2 security questions

Discussion in 'ASP .Net' started by John, Nov 19, 2004.

  1. John

    John Guest

    First off, I am very new to ASP.NET, please excuse my ignorance if I am
    asking the obvious.



    All forms authentication examples I have seen so far either use
    userid/password info in the web.config file or validate it against the
    database. If the user is authenticated, an authentication ticket is
    created, encrypted, and stored in a cookie. Then every page decrypts the
    ticket and checks the roles to confirm it should have access to this page.



    This brings to mind 2 questions:



    Q1. Instead of validating on every page, why not simply place the ticket
    validation in an HTTPModule and redirect to the requested page or the login
    page? Then any web app could basically add the DB tables, login page, and
    new HTTPModule for instant security functionality. This is so simple, I
    have to wonder if I've completely missed something, or it's a current
    functionality in ASP.NET, and I just haven't seen it yet.



    Q2. I want to make user, role, and permission maintenance available to the
    administrator online. This would require a very simple object model and a
    few simple pages. This is the type of thing that is pretty generic and
    common. I don't want to reinvent the wheel, so does anybody know where I
    could find these pages/objects?



    Thanks in advance.



    Regards,

    John
    John, Nov 19, 2004
    #1

  2. > Q1. Instead of validating on every page, why not simply place the ticket
    > validation in an HTTPModule and redirect to the requested page or the login
    > page? Then any web app could basically add the DB tables, login page, and
    > new HTTPModule for instant security functionality. This is so simple, I
    > have to wonder if I've completely missed something, or it's a current
    > functionality in ASP.NET, and I just haven't seen it yet.


    Erm, this is *precisely* how the Forms Authentication piece of ASP.NET
    works. See the class System.Web.Security.FormsAuthenticationModule, and
    note how in the machine.config there's the registration of this HTTP Module:

    <httpModules>
    ...
    <add name="FormsAuthentication"
    type="System.Web.Security.FormsAuthenticationModule"/>
    ...
    </httpModules>


    > Q2. I want to make user, role, and permission maintenance available to the
    > administrator online. This would require a very simple object model and a
    > few simple pages. This is the type of thing that is pretty generic and
    > common. I don't want to reinvent the wheel, so does anybody know where I
    > could find these pages/objects?


    There's an article Darren Neimke [http://weblogs.asp.net/dneimke/] and I
    wrote on this topic:
    http://aspnet.4guysfromrolla.com/articles/082703-1.aspx

    It doesn't provide a complete, pre-built solution, but it does have
    plenty of code snippets that should move you in the right direction.

    hth

    --

    Scott Mitchell

    http://www.4GuysFromRolla.com

    * When you think ASP.NET, think 4GuysFromRolla.com!
    Scott Mitchell [MVP], Nov 20, 2004
    #2
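
Added example, not part of either post and not code from the linked article: a small custom HTTP module that runs after the built-in FormsAuthenticationModule and attaches roles to the request principal, so the role check from Q1 happens once per request instead of in every page. The class name `RoleTicketModule` is hypothetical, and storing roles as a comma-separated list in the ticket's `UserData` at login is an assumption.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical module. Register it in the application's web.config under
// <httpModules>; modules listed there run after the machine.config ones,
// so FormsAuthenticationModule has already processed the cookie.
public class RoleTicketModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Fires once per request, before any page code executes.
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
    }

    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // No valid ticket: leave the request anonymous and let the
        // <authorization> rules redirect it to the login page.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;

        // Only handle identities produced by forms authentication.
        FormsIdentity identity = ctx.User.Identity as FormsIdentity;
        if (identity == null)
            return;

        // Assumption: the login page wrote "Admin,Editor" style role names
        // into UserData when it built the FormsAuthenticationTicket. The
        // ticket was decrypted and validated by FormsAuthenticationModule,
        // so this value has not been altered by the client.
        string userData = identity.Ticket.UserData;
        string[] roles = (userData == null || userData.Length == 0)
            ? new string[0]          // authenticated, but no roles
            : userData.Split(',');

        // Replace the principal so IsInRole() and role-based
        // <authorization> rules see the roles from the ticket.
        ctx.User = new GenericPrincipal(identity, roles);
    }

    public void Dispose() { }
}
```

With the roles on `Context.User`, `<allow roles="..."/>` and `<deny users="?"/>` entries under `<authorization>` in web.config are enforced by the built-in UrlAuthorizationModule, so individual pages need no ticket-handling code.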
