Forms Authetication to Protect Single File Using

Discussion in 'ASP .Net Security' started by rodrigo, Aug 20, 2003.

  1. rodrigo

    rodrigo Guest

    I want to protect a single file (openvideo.aspx). I already setup the
    folder as an application in IIS.
    The authentication seems to work fine and the permissions works as it

    The problem comes after the user gets authenticated. I need to store
    each user info in database after it gets authenticated at any time,
    not only the first time.
    I am using persistent cookie. It seems that register.aspx it's being
    bypassed or skipped after authentication and I can't force the
    register.aspx (loginUrl) to be checked after authentication.

    I tryed using Request.IsAuthenticated but it always returns false.
    From my little understanting of .net framework, I thinks something is
    happening behind that is taking control of cookie authentication and
    using session instead.

    <authentication mode="Forms" >
    <forms loginUrl="register.aspx" name=".AUTH1" protection="None"
    path="/" timeout="20" >

    <location path="openvideo.aspx">
    <deny users="?" />


    rodrigo, Aug 20, 2003
    1. Advertisements

  2. rodrigo

    rodrigo Guest

    Let me clarify better my situation.

    login page = register.aspx
    protected page = openvideo.aspx

    (First time access. No cookies yet)

    1. Try to access openvideo.aspx
    2. Asp.Net checks web.config permissions
    3. It is protected, then redirects to register.aspx
    4. User informs name and password and submit back to register.aspx
    5. register.aspx validates user in database and redirects to
    authorizes openvideo.asp page
    6. Cookie is persistent
    7. Close the brower and try to access openvideo.aspx
    8. Asp.Net checks web.config permissions. It is protected, but this
    time do not redirect to register.aspx since it is authenticated.
    9. Asp.Net just lets the user see the file content.
    10. Clean cookies
    11. Things repeat like first step

    With this situation I can't force tracking of info at all times even
    after authentication.

    The point is I need track user info (querystring, time, etc) each time
    he access openvideo.aspx because register.aspx does not ge hit after

    You suggestion to get rid of persistent cookie would make
    register.aspx pop up at all times and it would be annoying for the
    user. I want it to be authenticated, but always force authentication
    to pass by register.aspx.

    Some people will say, what's the point if you can track info directly
    in the destination or protected file. Well in this case I know I can
    track this type of info in openvideo.aspx since it gets hit all the
    times, but it does not protect the media files from direct browser
    access. If you know the path to the media you can access it easily.

    Right now that is not my major concern. Later, I'll need to use a
    handler to handle the media by file extension (ex. wmv, mpeg, etc)
    without intermediate pages. And if you want to track something at all
    events it will have to pass by register.aspx.

    Maybe I confused you more, sorry about that and thanks for you

    rodrigo, Aug 21, 2003
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Replies:
    Roger Upole
    Dec 20, 2006
  2. =?Utf-8?B?ZGF2aWQ=?=
    Aug 17, 2007
  3. Andy

    ASP.NET windows authetication

    Andy, Dec 1, 2004, in forum: ASP .Net Security
    Paul Clement
    Dec 14, 2004
  4. ajit

    SQL Authetication in windows service

    ajit, Feb 4, 2005, in forum: ASP .Net Security
    Dave Smith
    Nov 9, 2005
  5. PRA Group

    Forms Authetication and Redirects

    PRA Group, Apr 6, 2006, in forum: ASP .Net Security
    PRA Group
    Apr 6, 2006