user access to only selected pages

J

joe

Some time ago I set up an ASP application that used a login page which
checked a username and password against a database to determine a users
authorization to access certain pages on the site. This was done by setting
a session variable within the application if the user was authorized and
using code one each page for which protection was required to check for the
status of the session variable.

Now I am aware of the various techniques that ASP.NET provides to allow or
preclude access to asp.net apps but frankly I really liked that other one
because it didn't use cookies which many users are a bit afraid of.

My problem is this....I can't remember how I set it up and I don't know
where to look. I think I found the technique in an old ASP book (vs
asp.net).

Does anyone know where I can look to find this technique in the form of
sample code or a tutorial?

and

Is this a viable technique to use in ASP.Net?


Thanks in advance
 
S

Steve C. Orr, MCSD

You can put each group of files into their own subfolders under your root
web application, and then create a web.config for each subfolder with the
appropriate settings in it.
You could alternately do this with a single web.config file by using the
<location> tag.
Here's more info on that and an example:
http://www.dotnetbips.com/displayarticle.aspx?id=117
 
J

joe

Thanks Steve I've read that but call me dumb but I don't see how it works.
Perhaps I'm missing something, I don't see the way it :

1) determines which users to permit access to

nor

2) how it maintains the users status once authorized should the user request
additional pages in the protected folder.


Is that done in the web.config file? I don't see any instructions at that
link on how to accomplish this whithout using cookies.
 
S

Steve C. Orr, MCSD

It uses forms authentication, which uses cookies.
Here's more info on basic forms authentication:
http://www.dotnetbips.com/displayarticle.aspx?id=9

Of course you can also set Forms Authentication to work if the user has
cookies turned off by setting the cookieless="true" in your web.config.
Then it will munge the session id into the URL automatically.
You can specify which files and folders to allow to to which users in your
web.config file.
There is a link to sample code that you can download and play with.
http://www.dotnetbips.com/displayarticle.aspx?id=117
 
J

joe

Thanks Steve...I'll check it out.


Steve C. Orr said:
It uses forms authentication, which uses cookies.
Here's more info on basic forms authentication:
http://www.dotnetbips.com/displayarticle.aspx?id=9

Of course you can also set Forms Authentication to work if the user has
cookies turned off by setting the cookieless="true" in your web.config.
Then it will munge the session id into the URL automatically.
You can specify which files and folders to allow to to which users in your
web.config file.
There is a link to sample code that you can download and play with.
http://www.dotnetbips.com/displayarticle.aspx?id=117
 
J

joe

I see they have put the user names and passwords in the login.vb file. Isn't
this (hard coding) a potential security problem?

I realize it is not presented in the HTML on the client and the server does
all the work but it just makes me a bit uncomfortable.

Or am I wrong?
 
J

joe

I don't mind taking the time posting but I do understand that for some
reading is a bit more difficult than it is for others.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,483
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top