ASP.NET Folder Security

Discussion in 'ASP .Net' started by Dave, Apr 10, 2006.

  1. Dave

    Dave Guest

    Hi,

    I am developing a web application which needs different levels of
    security.

    - Basic browsing with name and basic profile being stored
    - Changing account information e.g. address, password etc
    - Buying an item from the store

    I want all users to be able to do this, but I want them to have three
    different login processes so that I can control the system. I want to
    use forms authentication and would ideally have a web.config in a
    folder for each level to control the authentication process. I know
    this can't be done unless I split them into different applications.
    This will however cause problems with holding sessions across the
    applications etc.

    If you could offer any advice I would really appreciate it.

    Thanks :)
     
    Dave, Apr 10, 2006
    #1

  2. Dave

    Brian Guest

    "Dave" <> wrote in message
    news:...
    > Hi,
    >
    > I am developing a web application which needs different levels of
    > security.
    >
    > - Basic browsing with name and basic profile being stored
    > - Changing account information e.g. address, password etc
    > - Buying an item from the store
    >
    > I want all users to be able to do this, but I want them to have three
    > different login processes so that I can control the system. I want to
    > use forms authentication and would ideally have a web.config in a
    > folder for each level to control the authentication process. I know
    > this can't be done unless I split them into different applications.
    > This will however cause problems with holding sessions across the
    > applications etc.
    >
    > If you could offer any advice I would really appreciate it.
    >
    > Thanks :)


    Hey Dave -

    After going through a similar dilemma myself, I more or less threw out Forms
    Authentication. I'll add a minor gripe. Asp.Net is terrific if you're in a
    cookie cutter shop. It's a nightmare if you want to do anything even
    slightly out of the ordinary. All the niceties tend to work against a
    proprietary solution.

    I switched to a simple Session["User"] == null check. It looks like this:

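    protected void Page_Load(object sender, EventArgs e)
    {
        // No user in the session: send the visitor to the login page.
        if (Session["User"] == null)
        {
            // Return to the page that was requested (URL-encoded so it
            // survives as a single query-string value)
            Response.Redirect("login.aspx?returnurl=" + Server.UrlEncode(Request.Url.ToString()));
            // or always return to one fixed page:
            // Response.Redirect("login.aspx?returnurl=a_very_specific_url.aspx");
        }
    }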

    These lines of code occur in every page_load of every page that will be
    authenticated. But it's only a few lines of code.

    The login page sets Session["User"] of course. And logout sets it back to
    null (or abandons the session).

    This method is very simple. It has all the benefits of form authentication
    without any of the application disadvantages. And it can intelligently
    redirect requests. That is, if a user tries to bookmark step 4 of 5, and
    return to it tomorrow, the page will still snap back to the first screen or
    whatever. This is in contrast to forms authentication which returns the
    user to whichever page made the unauthenticated request (without recourse).

    I consider the maintenance very minor, certainly much less so than virtual
    directories springing up like daisies.

    HTH,
    Brian
     
    Brian, Apr 10, 2006
    #2
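
The pattern in the reply above hands the requested URL to login.aspx in `returnurl`, so the login page ends up redirecting to a value taken from the request. The following is an added example, not code from the thread, showing how to build that value and how to check it on the login side so the post-login redirect stays inside the site; `ReturnUrlGuard`, its method names, `/default.aspx` and the sample URLs are assumptions.

```csharp
using System;

// Added example, not code from the thread. ReturnUrlGuard, its method names
// and "/default.aspx" are hypothetical; the sample URLs are constructed.
public static class ReturnUrlGuard
{
    // Protected page side: pass only the path and query of the requested URL,
    // escaped so it arrives at login.aspx as a single query-string value.
    public static string BuildLoginRedirect(Uri requested)
    {
        return "login.aspx?returnurl=" + Uri.EscapeDataString(requested.PathAndQuery);
    }

    // Login page side: returnurl comes from the request, so accept it only if
    // it is a site-relative path; anything else falls back to a fixed page.
    public static string ResolveReturnUrl(string returnUrl, string fallback)
    {
        if (string.IsNullOrEmpty(returnUrl) || returnUrl[0] != '/')
            return fallback;                       // empty, absolute, or not rooted
        if (returnUrl.Length > 1 && (returnUrl[1] == '/' || returnUrl[1] == '\\'))
            return fallback;                       // "//host" and "/\host" leave the site
        foreach (char c in returnUrl)
            if (char.IsControl(c))
                return fallback;                   // CR/LF etc. have no place in a redirect
        return returnUrl;
    }

    public static void Main()
    {
        Uri requested = new Uri("http://shop.example/store/checkout.aspx?step=4");
        Console.WriteLine(BuildLoginRedirect(requested));

        string[] samples = {
            "/store/checkout.aspx?step=4",   // same-site path
            "http://other.example/",         // absolute URL to another host
            "//other.example/x",             // scheme-relative URL
            "/\\other.example/x",            // backslash variant of the above
            ""                               // parameter missing
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-32} -> {1}", s, ResolveReturnUrl(s, "/default.aspx"));
    }
}
```

In a page, `BuildLoginRedirect(Request.Url)` would feed `Response.Redirect` in `Page_Load`, and login.aspx would pass `Request.QueryString["returnurl"]` through `ResolveReturnUrl` after setting `Session["User"]`.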