AuthenticateRequest in Global.asax and a custom HTTP Module

Discussion in 'ASP .Net Security' started by Leslie, May 24, 2005.

  1. Leslie

    Leslie Guest

    I am writing a web services application, using basic authentication.
    However, I need to authenticate against user setting up in our database. So,
    I need to write my own code to authenticate users.

    I think that I could put my authentication code in AuthenticateRequest event
    in either Global.asax or in a custom HTTP module. However, I don't know what
    is the difference between them. And is there any implication if I make the
    choice of one way or the other?

    Any helps would be appreciated. Thanks.
    Leslie, May 24, 2005
    #1
    1. Advertising

  2. Leslie

    Brock Allen Guest

    > I think that I could put my authentication code in AuthenticateRequest
    > event in either Global.asax or in a custom HTTP module. However, I
    > don't know what is the difference between them. And is there any
    > implication if I make the choice of one way or the other?


    Authentication is done in your custom login page. Once you are confident
    the user has provided proper credentials you then want to call FormsAuthentication.SetAuthCookie
    or FormsAuthentication.RedirectFromLoginPage. This will issue a cookie that
    will identify the user.

    So, in short, you just need to build the login page.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen
    Brock Allen, May 25, 2005
    #2
    1. Advertising

  3. Leslie

    Leslie Guest

    Thanks for helpine me here. If I understand you correctly, I think you are
    talking about form authentication. However, since I am writing a web service
    application, I can't use this approach. That is why I am thinking to use
    AuthenticateRequest from either the Blobal.asax or a custom HTTP module. But
    I am not sure about the difference of these two. Do you know?

    "Brock Allen" wrote:

    > > I think that I could put my authentication code in AuthenticateRequest
    > > event in either Global.asax or in a custom HTTP module. However, I
    > > don't know what is the difference between them. And is there any
    > > implication if I make the choice of one way or the other?

    >
    > Authentication is done in your custom login page. Once you are confident
    > the user has provided proper credentials you then want to call FormsAuthentication.SetAuthCookie
    > or FormsAuthentication.RedirectFromLoginPage. This will issue a cookie that
    > will identify the user.
    >
    > So, in short, you just need to build the login page.
    >
    > -Brock
    > DevelopMentor
    > http://staff.develop.com/ballen
    >
    >
    >
    >
    >
    Leslie, May 25, 2005
    #3
  4. Hello Leslie,

    the difference of global.asax and a httpModule is packaging. the module is
    a dll (which can be potentially shared or GACed) - global.asax is always
    local to that one app.

    But if you are using WebServices - you should consider using WSE with UsernameTokens
    - i don't think you should roll your own authentication scheme!

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Thanks for helpine me here. If I understand you correctly, I think
    > you are talking about form authentication. However, since I am
    > writing a web service application, I can't use this approach. That is
    > why I am thinking to use AuthenticateRequest from either the
    > Blobal.asax or a custom HTTP module. But I am not sure about the
    > difference of these two. Do you know?
    >
    > "Brock Allen" wrote:
    >
    >>> I think that I could put my authentication code in
    >>> AuthenticateRequest event in either Global.asax or in a custom HTTP
    >>> module. However, I don't know what is the difference between them.
    >>> And is there any implication if I make the choice of one way or the
    >>> other?
    >>>

    >> Authentication is done in your custom login page. Once you are
    >> confident the user has provided proper credentials you then want to
    >> call FormsAuthentication.SetAuthCookie or
    >> FormsAuthentication.RedirectFromLoginPage. This will issue a cookie
    >> that will identify the user.
    >>
    >> So, in short, you just need to build the login page.
    >>
    >> -Brock
    >> DevelopMentor
    >> http://staff.develop.com/ballen
    Dominick Baier [DevelopMentor], May 26, 2005
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Dhananjay Modak

    global.asax v/s http module

    Dhananjay Modak, Aug 4, 2003, in forum: ASP .Net
    Replies:
    0
    Views:
    326
    Dhananjay Modak
    Aug 4, 2003
  2. Norton

    HTTP Modules and global.asax

    Norton, Jul 31, 2004, in forum: ASP .Net
    Replies:
    2
    Views:
    518
    Shan Plourde
    Jul 31, 2004
  3. =?Utf-8?B?YmNoYXJsZXM=?=

    global.asax and global.asax.cs

    =?Utf-8?B?YmNoYXJsZXM=?=, Oct 4, 2004, in forum: ASP .Net
    Replies:
    5
    Views:
    798
    =?Utf-8?B?YmNoYXJsZXM=?=
    Oct 5, 2004
  4. =?Utf-8?B?RGF2ZQ==?=

    AuthenticateRequest event and Roles

    =?Utf-8?B?RGF2ZQ==?=, Dec 20, 2005, in forum: ASP .Net
    Replies:
    1
    Views:
    588
    Daniel TIZON
    Dec 20, 2005
  5. Mark Rae

    Global.asax / Global.asax.cs in v2

    Mark Rae, May 23, 2006, in forum: ASP .Net
    Replies:
    6
    Views:
    3,137
    Mark Rae
    May 23, 2006
Loading...

Share This Page