
View Full Version : securing with web.config



miranda
01-05-2005, 06:21 AM
Well, I am finally working in .NET and trying to get the hang of it. To secure pages, do I put a separate web.config file in each of the secured directories, or do I make a change to the web.config file?

Here is my web.config file


<authentication mode="Forms">

<forms name=".ASPXAUTH"
loginUrl="login.aspx"
protection="All"
timeout="30"
path="/" />

</authentication>
<authorization>
<deny users="?" />
</authorization>

gwendaal
01-05-2005, 08:19 AM
The first thing is that with .NET 1.1 you can protect with web.config only one folder (personally I don't use the web.config for protection).
Then ... only one web.config at the root of your application (beside the global.asax).


<authentication mode="Forms">
<forms name="admin" loginUrl="~/admin/login.aspx" protection="All" timeout="30">
</forms>
</authentication>
<authorization>
<allow users="*" />
</authorization>

---------------------------

In your login.aspx, test your username and password as you like:

FormsAuthentication.RedirectFromLoginPage(textBoxLogin.Text, False)

miranda
01-05-2005, 06:40 PM
I am trying to make sure that I understand what you said. The web.config file should reside in the root directory, but I can protect a directory below that by having the login file inside the other directory?

What I need is a public section of the site which will be at the root level. This will have .htm and .aspx pages which are all publicly viewable in it, and then a protected level which will be 1 level past that plus an admin level which is also protected.

If I was using classic .asp I would use a combination of session variables and info in database tables.

gwendaal
01-05-2005, 07:30 PM
the meaning of >>>
loginUrl="~/admin/login.aspx"

You are protecting the FULL folder admin, and if you are not authenticated you will be redirected to the page login.aspx.

then let's say
// is your root, level 0

//web.config
//default.aspx
//global.asax

//admin/default.aspx
//admin/login.aspx

That's all you need.

but what you say is >>>
and then a protected level which will be 1 level past that plus an admin level which is also protected.

do you mean //FirstProtectedFolder/admin ?

If so, you make your life complicated ... but why not. Anyway, the web.config will protect only one folder.

As I said before, I never use it ... I use an httpModule or, even better, directly a protection level for each page.
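
The layout asked about in this thread (public root, a protected level below it, and a protected admin level) can be expressed in a single root web.config using `<location>` elements. This is an added example, not part of any post above; the `members` folder name and the `Admins` role are assumed names.

```xml
<!-- Root web.config (added example; "members" and "Admins" are assumed names) -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/" />
    </authentication>

    <!-- Root level: public, anonymous users allowed -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Protected level: "?" means anonymous, so any logged-in user gets in -->
  <location path="members">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Admin level: rules are evaluated top-down and the first match wins,
       so the role is allowed first and everyone else is denied after it -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

These rules only apply to requests that ASP.NET handles, so on IIS 5/6 a .htm file inside `members` or `admin` is served directly by IIS unless that extension is mapped to ASP.NET. The `roles` rule also assumes the application attaches roles to the authenticated principal (for example in Global.asax), since forms authentication alone supplies only the user name.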


