By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
424,972 Members | 883 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 424,972 IT Pros & Developers. It's quick & easy.

Deny access to htm files

P: n/a
I have a web application using forms authentication and everything seemed to
be working fine, as far as requiring them to login.

But then I noticed that you could type in:
http://domain.com/restrictefolder/test.htm

How do I deny access to a folder full of .htm files that I don't want them
to read unless they have logged in?
Nov 19 '05 #1
Share this Question
Share on Google+
7 Replies


P: n/a
Hi,

How long are you persisting the cookie for Forms Authentication. The said
url is accessible because within a browser session, the cookie still exist.
Try calling FormsAuthentication.Signout() in the initial Page_Load before
you redirect to your login page.

Hope that helps.

Joyjit

"Brian Linden" <br***@ineedadip.com> wrote in message
news:%2******************@TK2MSFTNGP12.phx.gbl...
I have a web application using forms authentication and everything seemed to be working fine, as far as requiring them to login.

But then I noticed that you could type in:
http://domain.com/restrictefolder/test.htm

How do I deny access to a folder full of .htm files that I don't want them
to read unless they have logged in?

Nov 19 '05 #2

P: n/a
Well as Joyjit adviced that should work for you!
Patrick

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Nov 19 '05 #3

P: n/a
My *guess* would be that, because these files are normal, static, html
files, the ASP.NET engine isn't getting anywhere near them.

I wonder what would happen if you add the .htm extension to your IIS
config, to be processed through ASP.NET (you would also need to add a
handler - wonder how Page Handler would react to a plain htm file).

That would be the direction I would look in. Should be a change to IIS
and a change to machine.config.

Nov 19 '05 #4

P: n/a
Brian, I'm reading your question a little differently than Joyit and
Patrick, so I'll comment in case it helps.

If I understand your question, you'd like to know how to ensure that a
request for a .htm file forces a Forms Authentication login in the same way
that a request for a .aspx file does.

When a Url request is processed by IIS, a decision is made regarding who
gets to process it. This is done (rather frustratingly) based on the
extension of the Url.

Files ending in ".aspx" are processed by .NET, while other files like
".gif", ".jpeg", ".html" are processed directly by IIS.

Because Forms Authentication is a .NET feature, requests that bypass .NET
are not covered by the Forms Authentication security scheme.

As usual, there are a number of ways to handle this but the easiest way is
to make a list of all the file types you want protected by Forms
Authentication, and then configure IIS to pass all of these through .NET.

In the IIS Manager;

+ Pick your website
+ Right-click, properties; the property dialog appears
+ Select the "Home Directory" tab
+ Click the "Configuration" button; the "Application Configuration" dialog
appears
+ Select the "Mappings" tab

You'll see a list of Application extensions, with mappings to specific
handlers. For example,

".aspx" is mapped to;
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspne t_isapi.dll

Check yours, it will contain the correct path to the aspnet_isapi.dll, which
is what you want.

Now go to all of the file types you need, such as .htm, .gif, .jpeg, .jpg,
and Edit their mappings to the same value. You may need to Add some entries
for certain file types as well.

Cheers,

/// M


"Brian Linden" <br***@ineedadip.com> wrote in message
news:#n**************@TK2MSFTNGP12.phx.gbl...
I have a web application using forms authentication and everything seemed to be working fine, as far as requiring them to login.

But then I noticed that you could type in:
http://domain.com/restrictefolder/test.htm

How do I deny access to a folder full of .htm files that I don't want them
to read unless they have logged in?

Nov 19 '05 #5

P: n/a
That is exactly what I meant.

Thank you,
That is exactly what I was looking for....BUT...
A .htm file was an example that I thought I could post and take the solution
and apply that
everywhere...but the majority of the files that I am trying to protect are
..asp files. And those already have an ISAP filter associated with it.

Can you think of a way to protect those?

"MWells" <outbound__at_sygnal.com> wrote in message
news:ek****************@TK2MSFTNGP09.phx.gbl...
Brian, I'm reading your question a little differently than Joyit and
Patrick, so I'll comment in case it helps.

If I understand your question, you'd like to know how to ensure that a
request for a .htm file forces a Forms Authentication login in the same way that a request for a .aspx file does.

When a Url request is processed by IIS, a decision is made regarding who
gets to process it. This is done (rather frustratingly) based on the
extension of the Url.

Files ending in ".aspx" are processed by .NET, while other files like
".gif", ".jpeg", ".html" are processed directly by IIS.

Because Forms Authentication is a .NET feature, requests that bypass .NET
are not covered by the Forms Authentication security scheme.

As usual, there are a number of ways to handle this but the easiest way is
to make a list of all the file types you want protected by Forms
Authentication, and then configure IIS to pass all of these through .NET.

In the IIS Manager;

+ Pick your website
+ Right-click, properties; the property dialog appears
+ Select the "Home Directory" tab
+ Click the "Configuration" button; the "Application Configuration" dialog appears
+ Select the "Mappings" tab

You'll see a list of Application extensions, with mappings to specific
handlers. For example,

".aspx" is mapped to;
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspne t_isapi.dll

Check yours, it will contain the correct path to the aspnet_isapi.dll, which is what you want.

Now go to all of the file types you need, such as .htm, .gif, .jpeg, .jpg,
and Edit their mappings to the same value. You may need to Add some entries for certain file types as well.

Cheers,

/// M


"Brian Linden" <br***@ineedadip.com> wrote in message
news:#n**************@TK2MSFTNGP12.phx.gbl...
I have a web application using forms authentication and everything seemed
to
be working fine, as far as requiring them to login.

But then I noticed that you could type in:
http://domain.com/restrictefolder/test.htm

How do I deny access to a folder full of .htm files that I don't want

them to read unless they have logged in?


Nov 19 '05 #6

P: n/a
Unfortunately I don't; I've never tried mixing classic ASP and ASP.NET to
any meaningful extent. The idea of securing classic ASP using Forms
Authentication is probably a unique case; you might try a new post specific
to that scenario.

/// M

"Brian Linden" <br***@ineedadip.com> wrote in message
news:O8**************@TK2MSFTNGP10.phx.gbl...
That is exactly what I meant.

Thank you,
That is exactly what I was looking for....BUT...
A .htm file was an example that I thought I could post and take the solution and apply that
everywhere...but the majority of the files that I am trying to protect are
.asp files. And those already have an ISAP filter associated with it.

Can you think of a way to protect those?

"MWells" <outbound__at_sygnal.com> wrote in message
news:ek****************@TK2MSFTNGP09.phx.gbl...
Brian, I'm reading your question a little differently than Joyit and
Patrick, so I'll comment in case it helps.

If I understand your question, you'd like to know how to ensure that a
request for a .htm file forces a Forms Authentication login in the same

way
that a request for a .aspx file does.

When a Url request is processed by IIS, a decision is made regarding who
gets to process it. This is done (rather frustratingly) based on the
extension of the Url.

Files ending in ".aspx" are processed by .NET, while other files like
".gif", ".jpeg", ".html" are processed directly by IIS.

Because Forms Authentication is a .NET feature, requests that bypass ..NET
are not covered by the Forms Authentication security scheme.

As usual, there are a number of ways to handle this but the easiest way is to make a list of all the file types you want protected by Forms
Authentication, and then configure IIS to pass all of these through ..NET.
In the IIS Manager;

+ Pick your website
+ Right-click, properties; the property dialog appears
+ Select the "Home Directory" tab
+ Click the "Configuration" button; the "Application Configuration"

dialog
appears
+ Select the "Mappings" tab

You'll see a list of Application extensions, with mappings to specific
handlers. For example,

".aspx" is mapped to;
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspne t_isapi.dll

Check yours, it will contain the correct path to the aspnet_isapi.dll,

which
is what you want.

Now go to all of the file types you need, such as .htm, .gif, .jpeg, ..jpg, and Edit their mappings to the same value. You may need to Add some

entries
for certain file types as well.

Cheers,

/// M


"Brian Linden" <br***@ineedadip.com> wrote in message
news:#n**************@TK2MSFTNGP12.phx.gbl...
I have a web application using forms authentication and everything

seemed
to
be working fine, as far as requiring them to login.

But then I noticed that you could type in:
http://domain.com/restrictefolder/test.htm

How do I deny access to a folder full of .htm files that I don't want

them to read unless they have logged in?



Nov 19 '05 #7

P: n/a

Original message:
Thank you,
That is exactly what I was looking for....BUT...
A .htm file was an example that I thought I could post and take the
solution and apply that everywhere...
but the majority of the files that I am trying to protect are .asp
files.
And those already have an ISAP filter associated with it.
Can you think of a way to protect those?
--------------------
my response:

In order to protect .asp files on my .net website:
- I coded my login form so it sets a session variable to "True"
- I coded global.asa so it checks this session variable, and transfers
control to the login form if the variable hasn't been set.

Here is the code in my login form:
private void ButtonLogin_Click(object sender, System.EventArgs e)
{
string sUsername = TextUsername.Text.ToLower();
string sPassword = TextPassword.Text.ToLower();
if (FormsAuthentication.Authenticate(sUsername, sPassword))
{
Session["LoggedIn"] = "True";
FormsAuthentication.RedirectFromLoginPage(
sUsername,
CheckBoxRememberMe.Checked);
}
}

Here is the code in global.asa
Sub Session_OnStart
FrontPage_StartSession '==FrontPage Generated==
FrontPage_ConvertFromODBC '==FrontPage Generated==

if Session("LoggedIn") = "True" then
exit sub
end if
Session("LoggedIn") = "False"
dim sLink
sLink = "/members/Login.aspx" _
& "?ReturnUrl=" _
& Request.ServerVariables("SCRIPT_NAME")
Response.Redirect sLink
End Sub

If a user starts a session by going directly to a .asp page:
- Session_OnStart in global.asa will be called
- The LoggedIn session variable has not set
- The user will be redirected to the login page
- If the user logs in correctly:
- The LoggedIn session variable will be set to "True"
- The user will be redirected to the .asp page they requested

This seems to be working on my website.
Please exercise caution with this suggestion - this might not be the
best solution.
Your code will vary from this depending on the name and location of
your login page, and the type of forms authentication you use.

Good luck,
Michael Aaronson

--
MichaelAaronson
------------------------------------------------------------------------
Posted via http://www.codecomments.com
------------------------------------------------------------------------

Nov 19 '05 #8

This discussion thread is closed

Replies have been disabled for this discussion.