Background:
I want to be able to authenticate users whose usernames & passwords are
stored in a SQL database.
I only want certain pages to require authentication.
I have tried to implement this by creating the following class
public class SecuredPage : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
if (!User.Identity.IsAuthenticated)
Response.Redirect("./Login.aspx");
}
}
I then have all of the pages that I want to be secured inherit the
SecuredPage class.
Problem:
User.Identity.IsAuthenticated refers to the local windows account of the
user accessing the page.
I can write a function that verifies the identity of a user by going out and
checking the database, but I don't want this to happen everytime the page
loads.
I am thinking that I could use session state to store the current user's
credentials once first obtained, and check the session variables first before
going out to SQL for authentication.
Question:
Am I correct in assuming that "Forms Authentication" is applied sitewide?
Would I have to create child web applications to isolate the pages I want
secured? If this is the case, and I'm not interested in either requiring
sitewide authentication or creating child web applications to implement
security, what do you think about the following ideas?
Could I store a boolean value in session state once a user has been
authenticated so that I can reference that on Page_Loads as opposed to
quering SQL? Would that make it too easy for a hacker to get into my site?
As an alternative, is it safe to store an encrypted username and password in
session state after initial authentication? Are there any security concerns
in doing this?
Are the meathods I'm considering "Forms Authentication"?
What is the "best practice" implementation for the authentication I'm trying
to achieve?
Thanks in advance for your help!
Paul Daly
