Wrox Programmer Forums

ASP.NET 1.0 and 1.1 Professional For advanced ASP.NET 1.x coders. Beginning-level questions will be redirected to other forums. NOT for "classic" ASP 3 or the newer ASP.NET 2.0 and 3.5
#1 (permalink)
January 17th, 2008, 01:36 AM
r_ganesh76
Authentication

Hi Experts,

In my asp.net application, I have a login page which secures the individual pages using session. Basically I want to allow all the people in my LDAP access to the individual pages. This is perfectly done by my login.aspx.

I handle the session thru global.asax events, which will check for the existence of the session variables and redirect thru the login page in case session is missing. This works fine for all the aspx files. But the global.asax event does not capture the session when the request comes for pdf/doc.

So the pdf/doc inside my application are unsecured in the sense anybody can access that without login if they know the url or have bookmarked the url.

Is there any way to handle this situation? Please advise

Regards
Ganesh
http://ganeshprof.blogspot.com
Find your solution here...
#2 (permalink)
January 17th, 2008, 11:01 AM
planoie

Question: Why are you re-inventing what ASP.NET already does (Forms Authentication)?

Code in your application's Global class can only run for files that are handled by the ASP.NET runtime. This is set by IIS. By default, any file other than those used in a .NET project is not handled by the ASP.NET runtime. Thus you don't get any of the security features for those other files.

One solution is to modify IIS. Go to the web site or virtual directory for this application, then choose Properties from its context menu. Go to the "Directory" tab, and click the "Configuration" button. Under the "Mappings" tab you can add a file extension for all file types you wish to secure. Even though a PDF or DOC file is meaningless to the ASP.NET runtime, the request will be handled by the runtime's ISAPI and will then be subject to the rules defined in the web config and application code. I just tried it with some XML files and by turning on forms authentication for a test virtual directory. Worked great! You will suffer a performance hit because lots of non-aspx requests will be run through the runtime application instead of just being served by IIS directly. However, this should be negligible and is likely the only solution.

-Peter
#3 (permalink)
January 18th, 2008, 01:17 AM
r_ganesh76

Thanks, Peter, for your reply.

I have done the same thing in my IIS configuration. However, the global.asax event does not handle session for such files. Can this be achieved thru forms authentication?

Regards
Ganesh
http://ganeshprof.blogspot.com
Find your solution here...
#4 (permalink)
January 18th, 2008, 11:34 AM
planoie

I had success in having the ASP.NET runtime handle the request but I did not try any global code for it. It is possible that only resources that actually require some processing (ASPX, ASMX, ASHX) will result in execution of global events.

The reason I used forms authentication was that it was the fastest way to see that the ASP.NET runtime was actually handling the call without writing any code in the global class. I simply got a redirect to the login page of the app when I requested a file with the extension I added to the IIS configuration. This wasn't a completely accurate test. I guess I made the unfair assumption that the global events would be handled any time the runtime handled a file request. That doesn't seem to be the case.

I'm not sure how you would go about changing this behavior. However, this gets us back to my original question and your last question. What you describe in your first post about redirecting the user based on session var checks is precisely what forms authentication is designed to do (although it's based on the presence of a forms auth ticket cookie). Forms auth handles all the logic to deny requests to unauthenticated users. There are many ways to authenticate the user so you can still use LDAP to authenticate users. I haven't worked with it so I can't provide any concrete examples. I imagine you already have code that works with that so you really just need to implement forms auth and eliminate the global event handlers.

-Peter
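
A web.config sketch of the forms authentication setup discussed in this thread, added here as an example and not posted by either participant. It assumes the IIS mapping from post #2 is in place for .pdf and .doc, that the login page is login.aspx as in post #1, and that the commented-out "before" state is a guess at the original configuration; the cookie name and timeout are illustrative values.

```xml
<?xml version="1.0"?>
<!-- web.config at the application root (added example).
     Prerequisite from the thread: in IIS, .pdf and .doc are mapped to the
     ASP.NET ISAPI extension, so requests for them enter the ASP.NET runtime. -->
<configuration>
  <system.web>
    <!-- Before (assumed earlier state): no ASP.NET authorization rules; access
         was enforced only by session checks in global.asax, which did not
         cover the PDF/DOC requests.
    <authentication mode="None" />
    <authorization>
      <allow users="*" />
    </authorization>
    -->

    <!-- After: forms authentication issues an encrypted, validated ticket
         cookie once login.aspx has checked the credentials against LDAP. -->
    <authentication mode="Forms">
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/" />
    </authentication>

    <!-- "?" matches anonymous users: any request the runtime handles without
         a valid ticket, including the mapped PDF/DOC files, is redirected
         to loginUrl instead of being served. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

For the ticket to be issued, login.aspx has to call FormsAuthentication.RedirectFromLoginPage (or set the auth cookie itself) after the LDAP check succeeds, in place of writing the session variables.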
 


All times are GMT -4.