Web Forms Security via web.config?

In classic ASP, if you wanted to restrict someone from a certain area on the website (say, a "client area"), you would activate a session flag once their login credentials had been verified, and challenge each visitor at each protected page for that session flag.

I had heard that with ASP.NET, this has been greatly simplified through the web.config file, but wasn't offered too much support on the issue.  Does anyone know how it can be implemented simply and quickly via the web.config file?  Are there any simple descriptions online somewhere?  Ideally, I'd like to authorize the users from an admin table in a database, with each person having their own ID and PWD....not authorizing them through static ID and PWD's listed in the web.config file.

Anyone know about this?  Huh?

0
snipe1k
6/13/2005 5:04:15 PM
asp.net.security

See
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrflocationelement.asp.
Using the location element you can specify the configuration for a file
or directory (including authorization).

- Wilco Bauwer (MSFT) / http://www.wilcob.com
0
WilcoB
6/13/2005 5:39:53 PM
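
A root web.config along the lines of the answer above, added here as an illustration and not written by either poster. The folder name `ClientArea`, the page `Login.aspx` and the cookie name are assumed placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example: root web.config. ClientArea, Login.aspx and the cookie
     name are placeholder names, not taken from the thread. -->
<configuration>
  <system.web>
    <!-- Forms authentication: a request that the rules below deny is
         redirected to loginUrl. There is no <credentials> section here;
         Login.aspx is expected to check the ID and password against the
         database (parameterized query, salted password hashes) and then
         call FormsAuthentication.RedirectFromLoginPage to issue the
         ticket. -->
    <authentication mode="Forms">
      <forms name=".CLIENTAUTH"
             loginUrl="~/Login.aspx"
             protection="All"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true"
             path="/" />
    </authentication>

    <!-- Site default: everyone, including anonymous users, may browse. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Per-directory override with the location element. "?" stands for
       anonymous users, so anyone without a valid ticket is denied and
       sent to the login page. This replaces the per-page session-flag
       check used in classic ASP. -->
  <location path="ClientArea">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- The login page itself must stay reachable without a ticket. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

These authorization rules apply only to requests that IIS hands to ASP.NET; files in the protected folder that IIS serves directly, without passing them through ASP.NET, are not covered by them.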