URL security problem

[angus]

Dear All,

In my web application, i have a login screen to allow the user to login to
my system.

all user should be logined in before they can use the system.

my question is

how to aviod the user from directly access my system by typing the exact
URL?

e.g.

http://localhost/demo/data/search.aspx

?

Regards,
Angus

 

[Rob Meade]

...

how to aviod the user from directly access my system by typing the exact
URL?

Store the fact that the user is logged in - in a session variable, then each
page checks for it, if it doesnt exist, either because their session has
expired or because they are trying to get in without logging it - redirect
them back to the login page.

Regards

Rob

 

[Saber]

in web.config add:
<location path="data/search.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

somewhere between <configuration> and </configuration>

 

[mortb]

This is best set in the web.config file
The settings below will redirect all users to the page myloginpage.aspx

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<customErrors mode="On" />

<authorization>
<deny users="?" />
</authorization>

<authentication mode="Forms">
<forms name="icontoolweb" path="/" protection="All"
loginUrl="myloginpage.aspx" timeout="400">
</forms>
</authentication>

</system.web>
<configuration>


in the loginpage yoou do some authorization then you call :
FormsAuthentication.RedirectFromLoginPage(userid, true);

Which will automatically return the user to the page he tried to access
directly

cheers,
mortb