user access to only selected pages

joe

Some time ago I set up an ASP application that used a login page which
checked a username and password against a database to determine a user's
authorization to access certain pages on the site. This was done by setting
a session variable within the application if the user was authorized and
using code on each page for which protection was required to check for the
status of the session variable.

Now I am aware of the various techniques that ASP.NET provides to allow or
preclude access to asp.net apps but frankly I really liked that other one
because it didn't use cookies which many users are a bit afraid of.

My problem is this....I can't remember how I set it up and I don't know
where to look. I think I found the technique in an old ASP book (vs
asp.net).

Does anyone know where I can look to find this technique in the form of
sample code or a tutorial?

and

Is this a viable technique to use in ASP.Net?


Thanks in advance
 
You can put each group of files into their own subfolders under your root
web application, and then create a web.config for each subfolder with the
appropriate settings in it.
You could alternately do this with a single web.config file by using the
<location> tag.
Here's more info on that and an example:
http://www.dotnetbips.com/displayarticle.aspx?id=117
 
Thanks Steve, I've read that, but call me dumb, I don't see how it works.
Perhaps I'm missing something, I don't see the way it:

1) determines which users to permit access to

nor

2) how it maintains the users status once authorized should the user request
additional pages in the protected folder.


Is that done in the web.config file? I don't see any instructions at that
link on how to accomplish this without using cookies.
 
It uses forms authentication, which uses cookies.
Here's more info on basic forms authentication:
http://www.dotnetbips.com/displayarticle.aspx?id=9

Of course you can also set Forms Authentication to work if the user has
cookies turned off by setting the cookieless="true" in your web.config.
Then it will munge the session id into the URL automatically.
You can specify which files and folders to allow to which users in your
web.config file.
There is a link to sample code that you can download and play with.
http://www.dotnetbips.com/displayarticle.aspx?id=117
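
A single web.config of the kind discussed in this reply, as an added example that is not part of the original posts or the linked article. The folder name `members`, the page `login.aspx` and the user names are assumptions, and the `cookieless` values on `<forms>` are those of ASP.NET 2.0 and later.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication: an unauthenticated request for a protected
         resource is redirected to loginUrl. After a successful login the
         application issues an encrypted, signed authentication ticket that
         the browser presents on every later request; that ticket is how the
         user's status is maintained from page to page. -->
    <authentication mode="Forms">
      <!-- cookieless="UseCookies" keeps the ticket in a cookie.
           cookieless="UseUri" embeds it in the URL instead. A ticket in the
           URL can leak through bookmarks, copied links, proxy and server
           logs and the Referer header, so if UseUri is chosen keep the
           timeout short and serve the site over HTTPS only. -->
      <forms loginUrl="login.aspx"
             cookieless="UseCookies"
             requireSSL="true"
             timeout="20"
             slidingExpiration="true" />
    </authentication>

    <!-- Site default: everyone, including anonymous visitors, may browse. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Rules for one subfolder (hypothetical name "members"). Rules are
       evaluated top to bottom and the first match wins: the two named
       users (hypothetical) are allowed, everyone else is denied, and an
       anonymous visitor is sent to login.aspx. -->
  <location path="members">
    <system.web>
      <authorization>
        <allow users="alice,bob" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The user names in `<allow>` are matched against the name the login page passes when it issues the ticket, so where the credentials themselves are checked (a database, for instance) is independent of this file.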
 
Thanks Steve...I'll check it out.


Steve C. Orr said:
It uses forms authentication, which uses cookies.
Here's more info on basic forms authentication:
http://www.dotnetbips.com/displayarticle.aspx?id=9

Of course you can also set Forms Authentication to work if the user has
cookies turned off by setting the cookieless="true" in your web.config.
Then it will munge the session id into the URL automatically.
You can specify which files and folders to allow to which users in your
web.config file.
There is a link to sample code that you can download and play with.
http://www.dotnetbips.com/displayarticle.aspx?id=117
 
I see they have put the user names and passwords in the login.vb file. Isn't
this (hard coding) a potential security problem?

I realize it is not presented in the HTML on the client and the server does
all the work but it just makes me a bit uncomfortable.

Or am I wrong?
 
I don't mind taking the time posting but I do understand that for some
reading is a bit more difficult than it is for others.
 