Authentication

Maziar Aflatoun

Hi everyone,

I have a login .aspx page that I would like to forward my users to. However,
I can't do it using
<authorization>
.....
</authorization>
because I need anonymous users to use it without any authentication. We
have this in our Web.config file:
<authentication mode="Forms">
<forms name="tpweb" loginUrl="login.aspx"/>
</authentication>

In my code I say something like: if Session["myuser"] is not set,
Response.Redirect("/Login.aspx?with_the_return_page"). My question is:
is it possible to issue a command to do the redirect instead of
Response.Redirect("...")?

Thank you
Maz.

Lionel LASKE

My guess is that Server.Transfer("...") is a better method than
Response.Redirect("...") because in your case, you don't need to do a client
response.
I hope it could help.

Lionel.

MWells

Maziar, you lost me a bit with the anonymous-user support requirement.

Are you saying that the entire site needs to be usable by anonymous users,
but that you want it to behave a bit differently when users are
authenticated?

Or are you saying that portions of the site require authentication, whereas
others are fully public?

Maziar Aflatoun

Hi MWells,

Yes, exactly. /downloads is currently accessed by all users (limited file
listing); however, when they authenticate they see files based on their
groups in the database.

Thanks
Maz.


MWells

I usually use Forms Authentication in one of four models, which I'll call:

+ "Full Authentication" - meaning that the user can't see any page on the
site (excepting the login page) without first authenticating.
+ "Partial Authentication Closed" - meaning that most of the site requires
full authentication, but there are a couple of directories that are wide
open. Usually I use this to expose a debug directory, or a monitor
directory with heartbeat and testing functions that outside processes need
to reach.
+ "Partial Authentication Open" - meaning that most of the site is
unauthenticated, excepting a couple of directories that require login.
Usually used when I have admin tools built directly into the public site.
+ "Optional Authentication" - meaning that the user can access everything,
but that the application behaves differently for anonymous users than it
does for those who are logged in.

If I understand correctly, you're asking about #4, maybe in conjunction with
#2. I don't see any reason why both techniques wouldn't work in harmony, so
I'll outline both in case it's useful.

#2 is simplest, so I'll start there. Set up your site for regular Forms
Authentication. Lock it down so that any page that is accessed requires
authentication. Then, in any directories that you want to be open for
unauthenticated users, drop in a stripped-down Web.config that looks like
this:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>

In your main, root Web.config, the authorization section would read as:

<authorization>
<deny users="?" />
</authorization>

This denies all unauthenticated users throughout the application EXCEPT in
directories where you've put the alternate Web.config, which allows all
users.

Now for the fun part; model #4.

Anywhere in your .NET application you can determine whether the user is
authenticated or not by using:

Context.User.Identity.IsAuthenticated

If true, you can make any adjustments you want; such as making
administrative control panels visible, and so on.

In your case, you want to make /downloads available to all, but for
authenticated users to change the content based on user privileges. You'll
probably just do a database query when the user hits the page, passing in
the UserID, joining to groups, and then to your files listing. To make that
especially clean, take a look at:

http://www.dotnetcoders.com/web/Articles/ShowArticle.aspx?article=41

More or less, this allows you to append information to your forms
authentication ticket (UserID, a privs list, User name, ... ) and then
passes it back to the user as a cookie. Since it's a cookie, and you're
storing important data in there, make sure you're aware of any security
impacts. Unfortunately my knowledge of FormsAuth doesn't plumb the depths
of the ticket far enough to know what exposure you might face. Nonetheless
in apps with light-deterrent only, I find it extremely useful in that I can
gather all the info at login, and avoid per-page db queries regarding user
privs. Of course, Session vars, etc. could also do the job nicely, but I
still avoid those out of habit.

/// M

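As an added example (not code from this thread or from the linked article), here is how MWells's model #4 combined with the custom-ticket idea looks in C# for ASP.NET Forms Authentication: the login page packs the user id and group list into the ticket's UserData, and the /downloads code-behind reads it back through FormsIdentity instead of a Session variable. FileList, FileRepository.ListFor and the UserData layout are hypothetical names constructed for this example; the rest is the standard System.Web.Security API.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Issued at login once the credentials have been checked against the database.
// UserData carries the user id and groups so /downloads needs no per-request query.
// FormsAuthentication.Encrypt encrypts and MAC-protects the ticket with <machineKey>,
// so the browser can neither read nor alter the group list; it is still a bearer token.
public static class TicketIssuer
{
    public static HttpCookie CreateAuthCookie(string userName, int userId, string[] groups)
    {
        // Constructed layout: "<userId>|<group1>,<group2>"; keep it small, cookies have size limits.
        string userData = userId + "|" + string.Join(",", groups);
        var ticket = new FormsAuthenticationTicket(
            1,                            // ticket version
            userName,
            DateTime.Now,                 // issued
            DateTime.Now.AddMinutes(30),  // expires
            false,                        // not persistent: session cookie only
            userData,
            FormsAuthentication.FormsCookiePath);
        return new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from page script
            Secure = FormsAuthentication.RequireSSL,  // mirrors requireSSL on the <forms> element
            Path = FormsAuthentication.FormsCookiePath
        };
    }
}

// Code-behind for /downloads (model #4): anonymous users get the public listing,
// authenticated users get the files their groups allow, read from the ticket.
public partial class Downloads : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string[] groups = new string[0];
        var identity = Context.User.Identity as FormsIdentity;
        if (identity != null && identity.IsAuthenticated)
        {
            // FormsAuthenticationModule already decrypted and MAC-checked the ticket.
            string[] parts = identity.Ticket.UserData.Split('|');
            if (parts.Length == 2)
                groups = parts[1].Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        }
        // Hypothetical repository: returns public files plus those visible to the given groups.
        FileList.DataSource = FileRepository.ListFor(groups);
        FileList.DataBind();
    }
}
```

Because the group list lives in the cookie, a change of group membership in the database only takes effect when the user logs in again and a fresh ticket is issued; keep the expiry short if that matters.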

Maziar Aflatoun

Very informative :)

Thanks
Maz.
