Mixing secure and unsecure pages with Forms Authentication

G

Guest

I want to use forms authentication on my website. Looking at the documentation, I create a sample site for testing. One of my requirements is to ensure that SOME pages required an authenticated user and some others, like the home page is not required. I specified the <deny users="?" /> on the web.config, but this is causing ALL pages require the authentication. How can I mix both, without loosing the web.config setup? I know that I can manually check the IsAuthenticated property on pages I want to enforce security, but I have an idea that there is some kind of Page property to specify that is secure, maybe I just dream it

Thanks
 
J

Joseph E Shook [MVP - ADSI]

Search the help files for the <location> element.

It lookes something like this

<location path="Logon.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>



Usually if you can organize your content in folders representing
different level of security and creating a web.config file for each of
these you are better off, but the Location element will give you the
ultimate flexibiltiy and even more chances to forget to secure something :)
 
G

Guest

When you said that you can "organize your content in folders representing different level of security", do you mean, multiple web applications (virtual directories)? or folders withing the same web application?. I understand that you can have only ONE web.config located at the ROOT of your web application (virtual directory). Could explain me a little bit more your approach

Having the <allow users="?"/> is going to allow ALL unauthenticated users to get access to ALL pages, which actually defeats the purpose of using these feature

What I'm trying to do is have a <deny users="?"/>, but at the same time ALLOW access to anybody to non restricted pages, I was thinking that the way to do this will be having some kind of property set a the page level to specify that the page is not checking authentication or something like. This will give flexibility to mix pages that requires authentication and some others that not



Thank


----- Joseph E Shook [MVP - ADSI] wrote: ----

Search the help files for the <location> element

It lookes something like thi

<location path="Logon.aspx"><system.web><authorization><allow users="?"/></authorization></system.web></location



Usually if you can organize your content in folders representing
different level of security and creating a web.config file for each of
these you are better off, but the Location element will give you the
ultimate flexibiltiy and even more chances to forget to secure something :



MR. UNDERHILL wrote
 
J

Joseph E Shook [MVP - ADSI]

If you read this you will start to see the ways one can place multiple
web.config files in a single web application. It forms a inheritance
and override behavior. Here is the link...

http://msdn.microsoft.com/library/d...-us/cpguide/html/cpconaspnetconfiguration.asp


MR. UNDERHILL said:
When you said that you can "organize your content in folders representing different level of security", do you mean, multiple web applications (virtual directories)? or folders withing the same web application?. I understand that you can have only ONE web.config located at the ROOT of your web application (virtual directory). Could explain me a little bit more your approach.

Having the <allow users="?"/> is going to allow ALL unauthenticated users to get access to ALL pages, which actually defeats the purpose of using these feature!

What I'm trying to do is have a <deny users="?"/>, but at the same time ALLOW access to anybody to non restricted pages, I was thinking that the way to do this will be having some kind of property set a the page level to specify that the page is not checking authentication or something like. This will give flexibility to mix pages that requires authentication and some others that not.





Thanks




----- Joseph E Shook [MVP - ADSI] wrote: -----

Search the help files for the <location> element.

It lookes something like this

<location path="Logon.aspx"><system.web><authorization><allow users="?"/></authorization></system.web></location>



Usually if you can organize your content in folders representing
different level of security and creating a web.config file for each of
these you are better off, but the Location element will give you the
ultimate flexibiltiy and even more chances to forget to secure something :)
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Problem with a login script, SESSION user rights and put this together so it works with the other pages and MySQL. Code examples. 2
secure and non-secure pages 0
Forms authentication with Active Directory 0
Forms Authentication question in web.config 3
Problem with my forms authentication 1
Forms authentication for certain pages 3
Forms Authentication errror 1
ASP.NET Forms Authentication site calling web service 8

Members online

No members online now.
Total: 30 (members: 0, guests: 30)
Robots: 324

Forum statistics

Threads
473,755
Messages
2,569,536
Members
45,011
Latest member
AjaUqq1950

Latest Threads

Top