Forms Authentication and dynamic folders

[Jason James]

Hi all,

I am writing an ASP app that requires the users
to authenticate (using forms authentication as this
will be an internet app). Once authenticated they
have access to there own folder that will have
been created ahead of time. The folder will
only be available to anyone authorised to view it.
Other users of the app will have access only to their
own folders. There is also a public section of the site
that all users can view.
..
All user folders as contained below a main folder which
is configured to have forms authentication and
authorization is required to view it. The ASP
account creates the sub folders which also creates
users names and passwords for the users.

Does anyone have any resources or suggestions
as to how I can use forms authentication, tickets,
roles, cookies, or anything else to restrict access
to only those users with the correct username and
password. I already have a single login form but
I'm not entirely sure about how to handle this
complex authentication and redirection problem?

Many thanks,

Jason.

 

[dkode]

hey,

this could be a little bit tricky. At first glance I would say write
your own httpmodule ISAPI handler, this way you can intercept requests
before they are processed and perform your on conditionals as to where
the user should go, this might be overkill though. Thats how I would
have done it in .NET 1.1, someone else might have a better way to do
this with the new forms authentication scheme in .net 2.0

 

[Jason James]

Yeah,

That does sound like a very difficult solution to my problem. I
wouldn't even know where to begin with that.

Could I dynamically write to the web.config file and add
locations for each newly created folder; or create a web.config
file for each folder? I think that this would only handle the
authorization element of my security! Would I then have to
write to the application web.config file to add each user?

I've been doing some digging about today and that seems like
it's the only way to move this forward.

Many thanks,

Jason.

 

[MikeS]

or create a web.config file for each folder?

You could plunk down a web config with only an authorization tag right
in the directory when you create it.

Watch that changing these files on the fly seems to me to cause the
application to restart.
Even though the authorization section does not have
restartOnExternalChanges set and even when using a configSource for
one. Your mileage may differ.

 

[MikeS]

cause the application to restart

So maybe it is better to create a role per user, create the directories
web.config with an allow role and add the user(s) to the role.