Authentification question

[Ivan Demkovitch]

Hi!

I'm reading thru everything I could find on "user Authentification" topic.

There is couple of options ASP.NET suggest: Forms, Passport, etc...

My application is simple portal with forums and Online store will be added
in future.
It will be hosted using hosting provider (no way to setup security, etc..)

I don't see how I can use windows authentification (forms) in my
application.

Or may be I do not understand and this is just set of objects to make my
life easier?

By design my users will be restricted to viewing of page and I will be able
to give them permissions to specific modules, so they can edit info.

I don't see anything problematic here.

I'm planning on using Session object to keep user info. Is it safe?

Please give me links to any info on this topic or share your opinion on how
it's done best. I just don't understand wat this bookstalking about.
Looks like it is all for intranets/personally owned web servers.

Thanks!

 

[Ivan Demkovitch]

Steve,

I also was looking at this, but I don't understand how this will work for my
application.

I have 1 Page web application(portal). This is Default.aspx

DB describe "Pages" as to what modules loaded and where. All modules done as
user controls.

Baiscally Pages will be: Default.aspx or Default.aspx?PageKey=1,
Default.aspx?PageKey=2 and so on.

Login Module will be loaded on specific pages and I would like to display
Greeting or UN/PW fields.

How would I make forms authentification to work for this scenario?

TIA!

 

[Ivan Demkovitch]

Steve,

Another thing. Wat if user's browser does not accept cookies. From what I
understand it has to place cookie.

How to go about it?

 

[Steve C. Orr, MCSD]

The cookie thing is no problem.
In your web.config file, in your sessionState tag, set the attribute
cookieless="true"

As for the non-standard way you're putting all your pages into a single
page, that does make things a bit more difficult.
There's likely a way to get it to work, but it won't be nearly so automatic.
Your idea of using Session state to store permissions is starting to look
better.
There's not really anything wrong with that approach. That's pretty much
how we all had to do it in ASP.Old and it worked well enough in most cases.

--
I hope this helps,
Steve C. Orr, MCSD
http://Steve.Orr.net
Hire top-notch developers at http://www.able-consulting.com

 

[Ivan Demkovitch]

Just looked at IBuySPy sample with Form's authentification (It's 1 page
sample portal)

It's funny because it looks like this Authentification used just to show how
to use it, but then every module
has code "if IsLogin==1". Looks like I need to write 1 simple class and go
with it.

Is there any real security issues that could be solved using this Forms
authentification or this is just a set of helping objects???

 

[John Saunders]

Just looked at IBuySPy sample with Form's authentification (It's 1 page
sample portal)

It's funny because it looks like this Authentification used just to show how
to use it, but then every module
has code "if IsLogin==1". Looks like I need to write 1 simple class and go
with it.

Is there any real security issues that could be solved using this Forms
authentification or this is just a set of helping objects???

I'm not sure what you mean "any real security issues that could be solved".
I have several sites using Forms Authentication. None of them have "if
isLogin == 1" in them.

 

[Ivan Demkovitch]

John,

I explained before, I have 1 Page portal. This page consists of "blocks" -
"modules"
Theese has to be controlled by security.

Thats why I'm saying that example of forms security (IBuySpy) probably
meaningless because they have same model like mine to start with.

I'm not sure what you mean "any real security issues that could be

solved".

I don't know what tricks used by hackers and thats why I thought this forms
may offer somthing I can not accomplish with Session object and my code.

TIA