Re: Security based on session, what's wrong?

From: Brock Allen (ballen_at_NOSPAMdevelop.com)
Date: 04/27/05


Date: Wed, 27 Apr 2005 06:09:22 -0700

You can always go and build your own authentication and authorization mechanism.
The intent of Forms is that much of the routine checks and identity management
is done for you. Of course there are pieces you have to fill in, such as
the login page and the database of usernames/passwords, but the check on
every page is done for you to see if the user is logged in and if they're
allowed to access the pages. The cool thing is that this is declarative with
the <authorization> elements in web.config, and there are typically few
or no access checks you have to write in your own code.

-Brock
DevelopMentor
http://staff.develop.com/ballen

> Hello,
>
> I'm working on a portal derived from IBuySpy, and I have changed
>
> I check username and pwd against a database, then I make a
> Session["User"]= UserID (the ID I get from the database, if it
> exists).
> Now I create all the pages based on that ID stored in a session
> variable.
> If that user is authorized to see a certain tab, module or content,
> the page is created that way. All the auth info (user/contents) are
> stored in another database table.
> Everything works fine without use of forms authentication.
> Is there something wrong with it? should I use forms authentication?
> why?
> Thanks,
> Mattia
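
The declarative check described in the reply above, as an added example that is not part of the original thread: a web.config that turns on Forms authentication and states access rules per path, so a page that forgets its own Session check is still covered. The page name Login.aspx, the Admin folder and the PortalAdmins role are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Forms authentication: unauthenticated requests to protected
         resources are redirected to loginUrl. Login.aspx is an assumed
         page name; the login page itself stays reachable anonymously. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             protection="All"
             timeout="30"
             slidingExpiration="true" />
    </authentication>

    <!-- Site-wide default. Rules are evaluated top to bottom and the
         first match wins. "?" means anonymous users, "*" means everyone. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Stricter rule for one folder (assumed name: Admin).
       The allow must come before the deny, otherwise the deny matches
       first and nobody gets in. The role name is an assumption; role
       membership has to be attached to the request's principal by the
       application (or a role provider) for this rule to match. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="PortalAdmins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

These rules are enforced for every request that ASP.NET handles, before any page code runs; per-tab and per-module decisions inside a page, like the ones in the quoted question, still need their own lookups.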


