Forms based security


  1. #1

    Forms based security

    Hi there,
    In forms based security do I have to arrange pages into subdirectories
    in order to secure them? I want the public to access my home page and
    public content but want to restrict other content only to those for whom
    I've granted a userid. Seems like I must organize all the private content
    into one or more subdirectories. My problem is that I have some content
    that should be accessible to both and I hate to have to specify directory
    names when redirecting. Is there something that I can place in the load
    event of each page that checks to see if the user has been authenticated
    (checks for the cookie that would have been created)




    Charlie Dison Guest

  3. #2

    RE: Forms based security

    Hi Charlie,

    To get the form authentication cookie, you may get the cookie name from:

    FormsAuthentication.FormsCookieName

    However, the cookie is encrypted, and we cannot get its actual value.

    Regarding the issue, since the content is accessible to both
    authenticated users and others, you can just leave the content public. Is
    this right?

    If you have private and public content on the same web form, you may consider
    the following workaround:

    When performing forms authentication, you can add a cookie yourself,
    indicating the user has been authenticated. And then, arrange pages based
    on this cookie value.

    Hope this helps,

    Luke
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)

    [MSFT] Guest

  4. #3

    RE: Forms based security

    Dear Charlie,

    You don't need to arrange the authenticated pages inside a folder. You can specify the pages (say, if they are minimum 5 pages, etc.) using location path. In that, you can also specify to allow the users for whom you gave a userid. The following illustration shows the same:

    <!-- web.config: <location> is a child of the root <configuration> element -->
    <location path="ProtectedPage1.aspx">
      <system.web>
        <authorization>
          <allow users="UserId" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    The above would allow users with the above userid (whatever you give) and will deny all other users (anonymous and logged in).

    However, in case you want to allow users with the above userid as well as their own userid (logged in), change the <deny users="?" />. This will restrict only people who are not logged in.

    To check whether the user is logged in, use

    if (User.Identity.IsAuthenticated)
    {
        // the user is logged in
    }

    To get the user's ID, use

    User.Identity.Name

    Hope it helps.

    "Charlie Dison" wrote:
    > Hi there,
    > In forms based security do I have to arrange pages into subdirectories
    > in order to secure them? I want the public to access my home page and
    > public content but want to restrict other content only to those for whom
    > I've granted a userid. Seems like I must organize all the private content
    > into one or more subdirectories. My problem is that I have some content
    > that should be accessible to both and I hate to have to specify directory
    > names when redirecting. Is there something that I can place in the load
    > event of each page that checks to see if the user has been authenticated
    > (checks for the cookie that would have been created)
    >
    >
    >
    >
    >
    ranganh Guest
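
    Added example (not part of the thread and not the posters' code): a C# code-behind for the two page-level checks asked about here, a base class that sends anonymous visitors to the login page and a mixed page that shows a private panel only to signed-in users. The names MembersOnlyPage, Mixed, PrivatePanel and Greeting are hypothetical, and FormsAuthentication.RedirectToLoginPage assumes ASP.NET 2.0 or later.

    ```csharp
    using System;
    using System.Web.Security;
    using System.Web.UI;
    using System.Web.UI.WebControls;

    // Hypothetical base class: inherit from it on pages that require a login,
    // instead of listing each page in its own <location> element.
    public class MembersOnlyPage : Page
    {
        protected override void OnLoad(EventArgs e)
        {
            // User.Identity is filled in by the forms authentication module from
            // the validated ticket, so the page never reads a cookie itself.
            if (!User.Identity.IsAuthenticated)
            {
                // Redirects to the loginUrl from web.config with ReturnUrl set.
                FormsAuthentication.RedirectToLoginPage();
                // RedirectToLoginPage does not end the request by itself; stop
                // here so no Load handler or postback event runs for this visitor.
                Response.End();
                return;
            }
            base.OnLoad(e);
        }
    }

    // Hypothetical page with both public and private content (Mixed.aspx).
    public class Mixed : Page
    {
        // Controls assumed to be declared in Mixed.aspx with runat="server".
        // With partial-class code-behind the designer generates these fields.
        protected Panel PrivatePanel;
        protected Label Greeting;

        protected void Page_Load(object sender, EventArgs e)
        {
            bool signedIn = User.Identity.IsAuthenticated;
            // Hidden server controls are not rendered, so the private markup
            // is never sent to an anonymous browser.
            PrivatePanel.Visible = signedIn;
            Greeting.Text = signedIn
                ? "Signed in as " + Server.HtmlEncode(User.Identity.Name)
                : "Browsing anonymously";
        }
    }
    ```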

  5. #4

    Re: Forms based security

    Ok. That helps. Thanks
    "ranganh" <ranganh@discussions.microsoft.com> wrote in message
    news:985ABE3F-3E97-4557-93E8-1EDE5C89D06F@microsoft.com...
    > Dear Charlie,
    >
    > You don't need to arrange the authenticated pages inside a folder. You
    > can specify the pages (say, if they are minimum 5 pages, etc.) using location
    > path. In that, you can also specify to allow the users for whom you gave
    > a userid. The following illustration shows the same:
    >
    > <location path="ProtectedPage1.aspx">
    > <system.web>
    > <authorization>
    > <allow users="UserId" />
    > <deny users="*" />
    > </authorization>
    > </system.web>
    > </location>
    >
    > The above would allow users with the above userid (whatever you give) and
    > will deny all other users (anonymous and logged in).
    >
    > However, in case you want to allow users with the above userid as well as
    > their own userid (logged in), change the <deny users="?" />. This will
    > restrict only people who are not logged in.
    >
    > To check whether the user is logged in, use
    >
    > if(User.Identity.IsAuthenticated)
    > {
    >
    > }
    >
    > To get the user's ID, use
    >
    > User.Identity.Name
    >
    > Hope it helps.
    >
    > "Charlie Dison" wrote:
    >
    > > Hi there,
    > > In forms based security do I have to arrange pages into subdirectories
    > > in order to secure them? I want the public to access my home page and
    > > public content but want to restrict other content only to those for whom
    > > I've granted a userid. Seems like I must organize all the private content
    > > into one or more subdirectories. My problem is that I have some content
    > > that should be accessible to both and I hate to have to specify directory
    > > names when redirecting. Is there something that I can place in the load
    > > event of each page that checks to see if the user has been authenticated
    > > (checks for the cookie that would have been created)

    Charlie Dison Guest

  6. #5

    Re: Forms based security

    Ok. That helps. Thanks
    "[MSFT]" <lukezhan@online.microsoft.com> wrote in message
    news:X82wmA0VEHA.692@cpmsftngxa10.phx.gbl...
    > Hi Charlie,
    >
    > To get the form authentication cookie, you may get the cookie name from:
    >
    > FormsAuthentication.FormsCookieName
    >
    > However, the cookie is encrypted, and we cannot get its actual value.
    >
    > Regarding the issue, since the content is accessible to both
    > authenticated users and others, you can just leave the content public. Is
    > this right?
    >
    > If you have private and public content on the same web form, you may
    > consider the following workaround:
    >
    > When performing forms authentication, you can add a cookie yourself,
    > indicating the user has been authenticated. And then, arrange pages based
    > on this cookie value.
    >
    > Hope this helps,
    >
    > Luke
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)

    Charlie Dison Guest
