  1. #1

    securing with web.config

    Well, I am finally working in .NET and trying to get the hang of it. To secure pages, do I put a separate web.config file in each of the secured directories, or do I make a change to the web.config file?

    Here is my web.config file
    Code:
    <authentication mode="Forms">
    
             <forms name=".ASPXAUTH"
                               loginUrl="login.aspx"
                               protection="All"
                               timeout="30"
                               path="/" />
    
    </authentication>
    <authorization>
             <deny users="?" />
    </authorization>

  • #2
    the first thing is that with .NET 1.1 you can protect with web.config only one folder (personally I don't use the web.config for protection)
    then ... only one web.config at the root of your application (beside the global.asax)


    <authentication mode="Forms">
    <forms name="admin" loginUrl="~/admin/login.aspx" protection="All" timeout="30">
    </forms>
    </authentication>
    <authorization>
    <allow users="*" />
    </authorization>

    ---------------------------

    in your login.aspx, test your username and password as you like

    FormsAuthentication.RedirectFromLoginPage(textBoxLogin.Text, False)

  • #3
    I am trying to make sure that I understand what you said. The web.config file should reside in the root directory, but I can protect a directory below that by having the login file inside the other directory?

    What I need is a public section of the site which will be at the root level. This will have .htm and .aspx pages which are all publicly viewable in it, and then a protected level which will be 1 level past that plus an admin level which is also protected.

    If I was using classic .asp I would use a combination of session variables and info in database tables.

  • #4
    the meaning of >>>
    loginUrl="~/admin/login.aspx"

    you are protecting the FULL folder admin and if you are not authenticated you will be redirected to the page login.aspx

    then let's say
    // is your root, level 0

    //web.config
    //default.aspx
    //global.asax

    //admin/default.aspx
    //admin/login.aspx

    that's all you need

    but what you say is >>>
    and then a protected level which will be 1 level past that plus an admin level which is also protected.

    do you mean //FirstProtectedFolder/admin ?

    if so you make your life complicated ... but why not; anyway, the web.config will protect only one folder

    as I said before, I never use it ... I use an httpModule or, even better, directly a protection level for each page
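
A single root web.config can express the layout asked about in this thread (public root, a protected folder, a more restricted admin folder) with `<location>` elements; this is an added example, not part of any poster's reply. The folder names `members` and `admin` and the user name `siteadmin` are assumptions, and the `<forms>` settings are the ones from the first post.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <!-- Application-wide settings. <authentication> may only appear at the
       application root, so it is declared once here. -->
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/" />
    </authentication>

    <!-- Root level stays public, which also keeps login.aspx reachable
         by users who have not signed in yet. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Protected level (folder name "members" is an assumption):
       "?" means anonymous, so any signed-in user gets in. -->
  <location path="members">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Admin level (folder name "admin" and user "siteadmin" are assumptions):
       only the named account is allowed, everyone else is denied. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow users="siteadmin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

</configuration>
```

Authorization rules are evaluated top to bottom and the first match wins, so `<allow users="siteadmin" />` must come before `<deny users="*" />`. These rules only apply to requests that ASP.NET handles; under IIS 5/6 a .htm file in a protected folder is served directly by IIS unless the extension is mapped to ASP.NET.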

