Forms Authentication for only selected webforms? How to do this

[Rich]

Hi,

I might have missed this perhaps, but here's my query:

I am presently designing a site that is for public use in general. However,
several forms (pages) I need authentication from members.

For example: default.aspx is allowed for everyone, but members.aspx isn't
(and so are various pages)

So when public users try to access the members.aspx site, they will need to
log in. (typically on login.aspx)

If I use Forms-authentication, normally ALL requested pages will be
re-directed to the generic login.aspx page, on which the user credentials are
checked. This scenario will not work for me.

My main question is therefore, while using forms-authentication, can I setup
my default.aspx in such a way that it will NOT redirect to login.aspx when a
public user requests it? Would there be a property or such that I can set,
for example, so that requests to default.aspx will sort of bypass the
form-authentication mechanism.

Alternatively, I could check user credentials in every page.load-event in a
some kind of custom-security way, and deal with redirection to login.aspx
from there, but i guess I need to be sure whether nothing already exists that
deals with this while using forms-authentication.

Appreciate any feedback, tips, and comments etc...

[Brock Allen]

If you want to selectively configure authorization use the <location> element
in web.config. It allows you to change settings for a specific path:

<configuration>
<system.web>.....</system.web>

<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

<location path="admin.aspx">
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>

</configuration>

-Brock
DevelopMentor
[url]http://staff.develop.com/ballen[/url]

> Hi,
>
> I might have missed this perhaps, but here's my query:
>
> I am presently designing a site that is for public use in general.
> However, several forms (pages) I need authentication from members.
>
> For example: default.aspx is allowed for everyone, but members.aspx
> isn't (and so are various pages)
>
> So when public users try to access the members.aspx site, they will
> need to log in. (typically on login.aspx)
>
> If I use Forms-authentication, normally ALL requested pages will be
> re-directed to the generic login.aspx page, on which the user
> credentials are checked. This scenario will not work for me.
>
> My main question is therefore, while using forms-authentication, can I
> setup my default.aspx in such a way that it will NOT redirect to
> login.aspx when a public user requests it? Would there be a property
> or such that I can set, for example, so that requests to default.aspx
> will sort of bypass the form-authentication mechanism.
>
> Alternatively, I could check user credentials in every page.load-event
> in a some kind of custom-security way, and deal with redirection to
> login.aspx from there, but i guess I need to be sure whether nothing
> already exists that deals with this while using forms-authentication.
>
> Appreciate any feedback, tips, and comments etc...
>

[Rich]

Thanks! This is great help. I'm going to try that out, and am sure it will
solve my little problem.

Cheers!
Richard

"Brock Allen" wrote:

> If you want to selectively configure authorization use the <location> element
> in web.config. It allows you to change settings for a specific path:
>
> <configuration>
> <system.web>.....</system.web>
>
> <location path="default.aspx">
> <system.web>
> <authorization>
> <allow users="*" />
> </authorization>
> </system.web>
> </location>
>
> <location path="admin.aspx">
> <system.web>
> <authorization>
> <allow roles="Admin" />
> <deny users="*" />
> </authorization>
> </system.web>
> </location>
>
> </configuration>
>
> -Brock
> DevelopMentor
> [url]http://staff.develop.com/ballen[/url]
>
>
>

> > Hi,
> >
> > I might have missed this perhaps, but here's my query:
> >
> > I am presently designing a site that is for public use in general.
> > However, several forms (pages) I need authentication from members.
> >
> > For example: default.aspx is allowed for everyone, but members.aspx
> > isn't (and so are various pages)
> >
> > So when public users try to access the members.aspx site, they will
> > need to log in. (typically on login.aspx)
> >
> > If I use Forms-authentication, normally ALL requested pages will be
> > re-directed to the generic login.aspx page, on which the user
> > credentials are checked. This scenario will not work for me.
> >
> > My main question is therefore, while using forms-authentication, can I
> > setup my default.aspx in such a way that it will NOT redirect to
> > login.aspx when a public user requests it? Would there be a property
> > or such that I can set, for example, so that requests to default.aspx
> > will sort of bypass the form-authentication mechanism.
> >
> > Alternatively, I could check user credentials in every page.load-event
> > in a some kind of custom-security way, and deal with redirection to
> > login.aspx from there, but i guess I need to be sure whether nothing
> > already exists that deals with this while using forms-authentication.
> >
> > Appreciate any feedback, tips, and comments etc...
> >

>
>
>
>