Reply to thread

Message: [QUOTE="Jules Hoppenbrouwers, post: 4270674"] I'd like to poll for some best practices about ASP.NET application security. Here's what it's about: I wanna develop an ASP.NET web application with VS.NET 2003. This application consists of some pages which are available for anonymous users and some that are NOT available for anonymous users (i.e. need authentication). To achieve this I set the web.config <authentication>-tag to <forms ....> and <deny users="?"> in the <authorization>-tag. This will redirect every unkown user to my login-form. To allow anonymous users browse to the other pages (which don't need authentication) I made a second project. Here the <authorization>-tag in the web.config stated <allow users="*"> But, since my application is not really big I thought this is too much work (i.e. creating two projects); since I only need authentication for half of my ASP.NET pages. Maybee there is another way. I was thinking of making a new login-form where I set an attribute in the session state. Then in every page which needs authentication, I check if this attribute is set in the page_load. If not so, redirect the user to the login-form. To logout the user can either close the browser of I redirect them to a form where the can sign-out (which will delete the session attribute). Please share your thoughts about this. Maybe their are even (!) better idea's. Kind regards, Jules Hoppenbrouwers < Don't reply by email. Use this forum instead.> [/QUOTE]