Web.config: <allow users="xxxx" /> Where does xxxx come from?

sjl

I'm using Forms Authentication. When I authenticate a user from a database,
I use the following line:
FormsAuthentication.RedirectFromLoginPage(parameterID.Value.ToString(),chkRemember.Checked);

where parameterID.Value is the output parameter from my stored proc which is
the primary key from the database of the user who logged in. That way, I
always use that key when writing back to the database for various tasks
(Page.User.Identity.Name). Is that the same value that gets evaluated in
the web.config file authorization section to allow/deny users? For example,
what user am I really looking for if I use <allow users="xxxx" /> in the
web.config file? They login using email/password, but I write the
authentication ticket using the primary key from the database.

What I'm really wanting to do is use forms auth to secure one folder for
only authenticated users. Anyone who is registered on my site and logs in
can get to all files in that folder. Additionally, I'd like to have an
administrative back-end for the site in another subfolder that will only allow
myself into. Am I forced to use roles to accomplish this or can I do this
with simple web.config settings?

Thanks in advance.
sjl
 
MasterGaurav

Just use:
<deny users="?"/>

Anyway... "XXXX" in <allow users="..."/> is the list of users that will
be allowed access. It's the same as the first parameter of the
RedirectFromLoginPage(...) method.

For your situation, you may like to do the following:

<location path="dirName">
  <system.web>
    <authorization>
      <deny users="?"/> <!-- Denying anonymous users -->
    </authorization>
    <authentication mode="Forms">
      ....
    </authentication>
  </system.web>
</location>



--
Cheers,
Gaurav Vaish
http://www.mastergaurav.org
http://mastergaurav.blogspot.com
--------------------------------
 
sjl

Thanks Gaurav. Since I want to deny anonymous users AND all authenticated
users other than myself for this Admin folder, wouldn't I also need to add
<allow users="1" /> where my primary key ID from the database is 1? Or, do
I need to deny ALL users (<deny users="*"/>) and only <allow users = "1" />?
I'm pretty sure I've tried this, but couldn't determine why it wasn't only
allowing my account access and not all others.

I'll keep working on it. You've answered my question though regarding where
the xxxx comes from in the allow/deny users statement for the web.config.

Thanks,
sjl
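
Added example, not part of any post in this thread: a root web.config that covers both folders asked about, with the admin rules in the order ASP.NET URL authorization needs (rules are checked top to bottom and the first match wins). The folder names "Members" and "Admin" and the login page name are assumptions; "1" is the ticket name from the thread, i.e. the string passed to RedirectFromLoginPage.

```xml
<?xml version="1.0"?>
<!-- Added example. "Members", "Admin" and Login.aspx are assumed names. -->
<configuration>
  <system.web>
    <!-- Forms authentication is configured once, at application level. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
  </system.web>

  <!-- Folder for any logged-in user: only anonymous ("?") is refused. -->
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Admin folder: the allow rule must come BEFORE the deny rule.
       users="1" is compared with Page.User.Identity.Name, which is the
       primary key written into the ticket, not the e-mail address.
       Pitfalls:
         * deny users="*" listed first matches everyone, user 1 included,
           so the allow rule below it is never reached.
         * deny users="?" plus allow users="1" alone still lets every
           other authenticated user in, because unmatched requests fall
           through to the inherited default allow users="*". -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow users="1" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Roles are not required for this; they become worthwhile once more than one account needs admin access, since the allow list would otherwise have to be edited for each one.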
 
