View Full Version : securing with web.config

01-05-2005, 05:21 AM
Well i am finally working in .Net and trying to get the hang of it. To secure pages do i put a seperate web.config file in each of the secured directories? or do i make a change to the web.config file?

Here is my web.config file

<authentication mode="Forms">

<forms name=".ASPXAUTH"
path="/" />

<deny users="?" />

01-05-2005, 07:19 AM
the first thing is that with .nET 1.1 you can protect with web.config only one folder (personnally I don't use the web.config for protection)
then ... only one web.config at the root of your application (beside the global.asax)

<authentication mode="Forms">
<forms name="admin" loginUrl="~/admin/login.aspx" protection="All" timeout="30">
<allow users="*" />


in your login.aspx testing your username and password as you like

FormsAuthentication.RedirectFromLoginPage(textBoxLogin.Text, False)

01-05-2005, 05:40 PM
I am trying to make sure that I understand what you said. The web.config file should reside in the root directory, but I can protect a directory below that by having the login file inside the other directory?

What I need is a public section of the site which will be at the root level. This will have .htm and .aspx pages which are all publically viewable in it, and then a protected level which will be 1 level past that plus an admin level which is also protected.

If I was using classic .asp I would use a combination of session variables and info in database tables.

01-05-2005, 06:30 PM
the meaning of >>>

you are protecting the FULL folder admin and if you are not authentified you will be redirected to the page login.aspx

then let's say
// is your root, level 0



that's all what you need

but what you say is >>>
and then a protected level which will be 1 level past that plus an admin level which is also protected.

do you mean //FirstProtectedFolder/admin ?

if so you make your life complicated ... but why not anyway the web.config will protect only one folder

as I said before I never use it .. I use a httpModule or even better directly a protection level for each page