This is a simplified version of my site.
There are Premium users who have access to the Premium directory.
Anyone else attempting to access it should be logged and then
redirected to the Premium.aspx - which explains the advantages of
being a Premium member and provides examples of content.
The default page for site visitors is "News/Default.aspx" but only
those with cookies set should go there otherwise visitors need to
login to access the important pages in the site (everything else apart
from the error pages and Premium.aspx).
Every single site visitor needs to be recorded. Browser agent, IP-
address are logged for everyone.
Q1: When a user first arrives at the site, where is the best place to
determine whether they are a valid user? Is this best done in
Session_Start()?
Q2: If a user bookmarks a page I want them to go directly to it next
time (provided they are in a suitable role). How does ASP.NET know
when to bypass the Login page (presumably it gets the cookie and
checks the user roles)?
Q3: Following on from Q2, how does ASP.NET know when to go to the
defaultUrl? Where is the logic done for that and what about the
ReturnUrl - if there is one?
Q4: At what stage does all this security checking take place and if I,
as web-site author, want to interrupt it where do I interrupt it?
Q5: Is there a routine in Global.asax that allows one to override the
system security and if not so then why not so?
Q6: Is the detail regarding the ASP.NET roles and security explained
anywhere (I do mean in detail)? Following on from that, I'm not
really interested in tutorials telling one how to set up security -
I'm interested in how it works and what I can do about it when it
doesn't work as I intend.
Q7: What is the best way of debugging these problems? Setting a
breakpoint followed by start debugging is useless because by the time
the page loads the security sytem has already by-passed the page which
I have bookmarked - which is niether loginUrl nor defaultUrl. For
instance when the user has a url book-marked, for some annoying reason
the security system decides that the user should go to the defaultUrl
- how would I change that and debug what was going on?
<system.web>
<authentication mode="Forms">
<forms name="myWebSite" loginUrl="Login.aspx" defaultUrl="News/
Default.aspx" protection="All" cookieless="AutoDetect"/>
</authentication>
<sessionState mode="InProc"
stateConnectionString="tcpip=127.0.0.1:42424" cookieless="false"
timeout="5"/>
</system.web>
<location path="Premium">
<system.web>
<authorization>
<allow roles="Premium"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Premium.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
