
Making a page secure

I am building an ASP.NET website that has members pages. I have created a folder where I keep the members pages, and that can only be accessed by logging in or creating a new account. The problem is how do I make the URL of these members pages secure, so that someone can't simply give the URL to another user for them to copy into a browser or bookmark. Any suggestions greatly appreciated.


In web.config you need to specify that this folder is for permitted users only.

To grant individual security (person against person), just add a check (for example in Page_Load) that the member is permitted to see this page, and throw an HttpException with code 403 (Forbidden) if not.


You can do this through the Authentication element in your web.config.

http://support.microsoft.com/kb/316871 has details on this but roughly you will add things that look like this:

    <location path="subdir1">
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </location>

This will deny access to that subdir to all anonymous users.

To quote the MSDN page above:

When using forms-based authentication in ASP.NET applications, only authenticated users are granted access to pages in the application. Unauthenticated users are automatically redirected to the page specified by the loginUrl attribute of the Web.config file where they can submit their credentials. In some cases, you may want to permit users to access certain pages in an application without requiring authentication.


Edit:

In response to your edit about testing user pages, there are two ways I can think of that this might work. If the page is specific to a given user, then you can just make sure that in the code, rather than getting the user details from the URL, you look up who the logged-in user is and give them their page. So for example, if you are currently looking at members/mypage.aspx?user=bob, then instead just link to members/mypage.aspx and in the code get the name of the logged-in user to use. Then there is no way to tell the code that you want Bob's page without being Bob.

In the more likely event that you have groups of users (e.g. admin) that can see a page, then you will need to put some code on your page to check permissions. For a given page you will need to work out who can view it somehow (e.g. by looking up that page against the allowed user roles to get a list of roles) and then check if the logged-in user is in that list of who can view (does the user have one of those roles?).

E.g. Bob is an admin and Frank isn't. When going to your admin.aspx page, you first of all look up admin.aspx and find out that the roles Admin and SuperAdmin are allowed to view it. You then look up the logged-in user and iterate through their roles until you find one in the allowed roles list. If you find one, process the page as normal; if you don't, then either redirect somewhere else or throw an exception (e.g. throw your own MyAccessDeniedException that gets caught in your global event handler and shows a message explaining the user doesn't have permissions).

All of this can be done in a base class of your page to prevent you having to include the code on every page. That is, you can create MyPage that inherits from Page and, in the OnLoad (or OnInit or wherever you fancy) of MyPage, run this security check. Then all the pages of your site inherit from MyPage instead of Page and you immediately get the functionality on all pages.

Hopefully this answers your questions.

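The following is an added example, not code from either answer above. It puts both suggestions into one base class: the first answer's "check in Page_Load and throw an HttpException with 403", and the second answer's "look up which roles may view this page, compare against the logged-in user's roles, and do it once in a base class so every page inherits the check". The page-to-roles dictionary, the `SecurePage` name and the `CurrentMemberName` property are assumptions for illustration; a real application would load the role map from a database or configuration rather than hard-coding it.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;

// Added example: a base page that enforces per-page role authorization.
// All members pages should derive from SecurePage instead of Page.
public class SecurePage : Page
{
    // Hypothetical page-to-roles map (constructed for this example).
    // Key: app-relative virtual path of the page; value: roles allowed to view it.
    // Pages not listed here require only an authenticated user.
    private static readonly Dictionary<string, string[]> AllowedRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "~/members/admin.aspx", new[] { "Admin", "SuperAdmin" } },
            { "~/members/reports.aspx", new[] { "Admin", "Auditor" } },
        };

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Defence in depth: the <authorization> element in web.config should
        // already deny anonymous users for the members folder, but the page
        // itself must not rely on that single layer.
        if (User == null || !User.Identity.IsAuthenticated)
        {
            throw new HttpException(403, "Forbidden");
        }

        // If this page has a role restriction, fail closed unless the
        // logged-in user holds at least one of the allowed roles.
        string[] roles;
        if (AllowedRoles.TryGetValue(AppRelativeVirtualPath, out roles)
            && !roles.Any(role => User.IsInRole(role)))
        {
            throw new HttpException(403, "Forbidden");
        }
    }

    // Derived pages use this, never a query-string value such as ?user=bob,
    // to decide whose data to show. Sharing or bookmarking a URL then gains
    // nothing: the page always renders the data of whoever is logged in.
    protected string CurrentMemberName
    {
        get { return User.Identity.Name; }
    }
}
```

Throwing `HttpException` with status 403 lets ASP.NET return a proper Forbidden response (or the `<customErrors>` page configured for 403) instead of silently rendering an empty page; catching it in `Application_Error` in Global.asax is where you would log the attempt.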