ASP.NET Folder Security

[Dave]

Hi,

I am developing a web application which needs different levels of
security.

- Basic browsing with name and basic profile being stored
- Changing account information e.g. address, password etc
- Buying an item from the store

I want all users to be able to do this, but I want them to have three
different login processes so that I can control the system. I want to
use forms authentication and would ideally have a web.config in a
folder for each level to control the authentication process. I know
this can't be done unless I split them into different applications.
This will however cause problems with holding sessions across the
applications etc.

If you could offer any advice I would really appreciate it.

Thanks

 

[Brian]

Hi,

I am developing a web application which needs different levels of
security.

- Basic browsing with name and basic profile being stored
- Changing account information e.g. address, password etc
- Buying an item from the store

I want all users to be able to do this, but I want them to have three
different login processes so that I can control the system. I want to
use forms authentication and would ideally have a web.config in a
folder for each level to control the authentication process. I know
this can't be done unless I split them into different applications.
This will however cause problems with holding sessions across the
applications etc.

If you could offer any advice I would really appreciate it.

Thanks

Hey Dave -

After going through a similar delima myself, I more or less threw out Forms
Authentication. I'll add a minor gripe. Asp.Net is terrific if you're in a
cookie cutter shop. It's a nightmare if you want to do anything even
slightly out of the ordinary. All the nicities tend to work against a
proprietary solution.

I switched to a simple Session["User"] == null check. It looks like this:

protected void Page_Load {
if (Session["User"] == null)
Response.Redirect("login.aspx?returnurl="+Request.Url);
// or
Response.Redirect("login.aspx?returnurl=a_very_specific_url.aspx");
}

These lines of code occur in every page_load of every page that will be
authenticated. But it's only a few lines of code.

The login page sets Session["User"] of course. And logout sets it back to
null (or abandons the session).

This method is very simple. It has all the benefits of form authentication
without any of the application disadvantages. And it can intelligently
redirect requests. That is, if a user tries to bookmark step 4 of 5, and
return to it tomorrow, the page will still snap back to the first screen or
whatever. This is in contrast to forms authentication which returns the
user to whichever page made the unauthenticated request (without recourse).

I consider the maintenance very minor, certainly much less so than virtual
directories springing up like daisies.

HTH,
Brian