homepage Welcome to WebmasterWorld Guest from 54.167.41.199
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Microsoft / Microsoft IIS Web Server and ASP.NET
Forum Library, Charter, Moderators: ocean10000

Microsoft IIS Web Server and ASP.NET Forum

    
Password protect a single directory
Without the use of web.config file?
lZakl




msg:944322
 6:28 pm on Feb 3, 2006 (gmt 0)

Hello out there!

I have recently inherited a task that is growing more frustrating every minute. I will try however, to get it done with the least amount of friction as possible.

By "friction" I mean that I am not being given access to the web.config file from 'computer services'. What I am being asked to do is create a directory that is password protected. By what I know how to do, this would be extremely easy if I were given access to the web.config file. So according to what I don't know how to do, I am asking you -- You people out there in web-land -- Is there a 'satisfactory' method of protecting this directory using nothing but asp.net and access to MS SQL or Access 2000 database? If worse comes to worse, I am going to protect it using a web form and text files and tell them "you should have given me the tools I needed" when something goes wrong. -- But not really, my work ethic is too high to do something like that. Hence the "satisfactory" method I am seeking!

Thankful for your input!

-- Zak

 

emsaw




msg:944323
 7:05 pm on Feb 3, 2006 (gmt 0)

lZakl,

Sorry to hear about your frustrations. Is it possible for them to set the (virtual)directory as an application in IIS? if so, you can have your own web.config specifically for that directory, and the other one can be left alone.

other than that, I'd perhaps suggest a usercontrol that you drop on every page in that dir that would handle permissions(by session cookies or whatnot..)

Mark

mrMister




msg:944324
 7:25 pm on Feb 3, 2006 (gmt 0)

It sounds like you're using virtual hosting. The only way to protect a directory is to use IIS (web.config won't work unless all your documents are passed through the ASPX ISAPI extension).

Unless your hosting company is willing to set up the password protection then there's not much you can do.

If all your files in that directory are just ASP or ASP pages you can do it by baking your own password protection scripts on each page.

aspdaddy




msg:944325
 3:16 pm on Feb 4, 2006 (gmt 0)

Cany you just submit a request to 'computer services' to change the security settings on the folder?

>I am being asked to do is create a directory that is password protected

This makes no sense. Why not go back to client and bottom out te requirements before solving the problem - users, permissions etc.

tomasz




msg:944326
 4:10 am on Feb 5, 2006 (gmt 0)

At minimum yo need to have
<authentication mode="Forms" />
set in your web.config

Then you can create your own authentication cookie
on page load in every page you need to check if user is validated (SQL, Access )

if(User.Identity.Name==null)
response.redirect("login.aspx")

if not set,redirect to login page where you can check if user exists in database.
If user exist and passoword matches set user cookie..

string UserID = GetUserID(username,password)//gets userid from db
if (UserID!=null)
//set cookie

FormsAuthentication.SetAuthCookie(UserID, True)

mrMister




msg:944327
 5:13 pm on Feb 5, 2006 (gmt 0)

tomasz, that only works for documents that are passed through the ASP.Net module. If he has zip files, graphics or anything other than an ASP.Net page that he wants hiding, then by defaut ASP.Net authentication won't work for those documents.

a1call




msg:944328
 5:42 pm on Feb 5, 2006 (gmt 0)

Hi,
I had a similar situation on a host that had frontpage extensions enabled. Password protecting might have corrupted it. My solution was to link the link to this folder to an equivalent directory on another server where this was not an issue.
Why not put all your programs on a server where you have control on. So the address will say anotherdomain.com. As long as your program does what it should not many people will even notice the address until you tell them.
Just a brainstorm.

Another point is that if you have an index.* the contents won't be seen. In this case unless someone knows the exact file or directory name they won't be able to access it. In other words your file names would be kind of a password. Name them long and hard to guess.

beauzero




msg:944329
 4:17 pm on Feb 7, 2006 (gmt 0)

Set the security to that folder only and have all of the NT creds pass down. They will be prompted to login before getting access to the files there. This only works if you are using domains i.e. intranet app. Don't totally know your situation...if you describe the setup and the business rules it would help.

aspdaddy




msg:944330
 4:52 pm on Feb 7, 2006 (gmt 0)

It works for any site that disallows anonomous access, nothing to do with domains or intranets :)

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Microsoft / Microsoft IIS Web Server and ASP.NET
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved