Forms based security

Discussion in 'ASP .Net Security' started by Charlie Dison, Jun 19, 2004.

  1. Hi there,
    In forms based security do I have to arrange pages into subdirectories
    in order to secure them? I want the public to access my home page and
    public content but want to restrict other content only to those for whom
    I've granted a userid. Seems like I must organize all the private content
    into one or more subdirectories. My problem is that I have some content
    that should be accessible to both and I hate to have to specify directory
    names when redirecting. Is there something that I can place in the load
    event of each page that checks to see if the user has been authenticated
    (checks for the cookie that would have been created)?
    Charlie Dison, Jun 19, 2004
    #1

  2. Charlie Dison

    [MSFT] Guest

    Hi Charlie,

    To get the form authentication cookie, you may get the cookie name from:

    FormsAuthentication.FormsCookieName

    However, the cookie is encrypted, and we cannot get its actual value.

    Regarding the issue, since the content is accessible to both
    authenticated users and others, you can just leave the content public. Is
    this right?

    If you have private and public content on the same web form, you may consider
    the following workaround:

    When performing forms authentication, you can add a cookie yourself,
    indicating the user has been authenticated. And then, arrange pages based
    on this cookie value.

    Hope this helps,

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
    [MSFT], Jun 21, 2004
    #2

  3. Charlie Dison

    ranganh Guest

    Dear Charlie,

    You don't need to arrange the authenticated pages inside a folder. You can specify the pages (say, if they are a minimum of 5 pages, etc.) using location path. In that, you can also specify to allow the users for whom you gave a userid. The following illustration shows the same:

    <location path="ProtectedPage1.aspx">
      <system.web>
        <authorization>
          <allow users="UserId" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    The above would allow users with the above userid (whatever you give) and will deny all other users (anonymous and logged in).

    However, in case you want to allow users with the above userid as well as their own userid (logged in), change the deny to <deny users="?" />. This will restrict only people
    who are not logged in.

    To check whether the user is logged in, use

    if (User.Identity.IsAuthenticated)
    {
        // the user is logged in
    }

    To get the user's ID, use

    User.Identity.Name

    Hope it helps.

    ranganh, Jun 21, 2004
    #3
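
    Added example, not part of any post in this thread: a code-behind sketch of the per-page check asked about in #1, built on the User.Identity.IsAuthenticated test from #3, so the decision rests on the forms ticket the framework has already validated rather than on reading a cookie by hand. The class names MembersOnlyPage and MixedContentPage and the control IDs PrivatePanel and Greeting are assumptions, and FormsAuthentication.RedirectToLoginPage() requires .NET Framework 2.0 or later.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical base class: pages that must never render for anonymous
// visitors inherit from this instead of System.Web.UI.Page.
public class MembersOnlyPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // User.Identity is filled in by the forms authentication module
        // after it has decrypted and validated the ticket cookie.
        if (!User.Identity.IsAuthenticated)
        {
            // RedirectToLoginPage() does not end the request by itself,
            // so stop here or the rest of the page life cycle still runs.
            FormsAuthentication.RedirectToLoginPage();
            Response.End();
            return;
        }
        base.OnInit(e);
    }
}

// Hypothetical mixed page: public content always renders, the private
// panel renders only for a logged-in user.
public class MixedContentPage : Page
{
    // Assumed to be declared in the .aspx markup with runat="server".
    protected Panel PrivatePanel;
    protected Label Greeting;

    protected void Page_Load(object sender, EventArgs e)
    {
        bool loggedIn = User.Identity.IsAuthenticated;

        // A control with Visible = false emits no HTML for its children,
        // so the private markup never reaches an anonymous browser.
        PrivatePanel.Visible = loggedIn;

        if (loggedIn)
        {
            // Encode the name because it is echoed back into the page.
            Greeting.Text = "Welcome, " + Server.HtmlEncode(User.Identity.Name);
        }
    }
}
```

    A page protected this way can sit in the same directory as public pages; a <location> rule like the one in #3 can be kept for the same page as a second layer.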
  4. Ok. that helps. Thanks
    Charlie Dison, Jun 26, 2004
    #4
  5. Ok. that helps. Thanks
    Charlie Dison, Jun 26, 2004
    #5