Velocity Reviews - Computer Hardware Reviews


Forms based security

 
 
Charlie Dison
 
      06-19-2004
Hi there,
In forms based security do I have to arrange pages into subdirectories
in order to secure them? I want the public to access my home page and
public content but want to restrict other content only to those for whom
I've granted a userid. Seems like I must organize all the private content
into one or more subdirectories. My problem is that I have some content
that should be accessible to both and I hate to have to specify directory
names when redirecting. Is there something that I can place in the load
event of each page that checks to see if the user has been authenticated
(checks for the cookie that would have been created)?




 
 
 
 
 
[MSFT]
 
      06-21-2004
Hi Charlie,

To get the forms authentication cookie, you can get the cookie name from:

FormsAuthentication.FormsCookieName

However, the cookie is encrypted, and we cannot get its actual value.

Regarding the issue, since the content is accessible to both
authenticated users and others, you can just leave the content public. Is
this right?

If you have private and public content on the same web form, you may consider
the following workaround:

When performing forms authentication, you can add a cookie yourself,
indicating the user has been authenticated. And then, arrange pages based
on this cookie value.

Hope this helps,

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 
 
 
 
 
ranganh
 
      06-21-2004
Dear Charlie,

You don't need to arrange the authenticated pages inside a folder. You can specify the pages (say, if they are minimum 5 pages etc.) using a location path. In that, you can also specify to allow the users for whom you gave a userid. The following illustration shows the same:

<location path="ProtectedPage1.aspx">
    <system.web>
        <authorization>
            <allow users="UserId" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>

The above would allow users with the above userid (whatever you give) and will deny all other users (anonymous and logged in).

However, in case you want to allow users with the above userid as well as their own userid (logged in), change the deny to <deny users="?" />. This will restrict only people who are not logged in.

To check whether the user is logged in, use

if (User.Identity.IsAuthenticated)
{
    // the user is logged in
}

To get the user's id, use

User.Identity.Name

Hope it helps.

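The page-level check asked about in the original question, as an added example that is not part of the thread or any poster's code. It relies on User.Identity, which ASP.NET fills in from the validated forms-authentication ticket, rather than on a separate marker cookie that a client could set itself. The class names, MembersPanel and WelcomeLabel are hypothetical, and FormsAuthentication.RedirectToLoginPage assumes ASP.NET 2.0 or later.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical base class: private pages inherit from this instead of
// System.Web.UI.Page, wherever they live in the site.
public class ProtectedPage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        // User.Identity comes from the decrypted, validated forms ticket,
        // not from a cookie value the page reads on its own.
        if (!User.Identity.IsAuthenticated)
        {
            // RedirectToLoginPage does not end the request by itself,
            // so stop processing before any page content is rendered.
            FormsAuthentication.RedirectToLoginPage();
            Response.End();
            return;
        }
        base.OnLoad(e);
    }
}

// Hypothetical mixed page: public content always renders, the private
// panel only for signed-in users.
public class MixedContentPage : Page
{
    // Assumed to be declared in the .aspx as
    // <asp:Panel ID="MembersPanel" runat="server"> containing
    // <asp:Label ID="WelcomeLabel" runat="server" />.
    protected Panel MembersPanel;
    protected Label WelcomeLabel;

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        bool signedIn = User.Identity.IsAuthenticated;
        MembersPanel.Visible = signedIn;
        if (signedIn)
        {
            // Encode the name before it is written into the markup.
            WelcomeLabel.Text = Server.HtmlEncode(User.Identity.Name);
        }
    }
}
```

A check in the page only protects pages that actually inherit from the base class, whereas the location rules in web.config are enforced before the page runs at all.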
 
Charlie Dison
 
      06-26-2004
Ok. that helps. Thanks
"ranganh" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
 
Charlie Dison
 
      06-26-2004
Ok. that helps. Thanks
"[MSFT]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...