Forms based security

Charlie Dison

Hi there,
In forms based security do I have to arrange pages into subdirectories
in order to secure them? I want the public to access my home page and
public content but want to restrict other content only to those for whom
I've granted a userid. Seems like I must organize all the private content
into one or more subdirectories. My problem is that I have some content
that should be accessible to both and I hate to have to specify directory
names when redirecting. Is there something that I can place in the load
event of each page that checks to see if the user has been authenticated
(checks for the cookie that would have been created)?
 
[MSFT]

Hi Charlie,

To get the form authentication cookie, you may get the cookie name from:

FormsAuthentication.FormsCookieName

However, the cookie is encrypted, and we cannot get its actual value.

Regarding the issue, since the content is accessible to both
authenticated users and others, you can just leave the content public. Is
this right?

If you have private and public content on the same web form, you may consider
the following workaround:

When performing form authentication, you can add a cookie yourself,
indicating the user has been authenticated, and then arrange pages based
on this cookie value.

Hope this helps,

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
ranganh

Dear Charlie,

You don't need to arrange the authenticated pages inside a folder. You can specify the pages (say, if they are a minimum of 5 pages, etc.) using location path. In that, you can also specify to allow the users for whom you gave a userid. The following illustration shows the same:

<location path="ProtectedPage1.aspx">
  <system.web>
    <authorization>
      <allow users="UserId" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

The above would allow users with the above userid (whatever you give) and will deny all other users (anonymous and logged in).

However, in case you want to allow users with the above userid as well as their own userid (logged in), change the <deny users="?" />. This will restrict only people who are not logged in.

To check whether the user is logged in, use

if (User.Identity.IsAuthenticated)
{
    // the user is logged in
}

To get the user's ID, use

User.Identity.Name

hope it helps.
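
An added example (not code from any poster in this thread) of the load-time check asked about in the question, built on the User.Identity.IsAuthenticated test from the reply above. The class, panel and label names are hypothetical, and FormsAuthentication.RedirectToLoginPage assumes ASP.NET 2.0 or later.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical base class: a private page inherits from this instead of
// System.Web.UI.Page, so it can live in any directory.
public class MembersOnlyPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // User.Identity is filled in by the forms authentication module from
        // the validated ticket; the page never reads the cookie itself.
        if (!User.Identity.IsAuthenticated)
        {
            // Redirects to the configured loginUrl and sets ReturnUrl.
            FormsAuthentication.RedirectToLoginPage();
            // RedirectToLoginPage does not end the request, so stop here
            // to make sure no private markup is rendered.
            Response.End();
            return;
        }
        base.OnInit(e);
    }
}

// Hypothetical page that serves both anonymous and logged-in visitors.
public class MixedPage : Page
{
    // Assumed <asp:Panel> and <asp:Label> controls declared in the .aspx
    // (in designer-based projects these fields live in the designer file).
    protected Panel MembersPanel;
    protected Label Greeting;

    protected void Page_Load(object sender, EventArgs e)
    {
        bool signedIn = User.Identity.IsAuthenticated;
        // A control with Visible = false is not rendered to the client.
        MembersPanel.Visible = signedIn;
        Greeting.Text = signedIn
            ? "Welcome, " + Server.HtmlEncode(User.Identity.Name)
            : "Welcome, guest";
    }
}
```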
 
Charlie Dison

OK, that helps. Thanks.
ranganh said:
Dear Charlie,

You don't need to arrange the authenticated pages inside a folder. You
can specify the pages (say if they are minimum 5 pages etc.,) using location
path. in that, you can also specify to allow the users, for whom you gave
an userid. the following illustration shows the same:-
<location path="ProtectedPage1.aspx">
<system.web>
<authorization>
<allow users="UserId" />
<deny users="*" />
</authorization>
</system.web>
</location>

the above, would allow users with the above userid (whatever you give) and
will deny all other users (anonymous and logged in).
 
