How can I secure an ASP .NET website that already uses Forms authentication?

I've got an ASP .NET website which uses Forms authentication to secure certain parts of the site. We have a test version of the site on a server and are making it available to partners over the web, e.g. at test.mydomain.com.

I need to secure all parts of the site so that only our partners can use it.开发者_运维百科 Ideally it would be nice to have basic authentication pop up when they first hit the site, then have it work as normal thereafter, i.e. forms auth for certain areas.

However it seems ASP .NET and IIS don't support this. I'm aware of MADAM but that achieves something slightly different to what I need.

I'm considering restricting access by IP but that has two drawbacks, one it requires parters to "sign up" with their IP, and two, their IP could change.

Does anyone else have any suggestions?

One solution is to check for the existence of a 'basic authentication' cookie on each request. If it doesn't exist or doesn't have valid data, don't allow access to the site. This could be checked in a base page that all pages inherit from or masterpage etc.

In order to set the cookie, you could create page that you send your partners to. It might just be at a obscure url, or require that they enter a password. Basically what ever security mechanism suits you, but once they 'pass the test', you set the cookie that gives them access to the site.

Then they would have access and be able to login using your existing forms authentication.

Does that make sense.

Assuming your site implements roles, you can block access using traditional forms authentication and the location attributes. Something like:

<configuration>
 <location path="Testing">
  <system.web>
     <authorization>
        <allow roles="partners" />
        <deny users="*" />
     </authorization>
  </system.web>
 </location>
</configuration>

You would then need to make sure all of the users that need access to that part of the site were in the partners role.

Ummm....

Well, the above solutions will work, but overall there is a better way. But does require some planning ahead.

1. your development and staging servers shouldn't be open to the general public, search bots, ect.. ect..
2. your dev and stg boxes can be locked down buy firewall or even ip access controls via IIS

No code solution

In the end we decided that securing the entire site via Forms authentication, and issuing test accounts to our partners, was the best solution.

Thanks to all for your suggestions.