Forms Authentication

m.owens

Hi,

I am new to the concept of ASP.NET authentication so this might be
obvious. I'm working on an application written by my predecessor,
which has a login page. This is authenticated against credentials in a
database. If the user is an administrator, the user is forwarded to a
management console. If the user is a standard user then the user is
forwarded to the user console.

The problem is, when logged in there's nothing to stop the user
(logged in as a standard user) modifying the URL in the browser window
and navigating to the administrator area of the website.

What's the best way of getting around this? Can I assign roles to the
users (in the cookie) and use the web.config file to interrogate these
credentials and allow / deny access?

Thanks in advance
Matt
 
Guest


There are two standard ways to authorize users in your case: URL
authorization and roles. With URL authorization, you can allow or deny
access to a particular link by user name.

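<location path="admin.aspx">
  <system.web>
    <authorization>
      <!-- rules are evaluated top to bottom: named users first, then deny everyone else -->
      <allow users="admin,superadmin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>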

Role-based authorization lets you assign users to roles. You can
either use "allow roles", "deny roles" in a web.config, or configure
access in the code using the User.IsInRole() function.

if (User.IsInRole("admin")) {
    Response.Redirect("admin.aspx");
}
 
Matt

Hi Steve,

I don't think that's exactly what I meant, an example would be:

I need to restrict certain areas of the website to certain
users depending on database credentials. For instance, suppose I have
a subscription site with 3 areas. 1 is free. 2 is silver subscription.
3 is gold subscription. Is there a way of assigning roles to a user
when they login and using the web.config file to allow / deny users
depending on their subscription? I have basic forms authentication up
and running but now I need to refine it to allow / deny certain users.

Thanks
Matt
 
Guest


Use role-based authorization:
http://www.google.com/search?hl=en&q=asp.net+role-based+authorization

Assign each user to 1 of 3 groups: "free", "silver", and "gold".

Authorize the user in the code:

if (User.IsInRole("gold")) {
    showGoldArea();
    showSilverArea();
    showFreeArea();
} else if (User.IsInRole("silver")) {
    showSilverArea();
    showFreeArea();
} else if (User.IsInRole("free")) {
    showFreeArea();
}
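
Added example, not part of the thread or any poster's code: one way to do what Matt asks, carrying the database roles in the forms-authentication ticket and letting web.config enforce them on the server, so that editing the URL does not get past the check. The class RoleTicket, its method names, the 30-minute lifetime and the "gold" folder are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not code from the thread. RoleTicket and its method names are
// hypothetical; the role list is assumed to come from the site's own user table.
public static class RoleTicket
{
    // Call after the password check succeeds, in place of SetAuthCookie().
    public static void Issue(HttpResponse response, string userName, string[] roles)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false,                        // session cookie, not persistent
            string.Join(",", roles));     // e.g. "silver" or "gold,silver"

        // Encrypt() applies the <forms protection="..."> setting (default "All":
        // encrypted and validated), so the browser cannot edit the role list.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
    }

    // Call from Application_AuthenticateRequest in Global.asax so the roles
    // are on Context.User before URL authorization runs.
    public static void Attach(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        string[] roles = identity.Ticket.UserData.Split(
            new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(identity, roles);
    }
}

// web.config then checks the role on every request to the folder
// ("gold" is the folder name assumed here):
//   <location path="gold">
//     <system.web><authorization>
//       <allow roles="gold"/>
//       <deny users="*"/>
//     </authorization></system.web>
//   </location>
```

The roles are fixed when the ticket is issued, so a changed subscription only takes effect at the next login or when the ticket expires; keep the lifetime short if that matters.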
 
