user access to only selected pages

[joe]

Some time ago I set up an ASP application that used a login page which
checked a username and password against a database to determine a users
authorization to access certain pages on the site. This was done by setting
a session variable within the application if the user was authorized and
using code one each page for which protection was required to check for the
status of the session variable.

Now I am aware of the various techniques that ASP.NET provides to allow or
preclude access to asp.net apps but frankly I really liked that other one
because it didn't use cookies which many users are a bit afraid of.

My problem is this....I can't remember how I set it up and I don't know
where to look. I think I found the technique in an old ASP book (vs
asp.net).

Does anyone know where I can look to find this technique in the form of
sample code or a tutorial?

and

Is this a viable technique to use in ASP.Net?


Thanks in advance

[Steve C. Orr, MCSD]

You can put each group of files into their own subfolders under your root
web application, and then create a web.config for each subfolder with the
appropriate settings in it.
You could alternately do this with a single web.config file by using the
<location> tag.
Here's more info on that and an example:
[url]http://www.dotnetbips.com/displayarticle.aspx?id=117[/url]

--
I hope this helps,
Steve C. Orr, MCSD
[url]http://Steve.Orr.net[/url]


"joe" <contact_by_Newsgroup_only.please> wrote in message
news:u$wvWU1QDHA.2832@TK2MSFTNGP10.phx.gbl...

> Some time ago I set up an ASP application that used a login page which
> checked a username and password against a database to determine a users
> authorization to access certain pages on the site. This was done by

setting

> a session variable within the application if the user was authorized and
> using code one each page for which protection was required to check for

the

> status of the session variable.
>
> Now I am aware of the various techniques that ASP.NET provides to allow or
> preclude access to asp.net apps but frankly I really liked that other one
> because it didn't use cookies which many users are a bit afraid of.
>
> My problem is this....I can't remember how I set it up and I don't know
> where to look. I think I found the technique in an old ASP book (vs
> asp.net).
>
> Does anyone know where I can look to find this technique in the form of
> sample code or a tutorial?
>
> and
>
> Is this a viable technique to use in ASP.Net?
>
>
> Thanks in advance
>
>

[joe]

Thanks Steve I've read that but call me dumb but I don't see how it works.
Perhaps I'm missing something, I don't see the way it :

1) determines which users to permit access to

nor

2) how it maintains the users status once authorized should the user request
additional pages in the protected folder.


Is that done in the web.config file? I don't see any instructions at that
link on how to accomplish this whithout using cookies.






"Steve C. Orr, MCSD" <Steve@Orr.net> wrote in message
news:evYTDo1QDHA.3700@tk2msftngp13.phx.gbl...

> You can put each group of files into their own subfolders under your root
> web application, and then create a web.config for each subfolder with the
> appropriate settings in it.
> You could alternately do this with a single web.config file by using the
> <location> tag.
> Here's more info on that and an example:
> [url]http://www.dotnetbips.com/displayarticle.aspx?id=117[/url]
>
> --
> I hope this helps,
> Steve C. Orr, MCSD
> [url]http://Steve.Orr.net[/url]
>
>
> "joe" <contact_by_Newsgroup_only.please> wrote in message
> news:u$wvWU1QDHA.2832@TK2MSFTNGP10.phx.gbl...

> > Some time ago I set up an ASP application that used a login page which
> > checked a username and password against a database to determine a users
> > authorization to access certain pages on the site. This was done by

> setting

> > a session variable within the application if the user was authorized and
> > using code one each page for which protection was required to check for

> the

> > status of the session variable.
> >
> > Now I am aware of the various techniques that ASP.NET provides to allow

or

> > preclude access to asp.net apps but frankly I really liked that other

one

> > because it didn't use cookies which many users are a bit afraid of.
> >
> > My problem is this....I can't remember how I set it up and I don't know
> > where to look. I think I found the technique in an old ASP book (vs
> > asp.net).
> >
> > Does anyone know where I can look to find this technique in the form of
> > sample code or a tutorial?
> >
> > and
> >
> > Is this a viable technique to use in ASP.Net?
> >
> >
> > Thanks in advance
> >
> >

>
>

[Steve C. Orr, MCSD]

It uses forms authentication, which uses cookies.
Here's more info on basic forms authentication:
[url]http://www.dotnetbips.com/displayarticle.aspx?id=9[/url]

Of course you can also set Forms Authentication to work if the user has
cookies turned off by setting the cookieless="true" in your web.config.
Then it will munge the session id into the URL automatically.
You can specify which files and folders to allow to to which users in your
web.config file.
There is a link to sample code that you can download and play with.
[url]http://www.dotnetbips.com/displayarticle.aspx?id=117[/url]

--
I hope this helps,
Steve C. Orr, MCSD
[url]http://Steve.Orr.net[/url]



"joe" <contact_by_Newsgroup_only.please> wrote in message
news:u4AXzv1QDHA.304@tk2msftngp13.phx.gbl...

> Thanks Steve I've read that but call me dumb but I don't see how it works.
> Perhaps I'm missing something, I don't see the way it :
>
> 1) determines which users to permit access to
>
> nor
>
> 2) how it maintains the users status once authorized should the user

request

> additional pages in the protected folder.
>
>
> Is that done in the web.config file? I don't see any instructions at that
> link on how to accomplish this whithout using cookies.
>
>
>
>
>
>
> "Steve C. Orr, MCSD" <Steve@Orr.net> wrote in message
> news:evYTDo1QDHA.3700@tk2msftngp13.phx.gbl...

> > You can put each group of files into their own subfolders under your

root

> > web application, and then create a web.config for each subfolder with

the

> > appropriate settings in it.
> > You could alternately do this with a single web.config file by using the
> > <location> tag.
> > Here's more info on that and an example:
> > [url]http://www.dotnetbips.com/displayarticle.aspx?id=117[/url]
> >
> > --
> > I hope this helps,
> > Steve C. Orr, MCSD
> > [url]http://Steve.Orr.net[/url]
> >
> >
> > "joe" <contact_by_Newsgroup_only.please> wrote in message
> > news:u$wvWU1QDHA.2832@TK2MSFTNGP10.phx.gbl...

> > > Some time ago I set up an ASP application that used a login page which
> > > checked a username and password against a database to determine a

users

> > > authorization to access certain pages on the site. This was done by

> > setting

> > > a session variable within the application if the user was authorized

and

> > > using code one each page for which protection was required to check

for

> > the

> > > status of the session variable.
> > >
> > > Now I am aware of the various techniques that ASP.NET provides to

allow

> or

> > > preclude access to asp.net apps but frankly I really liked that other

> one

> > > because it didn't use cookies which many users are a bit afraid of.
> > >
> > > My problem is this....I can't remember how I set it up and I don't

know

> > > where to look. I think I found the technique in an old ASP book (vs
> > > asp.net).
> > >
> > > Does anyone know where I can look to find this technique in the form

of

> > > sample code or a tutorial?
> > >
> > > and
> > >
> > > Is this a viable technique to use in ASP.Net?
> > >
> > >
> > > Thanks in advance
> > >
> > >

> >
> >

>
>

[joe]

Thanks Steve...I'll check it out.


"Steve C. Orr, MCSD" <Steve@Orr.net> wrote in message
news:OkPIQ31QDHA.1988@TK2MSFTNGP12.phx.gbl...

> It uses forms authentication, which uses cookies.
> Here's more info on basic forms authentication:
> [url]http://www.dotnetbips.com/displayarticle.aspx?id=9[/url]
>
> Of course you can also set Forms Authentication to work if the user has
> cookies turned off by setting the cookieless="true" in your web.config.
> Then it will munge the session id into the URL automatically.
> You can specify which files and folders to allow to to which users in your
> web.config file.
> There is a link to sample code that you can download and play with.
> [url]http://www.dotnetbips.com/displayarticle.aspx?id=117[/url]
>
> --
> I hope this helps,
> Steve C. Orr, MCSD
> [url]http://Steve.Orr.net[/url]
>
>
>
> "joe" <contact_by_Newsgroup_only.please> wrote in message
> news:u4AXzv1QDHA.304@tk2msftngp13.phx.gbl...

> > Thanks Steve I've read that but call me dumb but I don't see how it

works.

> > Perhaps I'm missing something, I don't see the way it :
> >
> > 1) determines which users to permit access to
> >
> > nor
> >
> > 2) how it maintains the users status once authorized should the user

> request

> > additional pages in the protected folder.
> >
> >
> > Is that done in the web.config file? I don't see any instructions at

that

> > link on how to accomplish this whithout using cookies.
> >
> >
> >
> >
> >
> >
> > "Steve C. Orr, MCSD" <Steve@Orr.net> wrote in message
> > news:evYTDo1QDHA.3700@tk2msftngp13.phx.gbl...

> > > You can put each group of files into their own subfolders under your

> root

> > > web application, and then create a web.config for each subfolder with

> the

> > > appropriate settings in it.
> > > You could alternately do this with a single web.config file by using

the

> > > <location> tag.
> > > Here's more info on that and an example:
> > > [url]http://www.dotnetbips.com/displayarticle.aspx?id=117[/url]
> > >
> > > --
> > > I hope this helps,
> > > Steve C. Orr, MCSD
> > > [url]http://Steve.Orr.net[/url]
> > >
> > >
> > > "joe" <contact_by_Newsgroup_only.please> wrote in message
> > > news:u$wvWU1QDHA.2832@TK2MSFTNGP10.phx.gbl...
> > > > Some time ago I set up an ASP application that used a login page

which

> > > > checked a username and password against a database to determine a

> users

> > > > authorization to access certain pages on the site. This was done by
> > > setting
> > > > a session variable within the application if the user was authorized

> and

> > > > using code one each page for which protection was required to check

> for

> > > the
> > > > status of the session variable.
> > > >
> > > > Now I am aware of the various techniques that ASP.NET provides to

> allow

> > or

> > > > preclude access to asp.net apps but frankly I really liked that

other

> > one

> > > > because it didn't use cookies which many users are a bit afraid of.
> > > >
> > > > My problem is this....I can't remember how I set it up and I don't

> know

> > > > where to look. I think I found the technique in an old ASP book (vs
> > > > asp.net).
> > > >
> > > > Does anyone know where I can look to find this technique in the form

> of

> > > > sample code or a tutorial?
> > > >
> > > > and
> > > >
> > > > Is this a viable technique to use in ASP.Net?
> > > >
> > > >
> > > > Thanks in advance
> > > >
> > > >
> > >
> > >

> >
> >

>
>

[joe]

I see they have put the user names and passwords in the login.vb file. Isn't
this (hard coding) a potential security problem?

I realize it is not presented in the HTML on the client and the server does
all the work but it just makes me a bit uncomfortable.

Or am I wrong?




"joe" <contact_by_Newsgroup_only.please> wrote in message
news:eFxu791QDHA.3700@tk2msftngp13.phx.gbl...

> Thanks Steve...I'll check it out.
>
>
> "Steve C. Orr, MCSD" <Steve@Orr.net> wrote in message
> news:OkPIQ31QDHA.1988@TK2MSFTNGP12.phx.gbl...

> > It uses forms authentication, which uses cookies.
> > Here's more info on basic forms authentication:
> > [url]http://www.dotnetbips.com/displayarticle.aspx?id=9[/url]
> >
> > Of course you can also set Forms Authentication to work if the user has
> > cookies turned off by setting the cookieless="true" in your web.config.
> > Then it will munge the session id into the URL automatically.
> > You can specify which files and folders to allow to to which users in

your

> > web.config file.
> > There is a link to sample code that you can download and play with.
> > [url]http://www.dotnetbips.com/displayarticle.aspx?id=117[/url]
> >
> > --
> > I hope this helps,
> > Steve C. Orr, MCSD
> > [url]http://Steve.Orr.net[/url]
> >
> >
> >
> > "joe" <contact_by_Newsgroup_only.please> wrote in message
> > news:u4AXzv1QDHA.304@tk2msftngp13.phx.gbl...

> > > Thanks Steve I've read that but call me dumb but I don't see how it

> works.

> > > Perhaps I'm missing something, I don't see the way it :
> > >
> > > 1) determines which users to permit access to
> > >
> > > nor
> > >
> > > 2) how it maintains the users status once authorized should the user

> > request

> > > additional pages in the protected folder.
> > >
> > >
> > > Is that done in the web.config file? I don't see any instructions at

> that

> > > link on how to accomplish this whithout using cookies.
> > >
> > >
> > >
> > >
> > >
> > >
> > > "Steve C. Orr, MCSD" <Steve@Orr.net> wrote in message
> > > news:evYTDo1QDHA.3700@tk2msftngp13.phx.gbl...
> > > > You can put each group of files into their own subfolders under your

> > root

> > > > web application, and then create a web.config for each subfolder

with

> > the

> > > > appropriate settings in it.
> > > > You could alternately do this with a single web.config file by using

> the

> > > > <location> tag.
> > > > Here's more info on that and an example:
> > > > [url]http://www.dotnetbips.com/displayarticle.aspx?id=117[/url]
> > > >
> > > > --
> > > > I hope this helps,
> > > > Steve C. Orr, MCSD
> > > > [url]http://Steve.Orr.net[/url]
> > > >
> > > >
> > > > "joe" <contact_by_Newsgroup_only.please> wrote in message
> > > > news:u$wvWU1QDHA.2832@TK2MSFTNGP10.phx.gbl...
> > > > > Some time ago I set up an ASP application that used a login page

> which

> > > > > checked a username and password against a database to determine a

> > users

> > > > > authorization to access certain pages on the site. This was done

by

> > > > setting
> > > > > a session variable within the application if the user was

authorized

> > and

> > > > > using code one each page for which protection was required to

check

> > for

> > > > the
> > > > > status of the session variable.
> > > > >
> > > > > Now I am aware of the various techniques that ASP.NET provides to

> > allow

> > > or
> > > > > preclude access to asp.net apps but frankly I really liked that

> other

> > > one
> > > > > because it didn't use cookies which many users are a bit afraid

of.

> > > > >
> > > > > My problem is this....I can't remember how I set it up and I don't

> > know

> > > > > where to look. I think I found the technique in an old ASP book

(vs

> > > > > asp.net).
> > > > >
> > > > > Does anyone know where I can look to find this technique in the

form

> > of

> > > > > sample code or a tutorial?
> > > > >
> > > > > and
> > > > >
> > > > > Is this a viable technique to use in ASP.Net?
> > > > >
> > > > >
> > > > > Thanks in advance
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >

> >
> >

>
>

[Vincent V]

you should buy a book it would save time posting


"joe" <contact_by_Newsgroup_only.please> wrote in message
news:#LPVhI2QDHA.1560@TK2MSFTNGP12.phx.gbl...

> I see they have put the user names and passwords in the login.vb file.

Isn't

> this (hard coding) a potential security problem?
>
> I realize it is not presented in the HTML on the client and the server

does

> all the work but it just makes me a bit uncomfortable.
>
> Or am I wrong?
>
>
>
>
> "joe" <contact_by_Newsgroup_only.please> wrote in message
> news:eFxu791QDHA.3700@tk2msftngp13.phx.gbl...

> > Thanks Steve...I'll check it out.
> >
> >
> > "Steve C. Orr, MCSD" <Steve@Orr.net> wrote in message
> > news:OkPIQ31QDHA.1988@TK2MSFTNGP12.phx.gbl...

> > > It uses forms authentication, which uses cookies.
> > > Here's more info on basic forms authentication:
> > > [url]http://www.dotnetbips.com/displayarticle.aspx?id=9[/url]
> > >
> > > Of course you can also set Forms Authentication to work if the user

has

> > > cookies turned off by setting the cookieless="true" in your

web.config.

> > > Then it will munge the session id into the URL automatically.
> > > You can specify which files and folders to allow to to which users in

> your

> > > web.config file.
> > > There is a link to sample code that you can download and play with.
> > > [url]http://www.dotnetbips.com/displayarticle.aspx?id=117[/url]
> > >
> > > --
> > > I hope this helps,
> > > Steve C. Orr, MCSD
> > > [url]http://Steve.Orr.net[/url]
> > >
> > >
> > >
> > > "joe" <contact_by_Newsgroup_only.please> wrote in message
> > > news:u4AXzv1QDHA.304@tk2msftngp13.phx.gbl...
> > > > Thanks Steve I've read that but call me dumb but I don't see how it

> > works.

> > > > Perhaps I'm missing something, I don't see the way it :
> > > >
> > > > 1) determines which users to permit access to
> > > >
> > > > nor
> > > >
> > > > 2) how it maintains the users status once authorized should the user
> > > request
> > > > additional pages in the protected folder.
> > > >
> > > >
> > > > Is that done in the web.config file? I don't see any instructions

at

> > that

> > > > link on how to accomplish this whithout using cookies.
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > "Steve C. Orr, MCSD" <Steve@Orr.net> wrote in message
> > > > news:evYTDo1QDHA.3700@tk2msftngp13.phx.gbl...
> > > > > You can put each group of files into their own subfolders under

your

> > > root
> > > > > web application, and then create a web.config for each subfolder

> with

> > > the
> > > > > appropriate settings in it.
> > > > > You could alternately do this with a single web.config file by

using

> > the

> > > > > <location> tag.
> > > > > Here's more info on that and an example:
> > > > > [url]http://www.dotnetbips.com/displayarticle.aspx?id=117[/url]
> > > > >
> > > > > --
> > > > > I hope this helps,
> > > > > Steve C. Orr, MCSD
> > > > > [url]http://Steve.Orr.net[/url]
> > > > >
> > > > >
> > > > > "joe" <contact_by_Newsgroup_only.please> wrote in message
> > > > > news:u$wvWU1QDHA.2832@TK2MSFTNGP10.phx.gbl...
> > > > > > Some time ago I set up an ASP application that used a login page

> > which

> > > > > > checked a username and password against a database to determine

a

> > > users
> > > > > > authorization to access certain pages on the site. This was done

> by

> > > > > setting
> > > > > > a session variable within the application if the user was

> authorized

> > > and
> > > > > > using code one each page for which protection was required to

> check

> > > for
> > > > > the
> > > > > > status of the session variable.
> > > > > >
> > > > > > Now I am aware of the various techniques that ASP.NET provides

to

> > > allow
> > > > or
> > > > > > preclude access to asp.net apps but frankly I really liked that

> > other

> > > > one
> > > > > > because it didn't use cookies which many users are a bit afraid

> of.

> > > > > >
> > > > > > My problem is this....I can't remember how I set it up and I

don't

> > > know
> > > > > > where to look. I think I found the technique in an old ASP book

> (vs

> > > > > > asp.net).
> > > > > >
> > > > > > Does anyone know where I can look to find this technique in the

> form

> > > of
> > > > > > sample code or a tutorial?
> > > > > >
> > > > > > and
> > > > > >
> > > > > > Is this a viable technique to use in ASP.Net?
> > > > > >
> > > > > >
> > > > > > Thanks in advance
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >

> >
> >

>
>

[joe]

I don't mind taking the time posting but I do understand that for some
reading is a bit more difficult than it is for others.


"Vincent V" <vincentv@-n0-5pam-optushome.com.au> wrote in message
news:O2kefR2QDHA.3880@tk2msftngp13.phx.gbl...

> you should buy a book it would save time posting
>
>
> "joe" <contact_by_Newsgroup_only.please> wrote in message
> news:#LPVhI2QDHA.1560@TK2MSFTNGP12.phx.gbl...

> > I see they have put the user names and passwords in the login.vb file.

> Isn't

> > this (hard coding) a potential security problem?
> >
> > I realize it is not presented in the HTML on the client and the server

> does

> > all the work but it just makes me a bit uncomfortable.
> >
> > Or am I wrong?
> >
> >
> >
> >
> > "joe" <contact_by_Newsgroup_only.please> wrote in message
> > news:eFxu791QDHA.3700@tk2msftngp13.phx.gbl...

> > > Thanks Steve...I'll check it out.
> > >
> > >
> > > "Steve C. Orr, MCSD" <Steve@Orr.net> wrote in message
> > > news:OkPIQ31QDHA.1988@TK2MSFTNGP12.phx.gbl...
> > > > It uses forms authentication, which uses cookies.
> > > > Here's more info on basic forms authentication:
> > > > [url]http://www.dotnetbips.com/displayarticle.aspx?id=9[/url]
> > > >
> > > > Of course you can also set Forms Authentication to work if the user

> has

> > > > cookies turned off by setting the cookieless="true" in your

> web.config.

> > > > Then it will munge the session id into the URL automatically.
> > > > You can specify which files and folders to allow to to which users

in

> > your

> > > > web.config file.
> > > > There is a link to sample code that you can download and play with.
> > > > [url]http://www.dotnetbips.com/displayarticle.aspx?id=117[/url]
> > > >
> > > > --
> > > > I hope this helps,
> > > > Steve C. Orr, MCSD
> > > > [url]http://Steve.Orr.net[/url]
> > > >
> > > >
> > > >
> > > > "joe" <contact_by_Newsgroup_only.please> wrote in message
> > > > news:u4AXzv1QDHA.304@tk2msftngp13.phx.gbl...
> > > > > Thanks Steve I've read that but call me dumb but I don't see how

it

> > > works.
> > > > > Perhaps I'm missing something, I don't see the way it :
> > > > >
> > > > > 1) determines which users to permit access to
> > > > >
> > > > > nor
> > > > >
> > > > > 2) how it maintains the users status once authorized should the

user

> > > > request
> > > > > additional pages in the protected folder.
> > > > >
> > > > >
> > > > > Is that done in the web.config file? I don't see any instructions

> at

> > > that
> > > > > link on how to accomplish this whithout using cookies.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > "Steve C. Orr, MCSD" <Steve@Orr.net> wrote in message
> > > > > news:evYTDo1QDHA.3700@tk2msftngp13.phx.gbl...
> > > > > > You can put each group of files into their own subfolders under

> your

> > > > root
> > > > > > web application, and then create a web.config for each subfolder

> > with

> > > > the
> > > > > > appropriate settings in it.
> > > > > > You could alternately do this with a single web.config file by

> using

> > > the
> > > > > > <location> tag.
> > > > > > Here's more info on that and an example:
> > > > > > [url]http://www.dotnetbips.com/displayarticle.aspx?id=117[/url]
> > > > > >
> > > > > > --
> > > > > > I hope this helps,
> > > > > > Steve C. Orr, MCSD
> > > > > > [url]http://Steve.Orr.net[/url]
> > > > > >
> > > > > >
> > > > > > "joe" <contact_by_Newsgroup_only.please> wrote in message
> > > > > > news:u$wvWU1QDHA.2832@TK2MSFTNGP10.phx.gbl...
> > > > > > > Some time ago I set up an ASP application that used a login

page

> > > which
> > > > > > > checked a username and password against a database to

determine

> a

> > > > users
> > > > > > > authorization to access certain pages on the site. This was

done

> > by

> > > > > > setting
> > > > > > > a session variable within the application if the user was

> > authorized

> > > > and
> > > > > > > using code one each page for which protection was required to

> > check

> > > > for
> > > > > > the
> > > > > > > status of the session variable.
> > > > > > >
> > > > > > > Now I am aware of the various techniques that ASP.NET provides

> to

> > > > allow
> > > > > or
> > > > > > > preclude access to asp.net apps but frankly I really liked

that

> > > other
> > > > > one
> > > > > > > because it didn't use cookies which many users are a bit

afraid

> > of.

> > > > > > >
> > > > > > > My problem is this....I can't remember how I set it up and I

> don't

> > > > know
> > > > > > > where to look. I think I found the technique in an old ASP

book

> > (vs

> > > > > > > asp.net).
> > > > > > >
> > > > > > > Does anyone know where I can look to find this technique in

the

> > form

> > > > of
> > > > > > > sample code or a tutorial?
> > > > > > >
> > > > > > > and
> > > > > > >
> > > > > > > Is this a viable technique to use in ASP.Net?
> > > > > > >
> > > > > > >
> > > > > > > Thanks in advance
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >

> >
> >

>
>

[joe]

Thanks again Steve.


"Steve C. Orr, MCSD" <Steve@Orr.net> wrote in message
news:O$h5cU2QDHA.2636@TK2MSFTNGP10.phx.gbl...

> You can use a database for this if you prefer.
> Here are some examples:
>

[url]http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT03.asp[/url]

> [url]http://www.4guysfromrolla.com/webtech/121901-1.shtml[/url]
>
> --
> I hope this helps,
> Steve C. Orr, MCSD
> [url]http://Steve.Orr.net[/url]
>
>
> "joe" <contact_by_Newsgroup_only.please> wrote in message
> news:%23LPVhI2QDHA.1560@TK2MSFTNGP12.phx.gbl...

> > I see they have put the user names and passwords in the login.vb file.

> Isn't

> > this (hard coding) a potential security problem?
> >
> > I realize it is not presented in the HTML on the client and the server

> does

> > all the work but it just makes me a bit uncomfortable.
> >
> > Or am I wrong?
> >
> >
> >
> >
> > "joe" <contact_by_Newsgroup_only.please> wrote in message
> > news:eFxu791QDHA.3700@tk2msftngp13.phx.gbl...

> > > Thanks Steve...I'll check it out.
> > >
> > >
> > > "Steve C. Orr, MCSD" <Steve@Orr.net> wrote in message
> > > news:OkPIQ31QDHA.1988@TK2MSFTNGP12.phx.gbl...
> > > > It uses forms authentication, which uses cookies.
> > > > Here's more info on basic forms authentication:
> > > > [url]http://www.dotnetbips.com/displayarticle.aspx?id=9[/url]
> > > >
> > > > Of course you can also set Forms Authentication to work if the user

> has

> > > > cookies turned off by setting the cookieless="true" in your

> web.config.

> > > > Then it will munge the session id into the URL automatically.
> > > > You can specify which files and folders to allow to to which users

in

> > your

> > > > web.config file.
> > > > There is a link to sample code that you can download and play with.
> > > > [url]http://www.dotnetbips.com/displayarticle.aspx?id=117[/url]
> > > >
> > > > --
> > > > I hope this helps,
> > > > Steve C. Orr, MCSD
> > > > [url]http://Steve.Orr.net[/url]
> > > >
> > > >
> > > >
> > > > "joe" <contact_by_Newsgroup_only.please> wrote in message
> > > > news:u4AXzv1QDHA.304@tk2msftngp13.phx.gbl...
> > > > > Thanks Steve I've read that but call me dumb but I don't see how

it

> > > works.
> > > > > Perhaps I'm missing something, I don't see the way it :
> > > > >
> > > > > 1) determines which users to permit access to
> > > > >
> > > > > nor
> > > > >
> > > > > 2) how it maintains the users status once authorized should the

user

> > > > request
> > > > > additional pages in the protected folder.
> > > > >
> > > > >
> > > > > Is that done in the web.config file? I don't see any instructions

> at

> > > that
> > > > > link on how to accomplish this whithout using cookies.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > "Steve C. Orr, MCSD" <Steve@Orr.net> wrote in message
> > > > > news:evYTDo1QDHA.3700@tk2msftngp13.phx.gbl...
> > > > > > You can put each group of files into their own subfolders under

> your

> > > > root
> > > > > > web application, and then create a web.config for each subfolder

> > with

> > > > the
> > > > > > appropriate settings in it.
> > > > > > You could alternately do this with a single web.config file by

> using

> > > the
> > > > > > <location> tag.
> > > > > > Here's more info on that and an example:
> > > > > > [url]http://www.dotnetbips.com/displayarticle.aspx?id=117[/url]
> > > > > >
> > > > > > --
> > > > > > I hope this helps,
> > > > > > Steve C. Orr, MCSD
> > > > > > [url]http://Steve.Orr.net[/url]
> > > > > >
> > > > > >
> > > > > > "joe" <contact_by_Newsgroup_only.please> wrote in message
> > > > > > news:u$wvWU1QDHA.2832@TK2MSFTNGP10.phx.gbl...
> > > > > > > Some time ago I set up an ASP application that used a login

page

> > > which
> > > > > > > checked a username and password against a database to

determine

> a

> > > > users
> > > > > > > authorization to access certain pages on the site. This was

done

> > by

> > > > > > setting
> > > > > > > a session variable within the application if the user was

> > authorized

> > > > and
> > > > > > > using code one each page for which protection was required to

> > check

> > > > for
> > > > > > the
> > > > > > > status of the session variable.
> > > > > > >
> > > > > > > Now I am aware of the various techniques that ASP.NET provides

> to

> > > > allow
> > > > > or
> > > > > > > preclude access to asp.net apps but frankly I really liked

that

> > > other
> > > > > one
> > > > > > > because it didn't use cookies which many users are a bit

afraid

> > of.

> > > > > > >
> > > > > > > My problem is this....I can't remember how I set it up and I

> don't

> > > > know
> > > > > > > where to look. I think I found the technique in an old ASP

book

> > (vs

> > > > > > > asp.net).
> > > > > > >
> > > > > > > Does anyone know where I can look to find this technique in

the

> > form

> > > > of
> > > > > > > sample code or a tutorial?
> > > > > > >
> > > > > > > and
> > > > > > >
> > > > > > > Is this a viable technique to use in ASP.Net?
> > > > > > >
> > > > > > >
> > > > > > > Thanks in advance
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >

> >
> >

>
>