Securing static files

Discussion in 'ASP .Net Security' started by Jon Haakon Ariansen, Jun 20, 2006.

  1. Hi,

    In short my problem is securing static pages, so that unauthorized
    (anonymous) people don't get access to these files. You'll find a
    detailed description below.

    I have a web solution that is made in Dotnet 2.0. The solution sends the user
    to the correct module based on the user's credentials. The user's credentials
    are compared with the username and password in an MS SQL database, which
    provides the right path to where the user is going. Thus the solution uses Form
    authentication to verify the user.
    The destination after login is mostly static pages (htm/html) calling Flash
    modules.

    One of my problems (not the biggest) is that the user keeps getting thrown
    out and has to log on again - several times. We need to get the application
    to be more persistent when the user has logged on. I'm not sure why the user
    has to log on all the time, but my guess is that when the user uses the
    Flash module, IIS is not aware that the user is still logged on and when the
    user finally requests a new page there's been a timeout. In this case I have
    to find a solution to keep the user logged in. I guess I can use a
    cookie for this, but then I guess the user will always come to the same
    module. The user has to be presented the login page on startup each time,
    because the user might try another module.

    My biggest problem is that after associating aspnet_isapi.dll with htm/html in
    IIS I'm not able to view htm/html at all. I get "Page cannot be displayed";
    however, some modules end in ".asp" and these files show okay, though ASP is
    associated as well with asp_isapi.dll.
    I've tried to find a solution based on this article:
    http://msdn.microsoft.com/msdnmag/issues/05/11/SecureWebApps/
    but I'm not sure if it's the best for me.

    Hope there is someone who can help me with this.

    Kind regards,

    Jon Haakon
    Jon Haakon Ariansen, Jun 20, 2006
    #1

  2. if it is IIS6 - I would recommend setting up a Wildcard handler

    read here first - and if you have questions feel free to post

    http://www.leastprivilege.com/ProtectingNonASPNETResourcesWithASPNET20.aspx


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Jun 20, 2006
    #2

  3. Hello,

    Thank you for the very fast feedback.
    I've read the page, but as you said - I have lots of questions. I almost
    don't know what to ask.. :]

    If I insert in Web.config:

    <httpHandlers>
      <add path="*.htm" verb="*"
           type="System.Web.HttpForbiddenHandler" validate="True" />
    </httpHandlers>

    then files with extension .htm will now be shown - correct?

    But if the user's credentials are verified, do I have to do something to
    allow the user to open htm files?



    In advance thanks!



    Jon Haakon


    Jon Haakon Ariansen, Jun 20, 2006
    #3
  4. the first thing is to register aspnet_isapi as Wildcard mapping - after that
    _all_ files are treated like asp.net content - and authentication and authorization
    settings apply.

    Have you done that to this point?

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Jun 20, 2006
    #4
  5. Yes, I have done this.

    Jon Haakon Ariansen, Jun 20, 2006
    #5
  6. ok -

    you can now verify, e.g. by putting a breakpoint in Application_BeginRequest,
    that asp.net handles all requests now.

    This means that if a user tries to access a .htm file (or whatever) - he
    will be redirected to the login page and he has to authenticate first.

    Is that what you want?

    ps. and btw - make sure you have unchecked the "verify that file exists"
    box in the wildcard mapping dialog.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Jun 20, 2006
    #6
  7. Hi Dominick Baier,

    Thank you very much for your tips! I really appreciate it!

    It seems like I have found a solution to my problem now.
    I've added:

    <httpHandlers>
    <add path="*.htm" verb="*" type="System.Web.StaticFileHandler" />
    <add path="*.html" verb="*" type="System.Web.StaticFileHandler" />
    <add path="*.asp" verb="*" type="System.Web.StaticFileHandler" />
    </httpHandlers>

    to web.config and I can access the html files.
    But it depends for how long I can access them. The html files call on
    Flash files which run client-side. When the end user is logged in,
    periodically they are kicked back to the login page.
    This might perhaps be caused by Session timeout. I'm not sure. Is there a
    way to make the login period more persistent? But it can't be so persistent
    that the user is automatically logged in if the user has used the program
    before. The user may log in with other credentials (username/password).

    Thank you so much for your help Dominick!!

    Kind regards,

    Jon Haakon


    Jon Haakon Ariansen, Jun 21, 2006
    #7
  8. why did you have to add the handlers to web.config? should also work without
    them.

    It's not the session - it's the authentication timeout - you can set the
    timeout in the <forms> element in web.config.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Jun 21, 2006
    #8
  9. Well, that was what it took to make the solution work.
    I got a tip:
    http://support.microsoft.com/?kbid=909641

    You mentioned that I could set a breakpoint in Application_BeginRequest.
    From what I have found out, access to variables is restricted there. I
    don't think session variables work there. Therefore the other solution seemed
    like a better solution.

    Thanks for your tip!

    Jon Haakon

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > why did you have to add the handlers to web.config? should also work
    > without them.
    >
    > It's not the session - it's the authentication timeout - you can set the
    > timeout in the <forms> element in web.config.
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    Jon Haakon Ariansen, Jun 21, 2006
    #9
  10. Not sure if I understand that - but if it works for you - that's fine.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Well, that was what it took to make the solution work. I got a tip:
    > http://support.microsoft.com/?kbid=909641
    >
    > You mentioned that I could set a breakpoint in
    > Application_BeginRequest. From what I have found out, access to
    > variables is restricted there. I don't think session variables work there.
    > Therefore the other solution seemed like a better solution.
    >
    > Thanks for your tip!
    >
    > Jon Haakon
    Dominick Baier [DevelopMentor], Jun 21, 2006
    #10
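
A web.config that pulls together the settings discussed in this thread (wildcard mapping, static file handlers, the `<forms>` timeout), as an added example that is not from either poster. It assumes aspnet_isapi.dll is already registered as the IIS 6 wildcard mapping; the cookie name, login page, timeout value and `public` folder are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example: Login.aspx, .MODULEAUTH, timeout="120" and the "public"
     folder are placeholders, not values taken from the thread. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- timeout is in minutes (default 30). With slidingExpiration="true"
           the ticket is renewed only on a request that arrives after more
           than half the timeout has elapsed, so a user who stays inside a
           client-side Flash module longer than the timeout, with no request
           reaching the server, is sent back to the login page. -->
      <forms name=".MODULEAUTH"
             loginUrl="~/Login.aspx"
             timeout="120"
             slidingExpiration="true"
             protection="All" />
    </authentication>

    <!-- Deny anonymous users. Once aspnet_isapi.dll is the wildcard
         mapping, this applies to .htm/.html and every other file type. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <httpHandlers>
      <!-- Serve the static pages after the authorization check has passed.
           StaticFileHandler returns the file as it is on disk and does not
           run classic ASP, so *.asp is deliberately not mapped here. -->
      <add path="*.htm"  verb="GET,HEAD" type="System.Web.StaticFileHandler" />
      <add path="*.html" verb="GET,HEAD" type="System.Web.StaticFileHandler" />
    </httpHandlers>
  </system.web>

  <!-- Files the login page itself needs (stylesheets, images) are now
       protected too; open one folder for them explicitly. -->
  <location path="public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

To keep the requirement that users see the login page at every start, issue the ticket with a non-persistent cookie, for example `FormsAuthentication.RedirectFromLoginPage(userName, false)`, where `userName` is a placeholder.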