Web.config: <allow users="xxxx" /> Where does xxxx come from?

[sjl]

I'm using Forms Authentication. When I authenticate a user from a database,
I use the following line:
FormsAuthentication.RedirectFromLoginPage(paramete rID.Value.ToString(),chkRemember.Checked);

where parameterID.Value is the ouput parameter from my stored proc which is
the primary key from the database of the user who logged in. That way, I
always use that key when writing back to the database for various tasks
(Page.User.Identity.Name). Is that the same value that gets evaluated in
the web.config file authorization section to allow/deny users? For example,
what user am I really looking for if I use <allow users="xxxx" /> in the
web.config file? They login using email/password, but I write the
authentication ticket using the primary key from the database.

What I'm really wanting to do is use forms auth to secure one folder for
only authenticated users. Anyone who is registered on my site and logs in
can get to all files in that folder. Additionally, I'd like to have an
administrative back-end for the site in another subfolder that will only all
myself into. Am I forced to use roles to accomplish this or can I do this
with simple web.config settings?

Thanks in advance.
sjl

[MasterGaurav]

Just use:
<deny users="?"/>

Anyway... "XXXX" in <allow users=..."/> is the list of users that will
be allowed access. It's the same as the first parameter in
RedirectFromLoginPage(...) method.

For your situation, you may like to do the following:

<location path="dirName">
<system.web>
<authorization>
<deny users="?"/> <!-- Denying anonymous users -->
</authorization>
<authentication mode="Forms">
....
</authentication>
</system.web>
</location>



--
Cheers,
Gaurav Vaish
[url]http://www.mastergaurav.org[/url]
[url]http://mastergaurav.blogspot.com[/url]
--------------------------------

[sjl]

Thanks Gaurav. Since I want to deny anonymous users AND all authenticated
users other than myself for this Admin folder, wouldn't I also need to add
<allow users="1" /> where my primary key ID from the database is 1? Or, do
I need to deny ALL users (<deny users="*"/>) and only <allow users = "1" />?
I'm pretty sure I've tried this, but couldn't determine why it wasn't only
allowing my account access and not all others.

I'll keep working on it. You've answered my question though regarding where
the xxxx comes from in the allow/deny users statement for the web.config.

Thanks,
sjl


"MasterGaurav" <gaurav.vaish@gmail.com> wrote in message
news:1114493976.328298.251340@f14g2000cwb.googlegr oups.com...

> Just use:
> <deny users="?"/>
>
> Anyway... "XXXX" in <allow users=..."/> is the list of users that will
> be allowed access. It's the same as the first parameter in
> RedirectFromLoginPage(...) method.
>
> For your situation, you may like to do the following:
>
> <location path="dirName">
> <system.web>
> <authorization>
> <deny users="?"/> <!-- Denying anonymous users -->
> </authorization>
> <authentication mode="Forms">
> ....
> </authentication>
> </system.web>
> </location>
>
>
>
> --
> Cheers,
> Gaurav Vaish
> [url]http://www.mastergaurav.org[/url]
> [url]http://mastergaurav.blogspot.com[/url]
> --------------------------------
>

[MasterGaurav]

Ok.. then do:

<allow users="comma, separated, list, of, id"/>
<deny users="*"/>

Allow first.
Deny next.

--
Cheers,
Gaurav Vaish
[url]http://www.mastergaurav.org[/url]
[url]http://mastergaurav.blogspot.com[/url]
--------------------------------