ASP.NET 2.0
I have an unusual situation dealing with forms authentication,
not doubt brought on by how I have structured the application.
The setup:
Users enter the site from one of several pages, A,B,C, etc.
These pages allow all users. In theses pages I setup site
customizing session variables then redirect users to a common
home page.
The home page is protected by deny anonymous users, so users
are sent to a login page to be authenticated. Authentication
is based on how they entered the site, A,B,C.
I set things up this way so I can use a common login page,
but that page is customized based on how the user entered the
site: A,B,C. (different logo, text, etc.).
The problem:
Let's say a user entered on page 'A', gets authenticated and
is sitting on the home page. Then they edit the browser URL
to navigate to page 'B'. (the user should not do this, but
users do all sorts of thing they shouldn't do).
Well, since the user is already authenticated the login screen
is by-passed. Additionally, since the home page is already
loaded in their browser, the home Page_Load event is not fired.
This results in Page A authentication but Page B session
variables - a big mess
To solve this problem I want to un-authenticate the user in
the page_load event of the entry pages (A,B,C..), but removing
the ASPXAUTH cookie does not seems to unauthenticate the user
as the login page is not displayed for some reason, but it does
force the home page_load event, so this is half correct - but
still no good.
I tried setting the web.config to allow anonymous, deny all on
the entry pages (A,B,C), and this works upon normal entry, but
when the user navigates there after authorization they can't
get past the login screen, because once they are authorized
they are denied access to the requested entry page and sent
back to the login page - and endless loop.
I did come up with something that works: I check for the
..ASPXAUTH cookie on the entry page and if it is present I
send the user to an error page.
To improve on this I keep a session variable "LastValidPage" ,
and if the user enters the site while authenticated (the
cookie is present) I simply redirect them to this page, so
from the users standpoint nothing has happened.
My question is - is there a better way?
I thought of having each entry page actually be a customized
login page (but I like the idea of having a single login page).
I'm not sure how this would work, the home page would deny
anonymous, so the system would want to redirect to a
login.aspx page - I suppose I could have the login.aspx page
display an error message instead of presenting a login. If
the user tried to access the home page directly they would
get the login error page. Then if the user changed to a
different entry page mid-site, they would need to login based
on that page's criteria and everything could be kept straight.
Thoughts or comments?
Thanks.
kpg
3  1447 
"kpg" <no@spam.comwro te in message
news:Xn******** *************** ********@207.46 .248.16...
ASP.NET 2.0
I have an unusual situation dealing with forms authentication,
not doubt brought on by how I have structured the application.
The setup:
Users enter the site from one of several pages, A,B,C, etc.
These pages allow all users. In theses pages I setup site
customizing session variables then redirect users to a common
home page.
>
The home page is protected by deny anonymous users, so users
are sent to a login page to be authenticated. Authentication
is based on how they entered the site, A,B,C.
I set things up this way so I can use a common login page,
but that page is customized based on how the user entered the
site: A,B,C. (different logo, text, etc.).
The problem:
Let's say a user entered on page 'A', gets authenticated and
is sitting on the home page. Then they edit the browser URL
to navigate to page 'B'. (the user should not do this, but
users do all sorts of thing they shouldn't do).
Well, since the user is already authenticated the login screen
is by-passed. Additionally, since the home page is already
loaded in their browser, the home Page_Load event is not fired.
This results in Page A authentication but Page B session
variables - a big mess
http://www.devcity.net/PrintArticle.aspx?ArticleID=47
>
Thoughts or comments?
Why don't you pass an encrypted key between the Web pages? If the URL has
the encrypted key, then you proceed because your program supplied the
correct key in the URL, otherwise, you stop them or redirect them to a *I
got to slap you in the face for this* page.
"Mr. Arnold" <MR. Ar****@Arnold.c omwrote in
news:u6******** ******@TK2MSFTN GP02.phx.gbl:
Why don't you pass an encrypted key between the Web pages? If the URL
has the encrypted key, then you proceed because your program supplied
the correct key in the URL, otherwise, you stop them or redirect them
to a *I got to slap you in the face for this* page.
So you suggest I handle the authentication myself? I like the way you
think. I was 'trying' to do things the 'right way', by that I mean
using the login control and web.config settings, but like in so many
other areas I find that doing it myself is better.
So without the sekrit key I deny access and redirect to an error page,
other than that, all pages are allow anonymous.
I tried my multi-login page technique (which the sekrit key technique
will also use) but with forms authentication even if I authenticate the
user I get sent to the login.aspx page <sigh>. I'm sure there's some
config file I can edit to change that, but I still have the issue that
I will have multiple login pages (as I have found this works out better
for several other unrelated reasons).
So yes, I like your idea - thanks.
kpg
"kpg" <no@spam.comwro te in message
news:Xn******** *************** *******@207.46. 248.16...
"Mr. Arnold" <MR. Ar****@Arnold.c omwrote in
news:u6******** ******@TK2MSFTN GP02.phx.gbl:
>Why don't you pass an encrypted key between the Web pages? If the URL
has the encrypted key, then you proceed because your program supplied
the correct key in the URL, otherwise, you stop them or redirect them
to a *I got to slap you in the face for this* page.
So you suggest I handle the authentication myself? I like the way you
think. I was 'trying' to do things the 'right way', by that I mean
using the login control and web.config settings, but like in so many
other areas I find that doing it myself is better.
So without the sekrit key I deny access and redirect to an error page,
other than that, all pages are allow anonymous.
If the solution is to be used by the public or not, it's a means of stopping
them from going where they want, by entering the URL and going there. You
should still keep secuirty in mind, and if a login provides that, then you
should implement that as well.
>
I tried my multi-login page technique (which the sekrit key technique
will also use) but with forms authentication even if I authenticate the
user I get sent to the login.aspx page <sigh>. I'm sure there's some
config file I can edit to change that, but I still have the issue that
I will have multiple login pages (as I have found this works out better
for several other unrelated reasons).
So yes, I like your idea - thanks.
I got that from MCTS 70-528 where they were talking about Encrypting the
QueryString.
Sometimes, one has to think out side the box. And nothing is the wrong way
if it works for you. This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Jim Jewett |
last post by:
Normally, I expect a subclass to act in a manner consistent
with its Base classes. In particular, I don't expect to
*lose* any functionality, unless that was the whole point of
the subclass. (e.g., a security-restricted version, or an
interface implementation that doesn't require a filesystem.)
One (common?) exception seems to occur in initialization. I
understand stripping out arguments that your subclass explicitly
handles or...
|
by: Marc |
last post by:
Hi all,
I was using Tkinter.IntVar() to store values from a large list of
parts that I pulled from a list. This is the code to initialize the
instances:
def initVariables(self):
self.e = IntVar()
for part, list in info.masterList.items():
|
by: aurora |
last post by:
This may sound a little crazy. I capture the output of one class by
redirecting the sys.stdout. However the is another threading running at
the same time and occasionaly it output some messages to the redirected
sys.stdout irreleveant to the output I want to capture. Is there a way to
redirect output specific to some threads?
aurora
|
by: Ralf W. Grosse-Kunstleve |
last post by:
******************************************************************************
This posting is also available in HTML format:
http://cci.lbl.gov/~rwgk/python/adopt_init_args_2005_07_02.html
******************************************************************************
Hi fellow Python coders,
I often find myself writing::
class grouping:
|
by: Ralf W. Grosse-Kunstleve |
last post by:
My initial proposal
(http://cci.lbl.gov/~rwgk/python/adopt_init_args_2005_07_02.html) didn't
exactly get a warm welcome...
And Now for Something Completely Different:
class autoinit(object):
def __init__(self, *args, **keyword_args):
self.__dict__.update(
| | |
by: Wayne Sutton |
last post by:
OK, I'm a newbie...
I'm trying to learn Python & have had fun with it so far. But I'm having
trouble following the many code examples with the object "self." Can
someone explain this usage in plain english?
Thanks,
Wayne
|
by: Andrew Robert |
last post by:
Hi Everyone,
I am having a problem with a class and hope you can help.
When I try to use the class listed below, I get the statement that self
is not defined.
test=TriggerMessage(data)
var = test.decode(self.qname)
|
by: Peter Maas |
last post by:
The Python FAQ 1.4.5 gives 3 reasons for explicit self (condensed version):
1. Instance variables can be easily distinguished from local variables.
2. A method from a particular class can be called as
baseclass.methodname(self, <argument list>).
3. No need for declarations to disambiguate assignments to local/instance
variables.
|
by: braver |
last post by:
Is there any trick to get rid of having to type the annoying,
character-eating "self." prefix everywhere in a class? Sometimes I
avoid OO just not to deal with its verbosity. In fact, I try to use
Ruby anywhere speed is not crucial especially for @ prefix is better-
looking than self.
But things grow -- is there any metaprogramming tricks or whatnot we
can throw on the self?
Cheers,
|
by: Bart Kastermans |
last post by:
I am playing with some trees. In one of the procedures I wrote
for this I am trying to change self to a different tree. A tree
here has four members (val/type/left/right). I found that self = SS
does not work; I have to write self.val = SS.val and the same for
the other members (as shown below). Is there a better way to do this?
In the below self is part of a parse tree, F is the parse tree of a
function f with argument x. If a node...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| | |
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| | |
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
