Help me with Login and user roles please.


mark4asp

This is a simplified version of my site.

There are Premium users who have access to the Premium directory.
Anyone else attempting to access it should be logged and then
redirected to the Premium.aspx - which explains the advantages of
being a Premium member and provides examples of content.

The default page for site visitors is "News/Default.aspx", but only
those with cookies set should go there; otherwise visitors need to
log in to access the important pages in the site (everything else apart
from the error pages and Premium.aspx).

Every single site visitor needs to be recorded. Browser agent and IP
address are logged for everyone.


Q1: When a user first arrives at the site, where is the best place to
determine whether they are a valid user? Is this best done in
Session_Start()?

Q2: If a user bookmarks a page I want them to go directly to it next
time (provided they are in a suitable role). How does ASP.NET know
when to bypass the Login page (presumably it gets the cookie and
checks the user roles)?

Q3: Following on from Q2, how does ASP.NET know when to go to the
defaultUrl? Where is the logic done for that and what about the
ReturnUrl - if there is one?

Q4: At what stage does all this security checking take place and if I,
as web-site author, want to interrupt it where do I interrupt it?

Q5: Is there a routine in Global.asax that allows one to override the
system security and if not so then why not so?

Q6: Is the detail regarding the ASP.NET roles and security explained
anywhere (I do mean in detail)? Following on from that, I'm not
really interested in tutorials telling one how to set up security -
I'm interested in how it works and what I can do about it when it
doesn't work as I intend.

Q7: What is the best way of debugging these problems? Setting a
breakpoint followed by start debugging is useless because by the time
the page loads the security system has already bypassed the page which
I have bookmarked - which is neither loginUrl nor defaultUrl. For
instance when the user has a url bookmarked, for some annoying reason
the security system decides that the user should go to the defaultUrl
- how would I change that and debug what was going on?


<system.web>

  <authentication mode="Forms">
    <forms name="myWebSite" loginUrl="Login.aspx" defaultUrl="News/Default.aspx"
           protection="All" cookieless="AutoDetect"/>
  </authentication>

  <sessionState mode="InProc"
                stateConnectionString="tcpip=127.0.0.1:42424" cookieless="false"
                timeout="5"/>

</system.web>

<location path="Premium">
  <system.web>
    <authorization>
      <allow roles="Premium"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

<location path="Default.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

<location path="Premium.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
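Editor's note on Q1, Q2, Q4, Q5 and Q7. The checks are HTTP modules on the request pipeline, not page code, which is why a breakpoint in the bookmarked page never fires. FormsAuthenticationModule reads and decrypts the "myWebSite" cookie during AuthenticateRequest and sets Context.User to a principal whose FormsIdentity carries no roles; UrlAuthorizationModule then evaluates the <authorization> sections against that principal during AuthorizeRequest and answers a denial with a 401; at EndRequest FormsAuthenticationModule turns that 401 into a 302 to loginUrl with a ReturnUrl query-string parameter. Session_Start is the wrong hook: the session cookie and the forms ticket have independent lifetimes (with the posted config the session dies after 5 minutes while the default ticket lasts 30), and Session_Start fires only once per session. One check on the posted web.config: nothing in the root <system.web> denies anonymous users, so as written anyone can reach News/Default.aspx and every page outside Premium without logging in; a root <authorization><deny users="?"/></authorization> is what makes the <location> grants for Default.aspx and Premium.aspx meaningful. The Global.asax below is an added example, not code from this thread; it logs every request, rebuilds the principal with roles taken from the ticket's UserData (assumed to be a comma-separated list written by the login page), and traces the authorization outcome on the way out. The log path under App_Data is also an assumption.

```csharp
// Global.asax.cs: added example, not the poster's code. Assumes the login page
// stored a comma-separated role list in the ticket's UserData, and that the
// site may write to ~/App_Data (both assumptions).
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Q1: fires for every request, authenticated or not, before any security
    // module has run. Log everyone here rather than in Session_Start, which
    // fires once per session and knows nothing about the forms ticket.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest req = Context.Request;
        string line = string.Format("{0:o}\t{1}\t{2}\t{3}{4}",
            DateTime.UtcNow,
            req.UserHostAddress,
            Clean(req.UserAgent),
            req.Path,            // Path, not RawUrl: keeps query strings (and any
                                 // cookieless ticket) out of the log
            Environment.NewLine);
        File.AppendAllText(Server.MapPath("~/App_Data/visitors.log"), line);
    }

    // The User-Agent is attacker-controlled; strip the characters that would
    // let one request forge extra log lines or columns.
    private static string Clean(string header)
    {
        if (string.IsNullOrEmpty(header)) return "-";
        return header.Replace('\r', ' ').Replace('\n', ' ').Replace('\t', ' ');
    }

    // Q2/Q4: by the time this fires FormsAuthenticationModule has read and
    // decrypted the "myWebSite" cookie and set Context.User to a principal
    // whose FormsIdentity carries no roles. Replace it with one that does, so
    // UrlAuthorizationModule can match <allow roles="Premium"/> next.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        FormsIdentity identity = Context.User == null
            ? null
            : Context.User.Identity as FormsIdentity;
        if (identity == null) return;      // anonymous request, or no forms ticket

        string userData = identity.Ticket.UserData ?? "";
        string[] roles = userData.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        Context.User = new GenericPrincipal(identity, roles);
    }

    // Q5/Q7: there is no single "override security" routine; the checks are the
    // modules hooked to the events above. What they decided is visible on the
    // way out: a 401 means <authorization> denied the request, a 302 whose
    // Location is Login.aspx?ReturnUrl=... means FormsAuthenticationModule
    // already turned that denial into the login redirect. A breakpoint here
    // catches a bookmarked URL that never reaches its page.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpResponse resp = Context.Response;
        if (resp.StatusCode != 401 && resp.StatusCode != 302) return;

        string who = (Context.User != null && Context.User.Identity.IsAuthenticated)
            ? Context.User.Identity.Name
            : "anonymous";
        System.Diagnostics.Trace.WriteLine(string.Format("{0} {1} -> {2} {3}",
            who, Context.Request.Path, resp.StatusCode, resp.RedirectLocation ?? ""));
    }
}
```

Two consequences of this design worth knowing: because the roles are cached in the ticket, a change in member_group takes effect only at the user's next login (look the roles up from the database in Application_AuthenticateRequest instead if revocation has to be immediate, at the cost of a query per request); and once Context.User carries the roles, page code can also ask Context.User.IsInRole("Premium") directly, which is the same test UrlAuthorizationModule performs for the <location> rules.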

Peter Bradley

Well, as I've said many times before on here, we use forms authentication
with attributes that ensure that users are both logged in and in the correct
role to carry out the action they are attempting. It works well for us, and
means we can get what we want with minimal coding. In fact all our code is
pretty much the standard code you will see if you look up Forms
Authentication on msdn.

If I wanted to keep a site secure, I wouldn't rely on cookies at the expense
of getting users to authenticate. I'd want a new authentication for every
new session.

Just my 2c. YMMV.


Peter

mark4asp

Well, as I've said many times before on here, we use forms authentication
with attributes that ensure that users are both logged in and in the correct
role to carry out the action they are attempting. It works well for us, and
means we can get what we want with minimal coding. In fact all our code is
pretty much the standard code you will see if you look up Forms
Authentication on msdn.

If I wanted to keep a site secure, I wouldn't rely on cookies at the expense
of getting users to authenticate. I'd want a new authentication for every
new session.

Just my 2c. YMMV.

Peter

I suppose I should have said that I AM using forms authentication -
although you could have read as much from the snippet of web.config
which I gave.

The problem is that I'm only using some of it. The database already
exists. There's a member_group and member table in it. There are a
total of 8 roles for users and one of these roles is not stored in the
member table but in the member_group table. Some of these roles
depend upon combinations of column values from the tables.
Fortunately a member can only be in One member_group! - thank god for
small mercies.

As such there are major portions of the forms authentication
framework such as Membership which I can't use.

Anyhow, I found some helpful articles:

http://msdn2.microsoft.com/en-us/library/aa480476.aspx

http://msdn2.microsoft.com/en-us/library/ms978378.aspx

Anyhow there's a diagram in the first of these URLs which indicates
that it all happens in the LoginUrl (Figure 1 - Forms Authentication
Control Flow) which I guess is what I needed to know.
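Editor's note on Q3 and on the custom roles. defaultUrl is consulted only by FormsAuthentication.RedirectFromLoginPage / GetRedirectUrl (and by the Login control) when the request carries no ReturnUrl; if a bookmark ends up at defaultUrl, the ReturnUrl was missing or discarded, or the login code redirected there explicitly. Since the roles come from member and member_group rather than from Membership and RoleManager, the login page has to do both jobs itself: verify the credentials against the existing tables and issue a ticket that carries the roles. The Login.aspx code-behind below is an added example, not the poster's code. The in-memory rows stand in for the two tables (the table names are the poster's; the column names, the password-hash scheme, the rule combining columns into roles and the UserName/Password/FailureText control IDs are assumptions). The ReturnUrl is validated before use, because a crafted link to Login.aspx?ReturnUrl=//evil.example would otherwise bounce a fresh login off-site. One caveat on the posted cookieless="AutoDetect": for a client judged unable to accept cookies, the ticket is carried in the URL, where it lands in bookmarks, Referer headers and visitor logs; cookieless="UseCookies" avoids that.

```csharp
// Login.aspx.cs: added example, not the poster's code. The in-memory rows stand
// in for the poster's member and member_group tables; column names, the
// password-hash scheme, the role-combination rule and the control IDs
// (UserName, Password, FailureText, all runat="server") are assumptions.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LoginPage : Page
{
    protected TextBox UserName;
    protected TextBox Password;
    protected Label FailureText;

    // One row of member JOIN member_group (constructed sample data).
    private sealed class MemberRow
    {
        public readonly string PasswordHash;
        public readonly string GroupName;        // the one role kept in member_group
        public readonly bool SubscriptionPaid;   // an assumed member column
        public MemberRow(string hash, string group, bool paid)
        {
            PasswordHash = hash; GroupName = group; SubscriptionPaid = paid;
        }
    }

    private static readonly Dictionary<string, MemberRow> Members =
        new Dictionary<string, MemberRow>(StringComparer.OrdinalIgnoreCase);

    static LoginPage()
    {
        Members["alice"] = new MemberRow(Hash("correct horse"), "Subscriber", true);
        Members["bob"]   = new MemberRow(Hash("hunter2"), "Free", false);
    }

    // Roles derived from the tables: the group name itself, plus "Premium" when
    // a column combination says so. Role names must not contain commas because
    // they travel comma-separated in the ticket's UserData.
    private static string[] RolesFor(MemberRow m)
    {
        List<string> roles = new List<string>();
        roles.Add("Member");
        roles.Add(m.GroupName);
        if (m.GroupName == "Subscriber" && m.SubscriptionPaid) roles.Add("Premium");
        return roles.ToArray();
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        MemberRow row;
        if (!Members.TryGetValue(UserName.Text, out row) || !Verify(Password.Text, row.PasswordHash))
        {
            FailureText.Text = "Invalid user name or password.";  // same text for both failures
            return;
        }

        // Hand-built ticket instead of SetAuthCookie, so the roles ride in UserData.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, UserName.Text, DateTime.Now, DateTime.Now.AddMinutes(30),
            false,                                   // not persistent: a new browser session needs a new login
            string.Join(",", RolesFor(row)));
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                          // keep the ticket away from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // true only with requireSSL="true" in <forms>
        cookie.Path = FormsAuthentication.FormsCookiePath;
        Response.Cookies.Add(cookie);

        Response.Redirect(SafeReturnUrl(), true);
    }

    // Q3: the logic RedirectFromLoginPage hides. ReturnUrl is just the
    // query-string parameter the login redirect appended; defaultUrl from
    // <forms> is the fallback when it is absent. The parameter is
    // attacker-controlled, so only app-relative paths are accepted.
    private string SafeReturnUrl()
    {
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (string.IsNullOrEmpty(returnUrl)) return FormsAuthentication.DefaultUrl;

        bool local = returnUrl.StartsWith("/", StringComparison.Ordinal)
                  && !returnUrl.StartsWith("//", StringComparison.Ordinal)
                  && !returnUrl.StartsWith("/\\", StringComparison.Ordinal);
        return local ? returnUrl : FormsAuthentication.DefaultUrl;
    }

    private static string Hash(string password)
    {
        // Sample scheme only; a new table should use a salted, slow hash such as
        // Rfc2898DeriveBytes rather than a bare SHA-256.
        using (SHA256 sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(password)));
    }

    private static bool Verify(string password, string storedHash)
    {
        return string.Equals(Hash(password), storedHash, StringComparison.Ordinal);
    }
}
```

The markup is assumed to declare the three controls with those IDs and a Button whose OnClick is LoginButton_Click. With this in place the flow for a bookmarked Premium page is: anonymous request, 401 from UrlAuthorizationModule, 302 to Login.aspx?ReturnUrl=/Premium/..., successful login, ticket issued with UserData "Member,Subscriber,Premium", redirect back to the bookmarked path; a user whose roles lack "Premium" is instead sent by the same 401 path to the login page again, which is where the poster's own redirect to Premium.aspx would have to be added.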