
Interactive web report in MVC
August 14, 2017
In this article we will look at how to create interactive web reports. These reports
read more
How to make PDF on Raspberry PI with .NET Core
May 26, 2020
Raspberry PI is a miniature single-board computer with ARM processor. This microcomputer is often used
read more

How to make a web report authentication

October 13, 2019

Every time we generate a web report, ajax request leads to the execution of handlers: WebResource.axd and FastReport.Export.axd. Files with the axd extension are used in ASP.Net applications to get resources from dll libraries: images, javascript and styles.

As a result, we get an HTML report file. But, since the report is generated and located in the IIS cache, then, knowing the generated report ID (which is generated upon request), a malefactor can easily get it. And this is a potential security issue if the report contains confidential data. The way out of this situation can be user authentication. That is, if the report is called by a specific user, then only he can get a copy of it.

We could check the http request for user authentication, but this is not a way out. A malefactor can always spoof a request. The best solution would be session authentication. Until recently, FastReport.Net did not provide such functionality. But in version 2019.3.13 there appeared an event for ajax authentication of report resources loaded via asp handler in WebReport.

The WebReport.CustomAuth event is executed before the report is displayed. At this point, you can check the user in the session. Here is an example of using a new event:

public ActionResult Index()
 {
 Session["User"] = "Father Brown";
...
 webReport.CustomAuth += WebReport_CustomAuth;
...
 }
...
 private void WebReport_CustomAuth(object sender, CustomAuthEventArgs e)
 {
 e.AuthPassed = (e.Context.Session["User"] as string) == "Father Brown";
 }
...

As you can see, first, before creating the report, we set the username in the Http session, subscribe to the event. In the event handler, we perform a user check. If the report is requested by another user, then his name in the session will be different and the report will not be displayed. This example shows user authentication, but you can implement your own version.

Thus, we can significantly improve data security by implementing report authentication.

Dmitriy Fedyashov

FastReport ASP.NET MVC Core