Re: Forms Authentication
- From: "Alexey Smirnov" <alexey.smirnov@xxxxxxxxx>
- Date: 4 Apr 2007 13:58:19 -0700
On Apr 4, 12:02 pm, m.ow...@xxxxxxxxxxx wrote:
> Hi,
> I am new to the concept of asp.net authentication so this might be
> obvious. I'm working on an application written by my predecessor,
> which has a login page. This is authenticated against credentials in a
> database. If the user is an administrator, the user is forwarded to a
> management console. If the user is a standard user then the user is
> forwarded to the user console.
> The problem is, when logged in there's nothing to stop the user
> (logged in as a standard user) modifying the URL in the browser window
> and navigating to the administrator area of the website.
> What's the best way of getting around this? Can I assign roles to the
> users (in the cookie) and use the web.config file to interrogate these
> credentials and allow / deny access?
> Thanks in advance
> Matt

There are two standard ways to authorize users in your case: URL
authorization and roles. With URL authorization, you can allow or deny
access to a particular link by user name.

    <location path="admin.aspx">
      <system.web>
        <authorization>
          <!-- rules are evaluated top to bottom; the first match wins -->
          <allow users="admin,superadmin"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>

Role-based authorization lets you assign users to roles. You can
either use "allow roles", "deny roles" in a web.config, or configure
access in the code using the User.IsInRole() function:

    if (User.IsInRole("admin")) {
        Response.Redirect("admin.aspx");
    }
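
An added example, not part of the original post: one way to carry roles in the forms-authentication ticket so that User.IsInRole() and "allow roles" in web.config see them, with the check enforced on the admin page itself rather than only at the redirect. The RoleTicket class, its method names and the 30-minute lifetime are assumptions.

```csharp
// Added example; RoleTicket and its method names are hypothetical.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleTicket
{
    // Call from the login page after the database check succeeds.
    // 'roles' comes from the application's own user table (assumed).
    public static void SignIn(HttpResponse response, string userName, string[] roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false,                       // session cookie, not persistent
            string.Join(",", roles));    // UserData carries the role list

        // Encrypt() applies the <forms protection="..."> setting (default
        // "All": encrypted and integrity-checked), so the browser cannot
        // edit the role list inside the cookie.
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        response.Cookies.Add(cookie);
    }

    // Call from Application_AuthenticateRequest in Global.asax so that
    // User.IsInRole() and <allow roles="..."/> see the ticket's roles.
    public static void RestorePrincipal(HttpContext context)
    {
        FormsIdentity identity = context.User == null
            ? null : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        string[] roles = identity.Ticket.UserData.Split(
            new char[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(identity, roles);
    }

    // Call first in Page_Load of every admin page: the check has to run on
    // the protected page itself, not only where the login page redirects.
    public static void RequireRole(HttpContext context, string role)
    {
        if (context.User == null || !context.User.IsInRole(role))
        {
            context.Response.StatusCode = 403;
            context.Response.End();
        }
    }
}
```

Roles stored this way stay in effect until the ticket expires, so a role removed in the database is only picked up at the next login.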