By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
457,953 Members | 1,562 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 457,953 IT Pros & Developers. It's quick & easy.

Custom html-protection of HTML-files

P: n/a
Hi

I face this challenge:

An existing site with 50000+ html-files needs to be protected by a custom
login-system which has two goals:

1. Protect HTML-content (authentication required)
2. If the same username is used by two persons at the same time, they have
to be logged out (when a login is used, other users currently logged in
using the same login need to be logged out).

It is not an option to modify the html-files.

I enabled forms authentication, and created login-code. This works great. I
also made sure asp.net processes html-files, so unauthenticated users are
sent to the login-screen. So far so good.

As for goal two, logging people using same login out, it's a bit more
challenging.

When a user (User A) logs in, I give the user a custom session-id, which I
store in the database and in a session-variable. If a new user logs in using
the same credentials (User B) , the session of the User A expires in the
database. The next time User A requests a page, I need to log User A out.

I have managed to get that working for .aspx-files using global.asax and the
Application_PreRequestHandlerExecute-sub (context.session is not available
in Application_BeginRequest). I use the section to check in a db if the
session is still valid - and if not I redirect to the login-page.

This section Application_PreRequestHandlerExecute also fires for a user who
requests a html-file, but the context.session object is not available. I get
an error that Context.session is nothing. It is however available when the
user requests a .aspx-file. That means I can't get a hold of the
session-variable I need, in order to check the users status in the db (if
the session is still valid).

How can I work around this? Other ideas are also welcome.

I know this is a bit complicated to explain, I hope I managed to get the
message through. :)
Thanks in advance

- Klaus
Oct 27 '06 #1
Share this Question
Share on Google+
1 Reply


P: n/a
number 1 is easy, iis will doit or if you want forms authenication map file
to asp.net.

number 2 is difficult unless you control the infrastructure (say its a local
lan). if you will allow the user only one browser session at time (they can
not open your site with two browser windows n the same computer), then you
can tie a session cookie to a login.

-- bruce (sqlwork.com)

"Klaus Jensen" <sp******@burninhell.comwrote in message
news:eb****************@TK2MSFTNGP05.phx.gbl...
Hi

I face this challenge:

An existing site with 50000+ html-files needs to be protected by a custom
login-system which has two goals:

1. Protect HTML-content (authentication required)
2. If the same username is used by two persons at the same time, they have
to be logged out (when a login is used, other users currently logged in
using the same login need to be logged out).

It is not an option to modify the html-files.

I enabled forms authentication, and created login-code. This works great.
I also made sure asp.net processes html-files, so unauthenticated users
are sent to the login-screen. So far so good.

As for goal two, logging people using same login out, it's a bit more
challenging.

When a user (User A) logs in, I give the user a custom session-id, which I
store in the database and in a session-variable. If a new user logs in
using the same credentials (User B) , the session of the User A expires in
the database. The next time User A requests a page, I need to log User A
out.

I have managed to get that working for .aspx-files using global.asax and
the Application_PreRequestHandlerExecute-sub (context.session is not
available in Application_BeginRequest). I use the section to check in a db
if the session is still valid - and if not I redirect to the login-page.

This section Application_PreRequestHandlerExecute also fires for a user
who requests a html-file, but the context.session object is not available.
I get an error that Context.session is nothing. It is however available
when the user requests a .aspx-file. That means I can't get a hold of the
session-variable I need, in order to check the users status in the db (if
the session is still valid).

How can I work around this? Other ideas are also welcome.

I know this is a bit complicated to explain, I hope I managed to get the
message through. :)
Thanks in advance

- Klaus

Oct 27 '06 #2

This discussion thread is closed

Replies have been disabled for this discussion.