Authentication in ASP.NET: best practice?


  1. #1

    Authentication in ASP.NET: best practice?

    I'd like to poll for some best practices about ASP.NET application
    security.

    Here's what it's about:
    I wanna develop an ASP.NET web application with VS.NET 2003. This
    application consists of some pages which are available for anonymous
    users and some that are NOT available for anonymous users (i.e. need
    authentication).

    To achieve this I set the web.config <authentication>-tag to <forms
    ....> and <deny users="?"> in the <authorization>-tag. This will
    redirect every unknown user to my login-form. To allow anonymous users
    to browse to the other pages (which don't need authentication) I made a
    second project. Here the <authorization>-tag in the web.config stated
    <allow users="*">

    But, since my application is not really big I thought this is too much
    work (i.e. creating two projects), since I only need authentication
    for half of my ASP.NET pages. Maybe there is another way. I was
    thinking of making a new login-form where I set an attribute in the
    session state. Then in every page which needs authentication, I check
    if this attribute is set in the page_load. If not, redirect the
    user to the login-form. To log out the user can either close the
    browser or I redirect them to a form where they can sign out (which
    will delete the session attribute).

    Please share your thoughts about this. Maybe there are even (!) better
    ideas.

    Kind regards,

    Jules Hoppenbrouwers

    < Don't reply by email. Use this forum instead.>
    Jules Hoppenbrouwers Guest

  3. #2

    RE: Authentication in ASP.NET: best practice?

    I don't believe that your web.config must be global to the project. Try
    creating a subdirectory for your project and put a second web.config in
    there. Some settings cannot be overridden and it doesn't make sense to put
    them in both locations, but the authentication and authorization stuff is
    ok I think.

    You will want the root to allow anonymous access, but then for any of the
    pages that are restricted and in your second folder, the web.config will
    notice that you marked that one as needing authentication and redirect to
    the login.aspx page you specified unless they are already logged in.

    I've done this before but don't have the project in front of me anymore to
    send you my config files, but give that a try.

    -----------

    This posting is provided "AS IS" with no warranties, and
    confers no rights.

    Please do not send e-mail directly to this alias. This
    alias is for newsgroup purposes only.

    Thanks
    Nick
    Nick Hertl Guest
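
The layout described in the reply above, as an added example that is not part of the original thread or taken from the poster's project. The folder name `Members` and the `<forms>` attribute values are assumptions; `login.aspx` is the login page named in the reply. `<authentication>` is one of the settings that can only be declared at application level, so the subfolder file overrides `<authorization>` only.

```xml
<!-- /web.config (application root): forms authentication is declared once
     here; <authentication> is only allowed at application level. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Attribute values below are illustrative assumptions -->
      <forms name=".ASPXAUTH" loginUrl="login.aspx"
             protection="All" timeout="30" path="/" />
    </authentication>
    <authorization>
      <!-- Root pages stay open to everyone, including anonymous users -->
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- /Members/web.config (hypothetical subfolder holding the restricted
     pages): only <authorization> is overridden; "?" = anonymous users. -->
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>

<!-- Single-file alternative: instead of the second file, add this element
     as a child of <configuration> in the root web.config. -->
<location path="Members">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
```

URL authorization applies only to requests that ASP.NET handles; on IIS 5/6, static files in the restricted folder that are not mapped to ASP.NET are served without this check.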

  4. #3

    RE: Authentication in ASP.NET: best practice?

    Shoot... it looks like I've deleted those files. But just try creating new
    web.config files in the subdirectories with the settings that you want to
    override. It will tell you about it and throw an error if it doesn't like
    your configuration. And if it doesn't complain, try logging in and see
    what all you can access. I remember I figured this one out by braille with
    some help from my trusty ASP.NET Unleashed book by Walther.

    This posting is provided "AS IS" with no warranties, and
    confers no rights.

    Please do not send e-mail directly to this alias. This
    alias is for newsgroup purposes only.

    Thanks
    Nick

    Nick Hertl Guest
