Can a web user be logged on as an account other than IUSR_?

Discussion in 'ASP General' started by steves@bmtech.co.uk, Mar 21, 2005.

  1. Guest

    Hello,

    We are developing a web application written in classic ASP, which will
    end up running on Windows 2000 server.

    The site has a public side (the login page and related images), and a
    private side (a series of ASP scripts which check session variables to
    make sure the current user has logged in before delivering their
    content).

    As part of the private side of the site, there are a number of images
    and other documents (PDFs, Powerpoint presentations, CSS files etc.).
    Although securing these is not vital, it would be nice if people who
    hadn't logged in couldn't access them.

    Although we can restrict non-authenticated users from accessing the ASP
    scripts (with an If ... End If wrapper around the content), I can't see
    an easy way of preventing access to non-ASP files.

    Is there any way of using ASP so that a user (for the duration of their
    session) uses an account other than IUSR_MachineName? If we could do
    this, then the web folders containing the semi-private content could be
    set up so that IUSR_Machinename doesn't have access.

    Alternatively, does anyone have any suggestions on how to restrict
    access to certain parts of a website using IIS/ASP.

    Thanks,

    Steve.
     
    , Mar 21, 2005
    #1

  2. Thomas Guest

    just disable anonymous access (in iis management console) for the folder
    containing the private files.

    that should do the job: anonymous surfers will be presented with a login
    box, while already authenticated ones can browse the files. of course this
    only works when using windows authentication.

    an interesting (and free) component in this case might be IISPassword
    (http://www.troxo.com/products/iispassword/), which enables you to use a
    unix-like .htaccess security system.

    - thomas

    <> wrote in message
    news:...
    > Hello,
    >
    > We are developing a web application written in classic ASP, which will
    > end up running on Windows 2000 server.
    >
    > The site has a public side (the login page and related images), and a
    > private side (a series of ASP scripts which check session variables to
    > make sure the current user has logged in before delivering their
    > content).
    >
    > As part of the private side of the site, there are a number of images
    > and other documents (PDFs, Powerpoint presentations, CSS files etc.).
    > Although securing these is not vital, it would be nice if people who
    > hadn't logged in couldn't access them.
    >
    > Although we can restrict non-authenticated users from accessing the ASP
    > scripts (with an If ... End If wrapper around the content), I can't see
    > an easy way of preventing access to non-ASP files.
    >
    > Is there any way of using ASP so that a user (for the duration of their
    > session) uses an account other than IUSR_MachineName? If we could do
    > this, then the web folders containing the semi-private content could be
    > set up so that IUSR_Machinename doesn't have access.
    >
    > Alternatively, does anyone have any suggestions on how to restrict
    > access to certain parts of a website using IIS/ASP.
    >
    > Thanks,
    >
    > Steve.
    >
     
    Thomas, Mar 21, 2005
    #2

  3. Steve Guest

    Hello,

    Thanks for your reply.

    We are not using Windows authentication (this will be a website with
    some 800 or so users), so we are using a method whereby the user logs
    in using a form with their username and password (not a windows user
    account password), which is then checked in a database and a session
    cookie created.

    What I really want is a piece of code that will automatically (and
    without intervention) login a website visitor in to the server under a
    second account (eg. authenticated_webuser) once they have successfully
    been validated by my code.

    We had thought of simply redirecting logged in users to
    http://user:/myscript.asp once they had successfully
    logged in, where user and pass are a standard username and password for
    all visitors who have logged in. However, http://user:pass no longer
    seems to be supported (and was it ever supported in browsers other than
    IE?). Nevertheless, it's a good illustration of what I'm trying to
    achieve.

    Thanks for the IISPassword tip. I looked at it, but I really need
    something that can integrate security with session cookies.

    Steve.
     
    Steve, Mar 21, 2005
    #3
  4. <> wrote in message
    news:...
    > Hello,
    >
    > We are developing a web application written in classic ASP, which will
    > end up running on Windows 2000 server.
    >
    > The site has a public side (the login page and related images), and a
    > private side (a series of ASP scripts which check session variables to
    > make sure the current user has logged in before delivering their
    > content).
    >
    > As part of the private side of the site, there are a number of images
    > and other documents (PDFs, Powerpoint presentations, CSS files etc.).
    > Although securing these is not vital, it would be nice if people who
    > hadn't logged in couldn't access them.
    >
    > Although we can restrict non-authenticated users from accessing the ASP
    > scripts (with an If ... End If wrapper around the content), I can't see
    > an easy way of preventing access to non-ASP files.


    Place the non-ASP files outside of the web root path and use an ASP with
    ADODB.Stream and Response.BinaryWrite to send them to the users after you
    have verified their username and password. Use this example but send the
    appropriate mime-type:
    http://www.aspfaq.com/show.asp?id=2161

    --
    Tom Kaminski IIS MVP
    http://www.microsoft.com/windowsserver2003/community/centers/iis/
    http://mvp.support.microsoft.com/
    http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
     
    Tom Kaminski [MVP], Mar 21, 2005
    #4
  5. Joe Iano Guest

    It can be done with an ISAPI filter:
    http://www.flicks.com/prod.htm#authnx

    "Steve" <> wrote in message
    news:...
    > Hello,
    >
    > Thanks for your reply.
    >
    > We are not using Windows authentication (this will be a website with
    > some 800 or so users), so we are using a method whereby the user logs
    > in using a form with their username and password (not a windows user
    > account password), which is then checked in a database and a session
    > cookie created.
    >
    > What I really want is a piece of code that will automatically (and
    > without intervention) login a website visitor in to the server under a
    > second account (eg. authenticated_webuser) once they have successfully
    > been validated by my code.
    >
    > We had thought of simply redirecting logged in users to
    > http://user:/myscript.asp once they had successfully
    > logged in, where user and pass are a standard username and password for
    > all visitors who have logged in. However, http://user:pass no longer
    > seems to be supported (and was it ever supported in browsers other than
    > IE?). Nevertheless, it's a good illustration of what I'm trying to
    > achieve.
    >
    > Thanks for the IISPassword tip. I looked at it, but I really need
    > something that can integrate security with session cookies.
    >
    > Steve.
     
    Joe Iano, Mar 21, 2005
    #5
  6. Steve Guest

    Thanks for your replies everyone.

    I found another method which seems to work well too...

    http://www.isapirewrite.com/

    This is an ISAPI filter (the lite version of which is freeware) which
    lets you rewrite URLs before they are passed to IIS.

    So you can get it to dynamically change requests for:

    mysite.com/private/images/foo.jpg

    to

    mysite.com/deliverfile.asp?file=images/foo.jpg

    (for example)

    I did a quick test, and it seems to work well. The config file allows
    the use of regular expressions, so it's pretty powerful. Posting here
    in case it's of use to others.

    Steve.
     
    Steve, Mar 21, 2005
    #6
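Added example (not code from this thread, nor from IISPassword, ISAPI_Rewrite or the aspfaq article) of the deliverfile.asp that Tom Kaminski's answer and Steve's rewrite rule both rely on: it checks the session cookie, refuses any path that could escape the private folder, and streams the file with ADODB.Stream and Response.BinaryWrite. The Session("LoggedIn") flag, the D:\private\ location and the extension list are assumptions.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit
' deliverfile.asp (added example): serves a file that lives OUTSIDE the web root
' only to visitors whose session says they have logged in.
' Assumed: the login script sets Session("LoggedIn") = True on success, and the
' private images/PDFs/CSS live under D:\private\ (placeholder path).
Const PRIVATE_ROOT = "D:\private\"
Dim fso, relPath, fullPath, stream, mimeType
Set fso = Server.CreateObject("Scripting.FileSystemObject")
If Session("LoggedIn") <> True Then
    Response.Status = "403 Forbidden"
    Response.End
End If
relPath = Request.QueryString("file")
' Only a plain relative path is accepted: no "..", no drive or UNC prefix, no
' leading slash, no NUL byte. This keeps a rewritten request such as
' /private/../../web.config from reaching anything outside PRIVATE_ROOT.
If relPath = "" Or InStr(relPath, "..") > 0 Or InStr(relPath, ":") > 0 _
   Or Left(relPath, 1) = "\" Or Left(relPath, 1) = "/" Or InStr(relPath, Chr(0)) > 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If
fullPath = fso.BuildPath(PRIVATE_ROOT, Replace(relPath, "/", "\"))
If Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found"
    Response.End
End If
' Small allow-list of extensions with their MIME types; anything else is refused.
Select Case LCase(fso.GetExtensionName(fullPath))
    Case "jpg", "jpeg": mimeType = "image/jpeg"
    Case "gif":         mimeType = "image/gif"
    Case "pdf":         mimeType = "application/pdf"
    Case "css":         mimeType = "text/css"
    Case "ppt":         mimeType = "application/vnd.ms-powerpoint"
    Case Else
        Response.Status = "403 Forbidden"
        Response.End
End Select
' Read the file as binary and push the bytes to the client with the right type.
Set stream = Server.CreateObject("ADODB.Stream")
stream.Type = 1          ' adTypeBinary
stream.Open
stream.LoadFromFile fullPath
Response.ContentType = mimeType
Response.AddHeader "Content-Disposition", "inline; filename=""" & fso.GetFileName(fullPath) & """"
Response.BinaryWrite stream.Read
stream.Close
%>
```

The files must really sit under PRIVATE_ROOT outside the web root, as Tom suggested; if they stay in a web folder, a direct request for the original URL still reaches them as IUSR_ whenever the rewrite rule does not match.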
