Authentication in ASP.NET: best practice?

Discussion in 'ASP .Net Security' started by Jules Hoppenbrouwers, Sep 9, 2003.

  1. I'd like to poll for some best practices about ASP.NET application
    security.

    Here's what it's about:
    I wanna develop an ASP.NET web application with VS.NET 2003. This
    application consists of some pages which are available for anonymous
    users and some that are NOT available for anonymous users (i.e. need
    authentication).

    To achieve this I set the web.config <authentication>-tag to <forms
    ....> and <deny users="?"> in the <authorization>-tag. This will
    redirect every unkown user to my login-form. To allow anonymous users
    browse to the other pages (which don't need authentication) I made a
    second project. Here the <authorization>-tag in the web.config stated
    <allow users="*">

    But, since my application is not really big I thought this is too much
    work (i.e. creating two projects); since I only need authentication
    for half of my ASP.NET pages. Maybee there is another way. I was
    thinking of making a new login-form where I set an attribute in the
    session state. Then in every page which needs authentication, I check
    if this attribute is set in the page_load. If not so, redirect the
    user to the login-form. To logout the user can either close the
    browser of I redirect them to a form where the can sign-out (which
    will delete the session attribute).

    Please share your thoughts about this. Maybe their are even (!) better
    idea's.

    Kind regards,

    Jules Hoppenbrouwers

    < Don't reply by email. Use this forum instead.>
    Jules Hoppenbrouwers, Sep 9, 2003
    #1
    1. Advertising

  2. Jules Hoppenbrouwers

    Nick Hertl Guest

    I don't believe that your web.config must be global to the project. Try
    creating a subdirectory for your project and put a second web.config in
    there. Some settings cannot be overridden and it doesn't make sense to put
    them in both locations, but the authentication and authorization stuff is
    ok I think.

    You will want the root to allow anonymous access, but then for any of the
    pages that are restricted and in your second folder, the web.config will
    notice that you marked that one as needing authentication and redicect to
    the login.aspx page you specified unless they are already logged in.

    I've done this before but don't have the project in front of me anymore to
    send you my config files, but give that a try.

    -----------

    This posting is provided "AS IS" with no warranties, and
    confers no rights.

    Please do not send e-mail directly to this alias. This
    alias is for newsgroup purposes only.

    Thanks
    Nick

    >I'd like to poll for some best practices about ASP.NET application
    >security.
    >
    >Here's what it's about:
    >I wanna develop an ASP.NET web application with VS.NET 2003. This
    >application consists of some pages which are available for anonymous
    >users and some that are NOT available for anonymous users (i.e. need
    >authentication).
    >
    >To achieve this I set the web.config <authentication>-tag to <forms
    >...> and <deny users="?"> in the <authorization>-tag. This will
    >redirect every unkown user to my login-form. To allow anonymous users
    >browse to the other pages (which don't need authentication) I made a
    >second project. Here the <authorization>-tag in the web.config stated
    ><allow users="*">
    >
    >But, since my application is not really big I thought this is too much
    >work (i.e. creating two projects); since I only need authentication
    >for half of my ASP.NET pages. Maybee there is another way. I was
    >thinking of making a new login-form where I set an attribute in the
    >session state. Then in every page which needs authentication, I check
    >if this attribute is set in the page_load. If not so, redirect the
    >user to the login-form. To logout the user can either close the
    >browser of I redirect them to a form where the can sign-out (which
    >will delete the session attribute).
    >
    >Please share your thoughts about this. Maybe their are even (!) better
    >idea's.
    >
    >Kind regards,
    >
    >Jules Hoppenbrouwers
    >
    >< Don't reply by email. Use this forum instead.>
    >
    Nick Hertl, Nov 15, 2003
    #2
    1. Advertising

  3. Jules Hoppenbrouwers

    Nick Hertl Guest

    Shoot... it looks like I've deleted those files. But just try creating new
    web.config files in the subdirectories with the settings that you want to
    override. It will tell you about it and throw an error if it doesn't like
    your configuration. And if it doesn't complain, try logging in and see
    what all you can access. I remember I figured this one out by brail with
    some help from my trusty ASP.NET unleashed book by Walther.

    This posting is provided "AS IS" with no warranties, and
    confers no rights.

    Please do not send e-mail directly to this alias. This
    alias is for newsgroup purposes only.

    Thanks
    Nick

    --------------------
    >I don't believe that your web.config must be global to the project. Try
    >creating a subdirectory for your project and put a second web.config in
    >there. Some settings cannot be overridden and it doesn't make sense to

    put
    >them in both locations, but the authentication and authorization stuff is
    >ok I think.
    >
    >You will want the root to allow anonymous access, but then for any of the
    >pages that are restricted and in your second folder, the web.config will
    >notice that you marked that one as needing authentication and redicect to
    >the login.aspx page you specified unless they are already logged in.
    >
    >I've done this before but don't have the project in front of me anymore to
    >send you my config files, but give that a try.
    >
    >-----------
    >
    >This posting is provided "AS IS" with no warranties, and
    >confers no rights.
    >
    >Please do not send e-mail directly to this alias. This
    >alias is for newsgroup purposes only.
    >
    >Thanks
    >Nick
    >
    >>I'd like to poll for some best practices about ASP.NET application
    >>security.
    >>
    >>Here's what it's about:
    >>I wanna develop an ASP.NET web application with VS.NET 2003. This
    >>application consists of some pages which are available for anonymous
    >>users and some that are NOT available for anonymous users (i.e. need
    >>authentication).
    >>
    >>To achieve this I set the web.config <authentication>-tag to <forms
    >>...> and <deny users="?"> in the <authorization>-tag. This will
    >>redirect every unkown user to my login-form. To allow anonymous users
    >>browse to the other pages (which don't need authentication) I made a
    >>second project. Here the <authorization>-tag in the web.config stated
    >><allow users="*">
    >>
    >>But, since my application is not really big I thought this is too much
    >>work (i.e. creating two projects); since I only need authentication
    >>for half of my ASP.NET pages. Maybee there is another way. I was
    >>thinking of making a new login-form where I set an attribute in the
    >>session state. Then in every page which needs authentication, I check
    >>if this attribute is set in the page_load. If not so, redirect the
    >>user to the login-form. To logout the user can either close the
    >>browser of I redirect them to a form where the can sign-out (which
    >>will delete the session attribute).
    >>
    >>Please share your thoughts about this. Maybe their are even (!) better
    >>idea's.
    >>
    >>Kind regards,
    >>
    >>Jules Hoppenbrouwers
    >>
    >>< Don't reply by email. Use this forum instead.>
    >>

    >
    >
    Nick Hertl, Nov 19, 2003
    #3
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Zenobia
    Replies:
    1
    Views:
    370
    Teemu Keiski
    Jul 5, 2004
  2. Phil Johnson
    Replies:
    2
    Views:
    732
    Phil Johnson
    Mar 12, 2008
  3. mikemad
    Replies:
    1
    Views:
    255
    mikemad
    Jan 27, 2005
  4. Replies:
    0
    Views:
    177
  5. oldyork90
    Replies:
    1
    Views:
    154
    Jeremy J Starcher
    Sep 10, 2008
Loading...

Share This Page