473,698 Members | 2,426 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Deny access to htm files

I have a web application using forms authentication and everything seemed to
be working fine, as far as requiring them to login.

But then I noticed that you could type in:
http://domain.com/restrictefolder/test.htm

How do I deny access to a folder full of .htm files that I don't want them
to read unless they have logged in?
Nov 19 '05 #1
7 2370
Hi,

How long are you persisting the cookie for Forms Authentication. The said
url is accessible because within a browser session, the cookie still exist.
Try calling FormsAuthentica tion.Signout() in the initial Page_Load before
you redirect to your login page.

Hope that helps.

Joyjit

"Brian Linden" <br***@ineedadi p.com> wrote in message
news:%2******** **********@TK2M SFTNGP12.phx.gb l...
I have a web application using forms authentication and everything seemed to be working fine, as far as requiring them to login.

But then I noticed that you could type in:
http://domain.com/restrictefolder/test.htm

How do I deny access to a folder full of .htm files that I don't want them
to read unless they have logged in?

Nov 19 '05 #2
Well as Joyjit adviced that should work for you!
Patrick

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Nov 19 '05 #3
My *guess* would be that, because these files are normal, static, html
files, the ASP.NET engine isn't getting anywhere near them.

I wonder what would happen if you add the .htm extension to your IIS
config, to be processed through ASP.NET (you would also need to add a
handler - wonder how Page Handler would react to a plain htm file).

That would be the direction I would look in. Should be a change to IIS
and a change to machine.config.

Nov 19 '05 #4
Brian, I'm reading your question a little differently than Joyit and
Patrick, so I'll comment in case it helps.

If I understand your question, you'd like to know how to ensure that a
request for a .htm file forces a Forms Authentication login in the same way
that a request for a .aspx file does.

When a Url request is processed by IIS, a decision is made regarding who
gets to process it. This is done (rather frustratingly) based on the
extension of the Url.

Files ending in ".aspx" are processed by .NET, while other files like
".gif", ".jpeg", ".html" are processed directly by IIS.

Because Forms Authentication is a .NET feature, requests that bypass .NET
are not covered by the Forms Authentication security scheme.

As usual, there are a number of ways to handle this but the easiest way is
to make a list of all the file types you want protected by Forms
Authentication, and then configure IIS to pass all of these through .NET.

In the IIS Manager;

+ Pick your website
+ Right-click, properties; the property dialog appears
+ Select the "Home Directory" tab
+ Click the "Configurat ion" button; the "Applicatio n Configuration" dialog
appears
+ Select the "Mappings" tab

You'll see a list of Application extensions, with mappings to specific
handlers. For example,

".aspx" is mapped to;
C:\WINDOWS\Micr osoft.NET\Frame work\v1.1.4322\ aspnet_isapi.dl l

Check yours, it will contain the correct path to the aspnet_isapi.dl l, which
is what you want.

Now go to all of the file types you need, such as .htm, .gif, .jpeg, .jpg,
and Edit their mappings to the same value. You may need to Add some entries
for certain file types as well.

Cheers,

/// M


"Brian Linden" <br***@ineedadi p.com> wrote in message
news:#n******** ******@TK2MSFTN GP12.phx.gbl...
I have a web application using forms authentication and everything seemed to be working fine, as far as requiring them to login.

But then I noticed that you could type in:
http://domain.com/restrictefolder/test.htm

How do I deny access to a folder full of .htm files that I don't want them
to read unless they have logged in?

Nov 19 '05 #5
That is exactly what I meant.

Thank you,
That is exactly what I was looking for....BUT...
A .htm file was an example that I thought I could post and take the solution
and apply that
everywhere...bu t the majority of the files that I am trying to protect are
..asp files. And those already have an ISAP filter associated with it.

Can you think of a way to protect those?

"MWells" <outbound__at_s ygnal.com> wrote in message
news:ek******** ********@TK2MSF TNGP09.phx.gbl. ..
Brian, I'm reading your question a little differently than Joyit and
Patrick, so I'll comment in case it helps.

If I understand your question, you'd like to know how to ensure that a
request for a .htm file forces a Forms Authentication login in the same way that a request for a .aspx file does.

When a Url request is processed by IIS, a decision is made regarding who
gets to process it. This is done (rather frustratingly) based on the
extension of the Url.

Files ending in ".aspx" are processed by .NET, while other files like
".gif", ".jpeg", ".html" are processed directly by IIS.

Because Forms Authentication is a .NET feature, requests that bypass .NET
are not covered by the Forms Authentication security scheme.

As usual, there are a number of ways to handle this but the easiest way is
to make a list of all the file types you want protected by Forms
Authentication, and then configure IIS to pass all of these through .NET.

In the IIS Manager;

+ Pick your website
+ Right-click, properties; the property dialog appears
+ Select the "Home Directory" tab
+ Click the "Configurat ion" button; the "Applicatio n Configuration" dialog appears
+ Select the "Mappings" tab

You'll see a list of Application extensions, with mappings to specific
handlers. For example,

".aspx" is mapped to;
C:\WINDOWS\Micr osoft.NET\Frame work\v1.1.4322\ aspnet_isapi.dl l

Check yours, it will contain the correct path to the aspnet_isapi.dl l, which is what you want.

Now go to all of the file types you need, such as .htm, .gif, .jpeg, .jpg,
and Edit their mappings to the same value. You may need to Add some entries for certain file types as well.

Cheers,

/// M


"Brian Linden" <br***@ineedadi p.com> wrote in message
news:#n******** ******@TK2MSFTN GP12.phx.gbl...
I have a web application using forms authentication and everything seemed
to
be working fine, as far as requiring them to login.

But then I noticed that you could type in:
http://domain.com/restrictefolder/test.htm

How do I deny access to a folder full of .htm files that I don't want

them to read unless they have logged in?


Nov 19 '05 #6
Unfortunately I don't; I've never tried mixing classic ASP and ASP.NET to
any meaningful extent. The idea of securing classic ASP using Forms
Authentication is probably a unique case; you might try a new post specific
to that scenario.

/// M

"Brian Linden" <br***@ineedadi p.com> wrote in message
news:O8******** ******@TK2MSFTN GP10.phx.gbl...
That is exactly what I meant.

Thank you,
That is exactly what I was looking for....BUT...
A .htm file was an example that I thought I could post and take the solution and apply that
everywhere...bu t the majority of the files that I am trying to protect are
.asp files. And those already have an ISAP filter associated with it.

Can you think of a way to protect those?

"MWells" <outbound__at_s ygnal.com> wrote in message
news:ek******** ********@TK2MSF TNGP09.phx.gbl. ..
Brian, I'm reading your question a little differently than Joyit and
Patrick, so I'll comment in case it helps.

If I understand your question, you'd like to know how to ensure that a
request for a .htm file forces a Forms Authentication login in the same

way
that a request for a .aspx file does.

When a Url request is processed by IIS, a decision is made regarding who
gets to process it. This is done (rather frustratingly) based on the
extension of the Url.

Files ending in ".aspx" are processed by .NET, while other files like
".gif", ".jpeg", ".html" are processed directly by IIS.

Because Forms Authentication is a .NET feature, requests that bypass ..NET
are not covered by the Forms Authentication security scheme.

As usual, there are a number of ways to handle this but the easiest way is to make a list of all the file types you want protected by Forms
Authentication, and then configure IIS to pass all of these through ..NET.
In the IIS Manager;

+ Pick your website
+ Right-click, properties; the property dialog appears
+ Select the "Home Directory" tab
+ Click the "Configurat ion" button; the "Applicatio n Configuration"

dialog
appears
+ Select the "Mappings" tab

You'll see a list of Application extensions, with mappings to specific
handlers. For example,

".aspx" is mapped to;
C:\WINDOWS\Micr osoft.NET\Frame work\v1.1.4322\ aspnet_isapi.dl l

Check yours, it will contain the correct path to the aspnet_isapi.dl l,

which
is what you want.

Now go to all of the file types you need, such as .htm, .gif, .jpeg, ..jpg, and Edit their mappings to the same value. You may need to Add some

entries
for certain file types as well.

Cheers,

/// M


"Brian Linden" <br***@ineedadi p.com> wrote in message
news:#n******** ******@TK2MSFTN GP12.phx.gbl...
I have a web application using forms authentication and everything

seemed
to
be working fine, as far as requiring them to login.

But then I noticed that you could type in:
http://domain.com/restrictefolder/test.htm

How do I deny access to a folder full of .htm files that I don't want

them to read unless they have logged in?



Nov 19 '05 #7

Original message:
Thank you,
That is exactly what I was looking for....BUT...
A .htm file was an example that I thought I could post and take the
solution and apply that everywhere...
but the majority of the files that I am trying to protect are .asp
files.
And those already have an ISAP filter associated with it.
Can you think of a way to protect those?
--------------------
my response:

In order to protect .asp files on my .net website:
- I coded my login form so it sets a session variable to "True"
- I coded global.asa so it checks this session variable, and transfers
control to the login form if the variable hasn't been set.

Here is the code in my login form:
private void ButtonLogin_Cli ck(object sender, System.EventArg s e)
{
string sUsername = TextUsername.Te xt.ToLower();
string sPassword = TextPassword.Te xt.ToLower();
if (FormsAuthentic ation.Authentic ate(sUsername, sPassword))
{
Session["LoggedIn"] = "True";
FormsAuthentica tion.RedirectFr omLoginPage(
sUsername,
CheckBoxRemembe rMe.Checked);
}
}

Here is the code in global.asa
Sub Session_OnStart
FrontPage_Start Session '==FrontPage Generated==
FrontPage_Conve rtFromODBC '==FrontPage Generated==

if Session("Logged In") = "True" then
exit sub
end if
Session("Logged In") = "False"
dim sLink
sLink = "/members/Login.aspx" _
& "?ReturnUrl =" _
& Request.ServerV ariables("SCRIP T_NAME")
Response.Redire ct sLink
End Sub

If a user starts a session by going directly to a .asp page:
- Session_OnStart in global.asa will be called
- The LoggedIn session variable has not set
- The user will be redirected to the login page
- If the user logs in correctly:
- The LoggedIn session variable will be set to "True"
- The user will be redirected to the .asp page they requested

This seems to be working on my website.
Please exercise caution with this suggestion - this might not be the
best solution.
Your code will vary from this depending on the name and location of
your login page, and the type of forms authentication you use.

Good luck,
Michael Aaronson

--
MichaelAaronson
------------------------------------------------------------------------
Posted via http://www.codecomments.com
------------------------------------------------------------------------

Nov 19 '05 #8

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
1206
by: spike | last post by:
I tried to upload a .htaccess-file to the directory that i wanted to protect. This is what I wrote in it: ------------------------------------------------ <Limit GET> order deny,allow deny from all allow from mydomain.com </Limit>
1
2005
by: Onur Bozkurt | last post by:
How can I deny access to a folder when authorization mode is none. I have xml files and I don't want then to be seen. When I restrict it from IIS, I can't read the files from codebehind.
3
2747
by: david | last post by:
Hi, I have a asp.net site running on an MS Access database this is, for better or worse, stored under the webroot. How can I lockout the database directory to prevent anyone from downloading the mdb file via HTTP?
4
12161
by: Dan | last post by:
hi ng. i have a strange behaviour when i want to control who can access a web application by setting web.config like: <authorization> <allow users="DOMAIN\ACCOUNT,..." /> <deny users="*" /> the authorization is working fine, but the user receives the standard "The page cannot be displayed"
7
3867
by: ABC | last post by:
How can I deny all users directly access image files from images folder?
2
4728
by: psion | last post by:
Hello, I have not found a clear way of doing what I want and resort to posting my question. I have a php file that will link to pdf files from a directory called pdf (within the apache htdocs folder). The way I have it coded now, the address to the pdf shows in the address bar, and a user can modify just the file name to read other files, which is something I don't want. I am trying to deny access to this pdf directory to anyone except...
5
16430
by: profdotnet | last post by:
Below is the code of web.config file: <configuration> <system.web> <authentication mode="Forms" /> <authorization> <allow users="Admin"/> <deny users="Jack,Mary" /> <deny users="?"> </authorization>
0
1139
by: ramakanaveen | last post by:
Hi , I have an applet like <Applet code="x.class" codebase="a.jar,b.jar" ...> The above a.jar and b.jar are in defaultwebapp folder of web application which is a public access folder, so everybody can download the jar files by typing http://url/a.jar. The requirement is not to allow the jar files to download , so i denied access by modifying the <URL-Pattern> in web.xml ,
1
1182
by: Scottmat | last post by:
Hello, How do I control (allow / deny) access to files such as videos. It seems that can be used httphandler but I can not! Someone would have an idea or a concrete example of code ? Thank you
0
8678
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
0
8609
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
9030
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
8899
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
0
7737
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
1
6525
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
4371
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
1
3052
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
2
2333
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.