Security :: Why Access Files Inside A Forms Authenticated Part Of Site
Aug 18, 2010
Why can I still access files inside a forms authenticated part of my site? Any webpages say that you need to login to view them, but people can still access images by typing in the address bar. I am using forms authentication with my own database, so none of the aspnetdb services like membership roles etc. Is this a bad way to do things because I'm pretty deep into it now and it would be very difficult to change.
View 16 Replies
Similar Messages:
Aug 18, 2010
I've a default.aspx page in my application's root folder. I added a a page in the root of inetpub that redirects requests to the default page. The idea is that the user need only enter the server name to get to the default page. How can I set things up so that all users have access to the default.aspx and that they only have access to the other pages once they've been authenticated?
I am using Windows Integrated Security and the users are being challenged and authenticated properly. I want them to be able to access Default.aspx without any challenges.
(On a side note which may answer this question, when using WIS does the user *allows* have to be challenged? Isn't it possible to pass through their Windows User and ID without the prompt?)
c: inetpubwwwroot
edirect.aspx (set as default document in IIS and simple executes Response.redirect("sites/mercury/default.aspx")
c:documents and settingsall usersdocumentswebsitesmercurydefault.aspx (home page for the site & server)web.config includes
[Code]....
View 2 Replies
Jun 14, 2010
I have a site almost finished that uses ASP.Net membership, forms authentication and roles. There are one or two requirements remaining and I'm not even sure how to properly approach one of them.
The site I've created is going to provide service ONLY through SSL, if that matters. Yes, I'll redirect a request that lands on port 80 but the intent is to encrypt everything.
Is there a "best practice" for creating a session with my site, from another site? In other words the company is building a marketing page that has spaces for a login and password. I can find lots of posts about passing a username and password to another
site to start a session, but very few if any about receiving the username and password.
If anyone can point me to an article or posting with a code sample where the login control of a forms-authenticated site is used as the target of a form hosted as part of a different web page/application on a different host, it'd be awesome.
To be clear, the scenario is essentially "brochureware website on a 3rd-party host" providing the visitor the ability to log in to a secure site on a more "internal" server.
View 1 Replies
Dec 9, 2010
I have a requirement that whenever a user logs onto a website using forms based authentication [FBA] that the site checks whether they have a related domain NT user record. There will be a matching lookup table between the ASPNETDB membership database and related domain accounts for users.Whenever an FBA user logs in and a related domain account is located then the member should be redirected to an alternative site / URL which is Windows NT authenticated rather than FBA. Before transferring them I would like to be able to pre authenticate them on the windows domain rather than an additional NT Login dialog box coming up and asking them to enter the related NT credentials.Is it possible to programatically preauthenticate using NT credentials before redirecting a user to an NT authenticated site?Note: This isn't technically a single sign on style scenario. The FBA / NT authenticated sites are not related other than the relationship between the original FBA credentials and the NT credentials lookup.
View 1 Replies
Jan 29, 2010
I have a web app, which contains a folder Uploads, to which users (authenticated) upload their files (for some reason it has to be a folder in the root of the web app).I want to deny access to this folder and files to all non-authenticated users.
In my web.config I have:
[Code]....
and everything seems to work in development, but on a staging server it redirects non-authenticated users to login page ONLY from aspx pages, but not when entering the url to the file in Uploads folder.
View 5 Replies
Jun 25, 2010
I have used the Forms Authentication for logging in and in that i have created the Forms Authentication Ticket and in that ticket i have passing the data with comma seperated values.how can i get the data which is in the ticket to access in the Authenticated user pages
View 1 Replies
Jun 29, 2010
Currently in my application using LDAP to authenticate user to a specific domain & then i check if the user exist in my site database.
Now i need to also allow users who do not belong to this specific LDAP domain to access my site ..How can i make it possible withoput affecting the exisiting users?
View 1 Replies
Oct 31, 2010
i want to know the number of users wich access to my site and show it
View 4 Replies
Mar 25, 2010
I am trying to find a good pattern to use for user access validation.
Basically on a webforms application I had a framework which used user roles to define access, ie, users were assigned into roles, and "pages" were granted access to a page. I had a table in the database with all the pages listed in it. Pages could have child pages that got their access inherited from the parent.
When defining access, I assigned the roles access to the pages. Users in the role then had access to the pages. It is fairly simple to manage as well. The way I implemented this was on a base class that every page inherited. On pageload/init I would check the page url and validate access and act appropriately.
However I am now working on a MVC application and need to implement something similar, however I can't find a good way to make my previous solution work. Purely because I don't have static pages as url paths. Also I am not sure how best to approach this as I now have controllers rather then aspx pages.
I have looked at the MVCSitemapprovider, but that does not work off a database, it needs a sitemap file. I need control of changing user persmissions on the fly.
View 2 Replies
Oct 21, 2010
I have an ASP.net 2.0 website that sits on a Windows XP SP3 box on IIS 5.1. The website needs to go across a UNC path to another server to grab an image file. Both boxes are in the same workgroup but no domain is setup. I have created the same user on both boxes with the same password and the website is using anonymous access using that account. The account is an admin on both boxes(i know security risk but this is for testing). File.Exists() just keeps returning false but the file is there. I suspect it has something to do with the ASPNET account but i'm at a loss. I've tried aspnet impersonation using that account as well with no luck.
View 4 Replies
Nov 9, 2010
I am faced with a rather tricky issue. I am developing a web application that resides beneath a web site. The web application is actually meant for the employees of the company owning the web site. The employees can access the web app from the login facility on the site.
The situation demands that an employee must be able to login to the app only from the office machines and not from anywhere outside. I thought of a logic where in the IP address of the machine in which the employee sits will be stored against the employee profile and when he logs in, the authentication will check for user credentials as well as whether he is logging from the designated IP. If not he is not allowed access to the app even if the login credentials where correct.
I am not sure if this is a good way, because I feel tricky persons can give the same IP of the office machine in another machine, say at home and the logic is broken. Can somebody provide me a better way of solving the issue. I am using ASP.Net login control for user login.
View 3 Replies
Dec 8, 2010
I have an internal corporate ASP.NET MVC website.
Requirement(1): When any person is on the network, they can access this site EXCEPT one AD Group (Example: AD_Sales group).
Requirement(2): Also like for example if a person that has the access passes a url (Ex: http://mysite/Home/Index/Product/Letter) to a sales group person, he still should NOT access and need to display a custom message saying "You are not authorised to view this page".
If the scenario is like to issue the access to one AD Group and deny access for all others, it is fairly is. It can done from IIS. I am Wondering how to do this.
View 2 Replies
Jun 15, 2010
I have built an online CMS that is forms authenticated. The CMS allows administrators to upload files to the website. These files are stored outside of the Forms Authenticated section of the site so that they can be accessed from another site I have built. This other site is also forms authenticated, so users must log in and then they can access the files on the CMS site. site1.com: CMS for administrators only. Site stores all the files. site2.com: Access site.
My second website (The access site), is basically an empty shell that is filled with all of its content through the CMS using an SQL database and then displayed on the page. This works fine as only authenticated users have access to the interface used to view and download the files. My problem was, even though there is no public interface to find the files, someone could surely type [URL] and the video would be available to them. I dont really know what to do here, is there any way that people could be blocked from retrieving the files like this?
View 1 Replies
Aug 19, 2010
Here is my dilema, on my site i have a WordPress Audio player (http://wpaudioplayer.com/standalone) that plays my mp3's.
It loads the Mp3's in by javascript...example below:
AudioPlayer.embed("audioplayer_7", { soundFile: "/Files/Music/[name of file].mp3" });
This file name is clearly visible in the browser source. Not a problem, however this means that any user can legitimately browse to the file directly and download it.
Now i still need the mp3 player (which is flash) to have access to the file but if a user was to try accessing the file directly, they would not be allowed access to it.
I am not sure how to go about this, i am circling the idea of a httphandler but not sure if this is sufficiant to stop the direct access to the file.
View 2 Replies
Oct 15, 2010
I have an intranet site that i set up to windows authentication. It works fine most of the time but some departments wont be able to access the site and will be asked to enter user name and password.I checked their Active Directory account and the only difference i could see was that the organizational unit parameter was different than the rest of the users.
View 5 Replies
May 11, 2010
Ok so I've created a login page that accesses my Active Directory and challenges against it. What I would like, is if a user is logged onto the computer within the intranet with Active Directory Credentials for them to bypass the login to the web page.
However if they are outside of the building on a random computer, they should be presented with a login box just like they are now.
View 1 Replies
Aug 2, 2010
I run a simple .aspx website on a Windows Server 2008 machine.There is no impersonation, and System.Security.Principal.WindowsIdentity.GetCurrent().Name returns NT AUTHORITYNETWORK SERVICE, which it the account which the application pool runs.I tried to test the security of the application and server by removing file permissions to the .aspx files. I was greatly worried when the website continued to run without problem (it should not have been able to read the .aspx files).By turning on file level auditing, I discovered that the .aspx files were being read by the machine$ account (if the machine is called Serv1, then the files would be read by the Serv1$ account, which seems to have access to all files on the local machine).Is this a security breach or is this behaviour by design ?
View 4 Replies
Aug 11, 2010
I have a folder with username and password over it.I wanna make a page where i can access files under that folders in .net and be able to download them.How to code that in VB.net?
View 2 Replies
Mar 7, 2011
My restricted files are all stored in ~/Secured folder on the root. Authorized users have no trouble accessing aspx files in that folder. Recently I added a part of an application whose files I wanted to keep separate and created a ~/Secured/HR folder. I am getting a "resource not found" error trying to use any aspx file in HR folder even after user successfully logs in, as if the file does not exist at all. Here is my web.config security settings:
[Code]....
Do I need to configure security for that folder separately?
View 1 Replies
Jul 20, 2010
I'm using roles based authenication and am trying to populate a dropdown list from Page_Load that resides inside a LoginView control. My problem is my code behind file doesnt recognize controls inside the LoginView templates.
View 6 Replies
Apr 17, 2010
I used to deploy developed web parts to a remote sharepoint site by Build->Deploy menu inside Visual Studio 2008 months ago ( I am not a regular web part developer). My network engineer also asked me how to deploy web parts without stsadm commands. anyway now I can't. Visual Studio keeps complaining that the specified site doesn't have sharepoint site contained. "No SharePoint Site exists at the specified URL."
After googling, it is said web parts can't be deployed to remote sharepoint sites from visual studio. Only can to local site. However I did it before. Visual Studio 2008 service pack or hot fix made this feature (remote deploy) removed? Or is there any workaround?
View 1 Replies
Jun 11, 2010
Why is it that a simple string inside a webpart not showing when the application is run ? Actually my requirement is to use a fusion (usually called as a function) and Visifire chart (usually called as a function from javascript) in web part which i'm not able to consume at all.
View 5 Replies
May 7, 2010
Followed the code sample of Chapter 10 (Logging in) of the Book, Microsoft ASP.NET 2.0, I created an ASP.NET 3.5 website with Forms Authentication. The sample code used Website Administration Tool (WAT) to manage the users, roles, and authorization.When running in the ASP.NET Development server environment, I can first login, then click to open the links for each for the 3 roles.
However when running the sample code in the IIS server environment, I can login but can not open the links for the role subfolders.Clicking each link popped up an error message for opening a login.aspx from the specific subfolder. I don't have a Login.aspx file in each subfolder.The 3 role subfolders were configured as the virtual folders in the IIS Server. Why the sample code worked fine inASP.NET Development server environment, but got an error message from theIIS Server environment? Why an authenticated user can not open the subfolder homepage?
View 5 Replies
Aug 20, 2015
As part of my new user setup, when they sign up for an account I create want to be able to create a directory under a Documents folder for them and then write a web.config file in that folder limiting access to it to the new account. However because they are still in the process they are an unauthenticated user at that point (Forms authentication), and I get an error that they don't have rights to that folder I want to create their sub-folder in. What do I need to set the folder security at to be able to create a folder and a file in that folder from code?
View 8 Replies
Oct 27, 2010
I need to check if an authenticated user is authorized to access a directory. I have done this before with a base class library method, I just cannot remember what class it's part of or what it's name was. I think the method was a static method and the class may have had the word Utility in it's name, but I just can't remember or find it on the net. BUT I KNOW I HAVE USED IT! The method definition was something like:
bool SomeTypeWithTheWordUtilityInTheNamePossibly.VerifyUserIsAuthorized(Principal user, string virtualPath)
I'm not using a roles provider in this application and I'm not planning to.
View 1 Replies
