Bytes | Developer Community
Help me with Login and user roles please.

This is a simplified version of my site.

There are Premium users who have access to the Premium directory.
Anyone else attempting to access it should be logged and then
redirected to the Premium.aspx - which explains the advantages of
being a Premium member and provides examples of content.

The default page for site visitors is "News/Default.aspx" but only
those with cookies set should go there otherwise visitors need to
login to access the important pages in the site (everything else apart
from the error pages and Premium.aspx).

Every single site visitor needs to be recorded. Browser agent and IP
address are logged for everyone.
Q1: When a user first arrives at the site, where is the best place to
determine whether they are a valid user? Is this best done in
Session_Start()?

Q2: If a user bookmarks a page I want them to go directly to it next
time (provided they are in a suitable role). How does ASP.NET know
when to bypass the Login page (presumably it gets the cookie and
checks the user roles)?

Q3: Following on from Q2, how does ASP.NET know when to go to the
defaultUrl? Where is the logic done for that and what about the
ReturnUrl - if there is one?

Q4: At what stage does all this security checking take place and if I,
as web-site author, want to interrupt it where do I interrupt it?

Q5: Is there a routine in Global.asax that allows one to override the
system security and if not so then why not so?

Q6: Is the detail regarding the ASP.NET roles and security explained
anywhere (I do mean in detail)? Following on from that, I'm not
really interested in tutorials telling one how to set up security -
I'm interested in how it works and what I can do about it when it
doesn't work as I intend.

Q7: What is the best way of debugging these problems? Setting a
breakpoint followed by start debugging is useless because by the time
the page loads the security system has already bypassed the page which
I have bookmarked - which is neither loginUrl nor defaultUrl. For
instance when the user has a url bookmarked, for some annoying reason
the security system decides that the user should go to the defaultUrl
- how would I change that and debug what was going on?
<system.web>

<authentication mode="Forms">
<forms name="myWebSite" loginUrl="Login.aspx" defaultUrl="News/Default.aspx" protection="All" cookieless="AutoDetect"/>
</authentication>

<sessionState mode="InProc"
stateConnectionString="tcpip=127.0.0.1:42424" cookieless="false"
timeout="5"/>

</system.web>

<location path="Premium">
<system.web>
<authorization>
<allow roles="Premium"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

<location path="Premium.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

Apr 19 '07 #1
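Q1, Q4, Q5 and Q7 all come down to which HttpApplication events the two security modules use: FormsAuthenticationModule decrypts the ticket during AuthenticateRequest, UrlAuthorizationModule evaluates the <authorization> rules during AuthorizeRequest against whatever principal is in Context.User at that time, and a 401 left behind by authorization is rewritten into a 302 to loginUrl with ReturnUrl appended before the response leaves. Global.asax can hook the same events. The Global.asax.cs below is an added example, not code from the thread; it assumes the login page has stored the user's roles in the ticket's UserData field as a comma-separated list (roles are not read from the database on each request) and that a trace listener is configured as the log sink.

```csharp
// Global.asax.cs -- added example, not the poster's or the thread's code.
// Assumption: roles were written into the ticket's UserData at login time as a
// comma-separated list, so nothing here touches the database.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Q1: fires for every request, including the very first hit from a browser
    // that has no cookie at all, and before authentication runs. Session_Start
    // fires once per session and only when a session is actually established,
    // so it would under-count and would run after the security modules anyway.
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        Log(string.Format("{0:o} ip={1} ua=\"{2}\" url={3}",
            DateTime.UtcNow,
            Request.UserHostAddress,      // behind a proxy, apply your own X-Forwarded-For policy
            Request.UserAgent ?? "-",
            Request.RawUrl));
    }

    // Q2/Q4/Q5: at this event FormsAuthenticationModule has already decrypted the
    // cookie and set Context.User to a FormsIdentity that carries no roles.
    // UrlAuthorizationModule runs later (AuthorizeRequest) and tests
    // <allow roles="Premium"/> against whatever principal is in Context.User, so
    // this is the hook in which to attach roles from the site's own tables.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated) return;

        FormsIdentity fid = user.Identity as FormsIdentity;
        if (fid == null) return;

        string data = fid.Ticket.UserData ?? string.Empty;
        string[] roles = data.Length == 0
            ? new string[0]
            : data.Split(new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);

        Context.User = new GenericPrincipal(fid, roles);
    }

    // Q3/Q7: the place for a breakpoint. An authorization failure leaves a 401 that
    // FormsAuthenticationModule rewrites into a 302 to loginUrl?ReturnUrl=<path>;
    // logging the status and Location here shows that decision before the
    // bookmarked page could ever load. Whether the user then ends up on ReturnUrl
    // or on defaultUrl is decided by the login page, not by the pipeline.
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        if (Response.StatusCode != 401 && Response.StatusCode != 302) return;
        Log(string.Format("{0} user={1} status={2} location={3}",
            Request.RawUrl,
            Request.IsAuthenticated ? Context.User.Identity.Name : "(anonymous)",
            Response.StatusCode,
            Response.RedirectLocation ?? "-"));
    }

    private static void Log(string line)
    {
        // Assumption: a trace listener (file or EventLog) is configured in web.config.
        System.Diagnostics.Trace.WriteLine(line);
    }
}
```

Two things worth checking in the posted web.config while debugging this. There is no `<authorization><deny users="?"/></authorization>` at the `<system.web>` level, so as posted only the Premium directory forces a login; the "everything else needs a login" requirement is not enforced by that configuration, and the per-page `<allow users="*"/>` blocks only make sense once such a root-level deny exists. And `cookieless="AutoDetect"` lets the ticket travel in the URL for clients that refuse cookies: `protection="All"` keeps it encrypted and signed, but it then ends up in bookmarks, referers and log files. `cookieless="UseCookies"` with `requireSSL="true"`, plus `<httpCookies httpOnlyCookies="true"/>`, is the conservative setting.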
Well, as I've said many times before on here, we use forms authentication
with attributes that ensure that users are both logged in and in the correct
role to carry out the action they are attempting. It works well for us, and
means we can get what we want with minimal coding. In fact all our code is
pretty much the standard code you will see if you look up Forms
Authentication on msdn.

If I wanted to keep a site secure, I wouldn't rely on cookies at the expense
of getting users to authenticate. I'd want a new authentication for every
new session.

Just my 2c. YMMV.
Peter
"mark4asp" <ma******@gmail.com> wrote in message
news:11**********************@p77g2000hsh.googlegroups.com...

Apr 19 '07 #2
On 19 Apr, 16:12, "Peter Bradley" <pbrad...@uwic.ac.uk> wrote:
I suppose I should have said that I AM using forms authentication -
although you could have read as much from the snippet of web.config
which I gave.

The problem is that I'm only using some of it. The database already
exists. There's a member_group and member table in it. There are a
total of 8 roles for users and one of these roles is not stored in the
member table but in the member_group table. Some of these roles
depend upon combinations of column values from the tables.
Fortunately a member can only be in one member_group! - thank god for
small mercies.

As such there are major portions of the forms authentication
framework such as Membership which I can't use.

Anyhow, I found some helpful articles:

http://msdn2.microsoft.com/en-us/library/aa480476.aspx

http://msdn2.microsoft.com/en-us/library/ms978378.aspx

Anyhow there's a diagram in the first of these URLs which indicates
that it all happens in the LoginUrl (Figure 1 - Forms Authentication
Control Flow) which I guess is what I needed to know.
Apr 19 '07 #3
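The control-flow diagram the last post refers to is right that the login URL is where the remaining decisions are made: ReturnUrl is consumed there, defaultUrl is the fallback there, and a user who arrives there already authenticated has failed authorization, not authentication. Membership is not needed for any of that; the page can check credentials against the existing member and member_group tables itself and put the derived roles into the forms ticket. The Login.aspx.cs below is an added example, not the poster's code: MEMBERS and its columns (GroupName, PremiumUntil, Salt, Hash) are constructed in-memory stand-ins for the two tables, the two sample users are made up, and DeriveRoles is only illustrative of "roles that depend on combinations of column values".

```csharp
// Login.aspx.cs -- added example, not the poster's code. MEMBERS and its column
// names are constructed stand-ins for the site's member / member_group tables.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Login : Page
{
    protected TextBox UserName, Password;   // controls declared in Login.aspx markup (assumption)
    protected Label Message;

    // One row per member, joined with its single member_group; constructed columns.
    sealed class MemberRow { public string GroupName; public DateTime PremiumUntil; public byte[] Salt, Hash; }
    static readonly Dictionary<string, MemberRow> MEMBERS = new Dictionary<string, MemberRow>();

    static Login()
    {
        MEMBERS["alice"] = Row("Editors", new DateTime(2099, 1, 1), "correct horse"); // current Premium
        MEMBERS["bob"]   = Row("Readers", DateTime.MinValue, "hunter2");              // never paid
    }

    static MemberRow Row(string group, DateTime until, string password)
    {
        MemberRow r = new MemberRow();
        r.GroupName = group; r.PremiumUntil = until;
        new RNGCryptoServiceProvider().GetBytes(r.Salt = new byte[16]);
        r.Hash = HashPassword(r.Salt, password);
        return r;
    }

    static byte[] HashPassword(byte[] salt, string password)   // SHA-256(salt || NUL || password)
    {
        byte[] input = Encoding.UTF8.GetBytes(Convert.ToBase64String(salt) + "\0" + password);
        using (SHA256 sha = SHA256.Create()) return sha.ComputeHash(input);
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)   // no early exit on the first differing byte
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Roles are a function of columns from both tables: the group name is a role of
    // its own, and "Premium" applies only while the subscription is current.
    static string[] DeriveRoles(MemberRow m)
    {
        return m.PremiumUntil > DateTime.UtcNow
            ? new string[] { m.GroupName, "Premium" }
            : new string[] { m.GroupName };
    }

    // Only app-relative paths are acceptable destinations; http://evil, //evil and
    // /\evil would make ReturnUrl an open redirect, so they fall back to defaultUrl.
    static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url.StartsWith("~/")) return true;
        return url.Length > 1 && url[0] == '/' && url[1] != '/' && url[1] != '\\';
    }

    // Q3: the pipeline put the originally requested path into ReturnUrl when it
    // bounced the request here; without a (valid) ReturnUrl the answer is defaultUrl.
    string Destination()
    {
        string returnUrl = Request.QueryString["ReturnUrl"];
        return IsLocalUrl(returnUrl) ? returnUrl : FormsAuthentication.DefaultUrl;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack || !Request.IsAuthenticated) return;
        // Already authenticated yet sent to loginUrl: authorization failed (not in a
        // role the location allows). Logging in again cannot fix that, so show the
        // Premium pitch, or go home, rather than loop back to the denied page.
        string premiumDir = VirtualPathUtility.ToAbsolute("~/Premium/");
        bool wantedPremium = Destination().StartsWith(premiumDir, StringComparison.OrdinalIgnoreCase);
        Response.Redirect(wantedPremium ? "~/Premium.aspx" : FormsAuthentication.DefaultUrl);
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string name = UserName.Text.Trim();
        MemberRow m;
        if (!MEMBERS.TryGetValue(name, out m) || !FixedTimeEquals(m.Hash, HashPassword(m.Salt, Password.Text)))
        {
            Message.Text = "Invalid user name or password.";   // same text for unknown user and bad password
            return;
        }
        // Q2: the roles travel inside the encrypted and signed ticket (protection="All"),
        // so later requests are authorized from the cookie alone; they refresh at next login.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, name, DateTime.Now, DateTime.Now.AddMinutes(30), false,
            string.Join(",", DeriveRoles(m)), FormsAuthentication.FormsCookiePath);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        Response.Cookies.Add(cookie);
        Response.Redirect(Destination());
    }
}
```

FormsAuthentication.RedirectFromLoginPage would set the cookie and choose between ReturnUrl and defaultUrl in one call, but it writes an empty UserData and, on the .NET 2.0 builds of the day, did not reject absolute ReturnUrl values; building the ticket by hand keeps the roles in the cookie and keeps the redirect check under the page's control. Because the roles are baked into the ticket, a role change (a lapsed Premium subscription, say) takes effect only when the user next logs in or when the ticket expires, which is the trade-off for not hitting the database on every request.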
