Jules Hoppenbrouwers
I'd like to poll for some best practices about ASP.NET application
security.
Here's what it's about:
I wanna develop an ASP.NET web application with VS.NET 2003. This
application consists of some pages which are available for anonymous
users and some that are NOT available for anonymous users (i.e. need
authentication).
To achieve this I set the web.config <authentication>-tag to <forms
....> and <deny users="?"> in the <authorization>-tag. This will
redirect every unknown user to my login-form. To allow anonymous users
to browse to the other pages (which don't need authentication) I made a
second project. Here the <authorization>-tag in the web.config stated
<allow users="*">
But, since my application is not really big I thought this is too much
work (i.e. creating two projects); since I only need authentication
for half of my ASP.NET pages. Maybe there is another way. I was
thinking of making a new login-form where I set an attribute in the
session state. Then in every page which needs authentication, I check
if this attribute is set in the page_load. If not so, redirect the
user to the login-form. To logout the user can either close the
browser or I redirect them to a form where they can sign-out (which
will delete the session attribute).
Please share your thoughts about this. Maybe there are even (!) better
ideas.
Kind regards,
Jules Hoppenbrouwers
< Don't reply by email. Use this forum instead.>
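One way to keep both kinds of pages in a single project, as an added example that is not part of the original post: a single web.config that denies anonymous users by default and opens individual paths with <location> elements. The page names, the Public folder and the cookie name are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Forms authentication for the whole application.
         Login.aspx and the cookie name are placeholder values. -->
    <authentication mode="Forms">
      <forms name=".EXAMPLEAUTH"
             loginUrl="Login.aspx"
             protection="All"
             timeout="30"
             path="/" />
    </authentication>

    <!-- Default rule: anonymous users ("?") are denied everywhere.
         A page added later is protected unless it is listed below,
         so a forgotten entry fails closed rather than open. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Override for one public page (hypothetical file name). -->
  <location path="Default.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Override for a whole folder of public pages (hypothetical folder). -->
  <location path="Public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Sign-out in this setup is a call to FormsAuthentication.SignOut() from the sign-out page, which removes the authentication ticket instead of relying on the user closing the browser.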