FormAuthentication on ascx files

[Joey Lee]

Hi,

I have a default.aspx page which has PlaceHolder where it will call
different *.acx file based on the request url.
eg [url]http://localhost/default.aspx?module=home[/url]
will put a home.ascx in the place holder
and
eg [url]http://localhost/default.aspx?module=admin[/url]
will put a admin.ascx in the place holder

both the home and admin have its own folder respectively, where home.ascx is
in /home folder and admin.ascx is in /admin folder.

So I would like to implement form authentication, that if the user is not
authenticated, when the default page is called with the parameter of
module=admin, the user will be rejected.

As normal i will create another web.config file in the folder and restrict
all user which is not authenticated. However this did not work in my case
where the page which is invoked is the default.aspx page regardless of all
the .ascx files that are called.

From the look of it only if i create an aspx file in the admin folder and
call it like
[url]http://localhost/admin/admin.aspx[/url] then the authentication will work where
the user is rejected.

Is there any way to use form authentication for this?, or would I have to do
a different set of coding in the default page which will check if the ascx
page being called is retricted or not?

Or, would it be my design is totally wrong where i shouldn't have only a
single aspx file calling different "module" which are totally coded as ascx
files?

Thanks in advance.

Joey

[ranganh]

Dear Joey,

Your idea is good. But it doenst work as with normal when it comes to ascx
files. Basically ascx files are not pages but parts of a page and they are
rendered before the page is rendered.

One way to restrict users would be is to put the following code in the
codebehind of the usercontrol's page_load event as

If(! Page.User.Identity.IsAuthenticated)
{
Response.Redirect("LoginPage.aspx");
}

This should help you in filtering anonymous calls to admin sections.

Does that help.


"Joey Lee" wrote:

> Hi,
>
> I have a default.aspx page which has PlaceHolder where it will call
> different *.acx file based on the request url.
> eg [url]http://localhost/default.aspx?module=home[/url]
> will put a home.ascx in the place holder
> and
> eg [url]http://localhost/default.aspx?module=admin[/url]
> will put a admin.ascx in the place holder
>
> both the home and admin have its own folder respectively, where home.ascx is
> in /home folder and admin.ascx is in /admin folder.
>
> So I would like to implement form authentication, that if the user is not
> authenticated, when the default page is called with the parameter of
> module=admin, the user will be rejected.
>
> As normal i will create another web.config file in the folder and restrict
> all user which is not authenticated. However this did not work in my case
> where the page which is invoked is the default.aspx page regardless of all
> the .ascx files that are called.
>
> From the look of it only if i create an aspx file in the admin folder and
> call it like
> [url]http://localhost/admin/admin.aspx[/url] then the authentication will work where
> the user is rejected.
>
> Is there any way to use form authentication for this?, or would I have to do
> a different set of coding in the default page which will check if the ascx
> page being called is retricted or not?
>
> Or, would it be my design is totally wrong where i shouldn't have only a
> single aspx file calling different "module" which are totally coded as ascx
> files?
>
> Thanks in advance.
>
> Joey
>
>
>

[Joey Lee]

Thanks. That helps.

However i am wondering what does it mean by "form authentication protects
ascx files as well as all other a* files " which i read on the internet.

Joey

"ranganh" <ranganh@discussions.microsoft.com> wrote in message
news:91795D04-E535-49E4-A96D-A636EC0B6B56@microsoft.com...

>
>
> Dear Joey,
>
> Your idea is good. But it doenst work as with normal when it comes to

ascx

> files. Basically ascx files are not pages but parts of a page and they

are

> rendered before the page is rendered.
>
> One way to restrict users would be is to put the following code in the
> codebehind of the usercontrol's page_load event as
>
> If(! Page.User.Identity.IsAuthenticated)
> {
> Response.Redirect("LoginPage.aspx");
> }
>
> This should help you in filtering anonymous calls to admin sections.
>
> Does that help.
>
>
> "Joey Lee" wrote:
>

> > Hi,
> >
> > I have a default.aspx page which has PlaceHolder where it will call
> > different *.acx file based on the request url.
> > eg [url]http://localhost/default.aspx?module=home[/url]
> > will put a home.ascx in the place holder
> > and
> > eg [url]http://localhost/default.aspx?module=admin[/url]
> > will put a admin.ascx in the place holder
> >
> > both the home and admin have its own folder respectively, where

home.ascx is

> > in /home folder and admin.ascx is in /admin folder.
> >
> > So I would like to implement form authentication, that if the user is

not

> > authenticated, when the default page is called with the parameter of
> > module=admin, the user will be rejected.
> >
> > As normal i will create another web.config file in the folder and

restrict

> > all user which is not authenticated. However this did not work in my

case

> > where the page which is invoked is the default.aspx page regardless of

all

> > the .ascx files that are called.
> >
> > From the look of it only if i create an aspx file in the admin folder

and

> > call it like
> > [url]http://localhost/admin/admin.aspx[/url] then the authentication will work

where

> > the user is rejected.
> >
> > Is there any way to use form authentication for this?, or would I have

to do

> > a different set of coding in the default page which will check if the

ascx

> > page being called is retricted or not?
> >
> > Or, would it be my design is totally wrong where i shouldn't have only a
> > single aspx file calling different "module" which are totally coded as

ascx

> > files?
> >
> > Thanks in advance.
> >
> > Joey
> >
> >
> >

[ranganh]

It refers to that forms authentication protects by default, the files
handled by asp.net (aspnet_isapil.dll) such as aspx, ascx so that you dont
have to exclusively map the extensions to be handled by asp.net

Ok, say you want to protect a doc from being downloaded then along with
forms authentication, you also need to specify the handler in the IIS to make
asp.net handle the request for the doc type file. Else, it will be ignored
and will be downloaded regardless of whether the user is logged in or not.

Hope it clarifies.

"Joey Lee" wrote:

> Thanks. That helps.
>
> However i am wondering what does it mean by "form authentication protects
> ascx files as well as all other a* files " which i read on the internet.
>
> Joey
>
> "ranganh" <ranganh@discussions.microsoft.com> wrote in message
> news:91795D04-E535-49E4-A96D-A636EC0B6B56@microsoft.com...

> >
> >
> > Dear Joey,
> >
> > Your idea is good. But it doenst work as with normal when it comes to

> ascx

> > files. Basically ascx files are not pages but parts of a page and they

> are

> > rendered before the page is rendered.
> >
> > One way to restrict users would be is to put the following code in the
> > codebehind of the usercontrol's page_load event as
> >
> > If(! Page.User.Identity.IsAuthenticated)
> > {
> > Response.Redirect("LoginPage.aspx");
> > }
> >
> > This should help you in filtering anonymous calls to admin sections.
> >
> > Does that help.
> >
> >
> > "Joey Lee" wrote:
> >

> > > Hi,
> > >
> > > I have a default.aspx page which has PlaceHolder where it will call
> > > different *.acx file based on the request url.
> > > eg [url]http://localhost/default.aspx?module=home[/url]
> > > will put a home.ascx in the place holder
> > > and
> > > eg [url]http://localhost/default.aspx?module=admin[/url]
> > > will put a admin.ascx in the place holder
> > >
> > > both the home and admin have its own folder respectively, where

> home.ascx is

> > > in /home folder and admin.ascx is in /admin folder.
> > >
> > > So I would like to implement form authentication, that if the user is

> not

> > > authenticated, when the default page is called with the parameter of
> > > module=admin, the user will be rejected.
> > >
> > > As normal i will create another web.config file in the folder and

> restrict

> > > all user which is not authenticated. However this did not work in my

> case

> > > where the page which is invoked is the default.aspx page regardless of

> all

> > > the .ascx files that are called.
> > >
> > > From the look of it only if i create an aspx file in the admin folder

> and

> > > call it like
> > > [url]http://localhost/admin/admin.aspx[/url] then the authentication will work

> where

> > > the user is rejected.
> > >
> > > Is there any way to use form authentication for this?, or would I have

> to do

> > > a different set of coding in the default page which will check if the

> ascx

> > > page being called is retricted or not?
> > >
> > > Or, would it be my design is totally wrong where i shouldn't have only a
> > > single aspx file calling different "module" which are totally coded as

> ascx

> > > files?
> > >
> > > Thanks in advance.
> > >
> > > Joey
> > >
> > >
> > >

>
>
>