forms-based authentication

  • Thread starter Thread starter Vic
  • Start date Start date
V

Vic

I am trying to implement a forms-based authentication on my website, so some
directories will have web.config file which will deny certain users, based
on role, etc. The problem I encountered is that it's only asp.net files (or
the files with the extension mapped to aspnet_isapi.dll) are the ones being
secured.

The solution I found is to map all of the extension I'd keep in my secured
directory to aspnet_isapi.dll.

I am planning to map .htm, *.exe, and *.shtm files to be processed by .NET.
How is it going to affect the performance of the site? Is there another way
of achieving the same thing?

Thanks,
Vic
 
I accomplished this in a recent project by putting other files in a private
directory.
Then when I needed to send one of the files to the user, I'd use
Response.WriteFile to grab the file from the private directory and output it
to the user. Of couse the ASPNET user account needs read access to the
private directory.
I used code similar to this:
Response.Clear();
Response.AddHeader("Content-Disposition","inline;filename=myfile.doc");
Response.WriteFile("c:\privatedir\myfile.doc");
 
Vic said:
I am trying to implement a forms-based authentication on my website, so some
directories will have web.config file which will deny certain users, based
on role, etc. The problem I encountered is that it's only asp.net files (or
the files with the extension mapped to aspnet_isapi.dll) are the ones being
secured.

The solution I found is to map all of the extension I'd keep in my secured
directory to aspnet_isapi.dll.

I am planning to map .htm, *.exe, and *.shtm files to be processed by ..NET.
How is it going to affect the performance of the site? Is there another way
of achieving the same thing?
Click to expand...

The only way to find out how it performs is to try it.

As a general statement, consider that it shouldn't be any worse than the
performance of processing ASP.NET files, which have to deal with executing
code and possibly even compiling it.

One thing to be aware of: the StaticFileHandler which ASP.NET uses for these
file types seems to read the entire file into memory before sending it out.
This can be an issue for huge files...
 
Thanks, John.

I think it's not such a hot idea, since some of the files are more than
20MB...

I'll probably use Steve's approach:
Response.WriteFile("c:\privatedir\myfile.doc");

Of course, this could also load the file in the memory first...

Thanks,
Vic
 
Thanks, Steve.

It sure does help...

Vic

Steve C. Orr said:
I accomplished this in a recent project by putting other files in a private
directory.
Then when I needed to send one of the files to the user, I'd use
Response.WriteFile to grab the file from the private directory and output it
to the user. Of couse the ASPNET user account needs read access to the
private directory.
I used code similar to this:
Response.Clear();
Response.AddHeader("Content-Disposition","inline;filename=myfile.doc");
Response.WriteFile("c:\privatedir\myfile.doc");

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net
Hire top-notch developers at http://www.able-consulting.com
Click to expand...
 
Steve.

Is there an easy way to simulate the Save As behavior with
Response.WriteFile() ? I want user to prompted with the Save As dialog and
the file to be downloaded to the specified location on user's PC, instead of
dumping it into the page.

Thanks in advance.

Vic
 
Vic said:
Thanks, John.

I think it's not such a hot idea, since some of the files are more than
20MB...

I'll probably use Steve's approach:
Response.WriteFile("c:\privatedir\myfile.doc");

Of course, this could also load the file in the memory first...
Click to expand...

Victor,

In a similar case, I wrote a asynchronous HttpHandler (implementing
IHttpAsyncHandler) to handle product downloads from our site. I found the
following article very helpful in that:

Use Threads and Build Asynchronous Handlers in Your Server-Side Web Code
(http://msdn.microsoft.com/msdnmag/issues/03/06/Threading/default.aspx).

I hope that helps,
John
 
Thanks John.

I read article -- it sure does make sense making those downloads a separate
thread.

Vic
 
Back
Top