Welcome to WebmasterWorld Guest from

Forum Moderators: ocean10000

Message Too Old, No Replies

Password protect a single directory

Without the use of web.config file?



6:28 pm on Feb 3, 2006 (gmt 0)

10+ Year Member

Hello out there!

I have recently inherited a task that is growing more frustrating every minute. I will try however, to get it done with the least amount of friction as possible.

By "friction" I mean that I am not being given access to the web.config file from 'computer services'. What I am being asked to do is create a directory that is password protected. By what I know how to do, this would be extremely easy if I were given access to the web.config file. So according to what I don't know how to do, I am asking you -- You people out there in web-land -- Is there a 'satisfactory' method of protecting this directory using nothing but asp.net and access to MS SQL or Access 2000 database? If worse comes to worse, I am going to protect it using a web form and text files and tell them "you should have given me the tools I needed" when something goes wrong. -- But not really, my work ethic is too high to do something like that. Hence the "satisfactory" method I am seeking!

Thankful for your input!

-- Zak


7:05 pm on Feb 3, 2006 (gmt 0)

10+ Year Member


Sorry to hear about your frustrations. Is it possible for them to set the (virtual)directory as an application in IIS? if so, you can have your own web.config specifically for that directory, and the other one can be left alone.

other than that, I'd perhaps suggest a usercontrol that you drop on every page in that dir that would handle permissions(by session cookies or whatnot..)



7:25 pm on Feb 3, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

It sounds like you're using virtual hosting. The only way to protect a directory is to use IIS (web.config won't work unless all your documents are passed through the ASPX ISAPI extension).

Unless your hosting company is willing to set up the password protection then there's not much you can do.

If all your files in that directory are just ASP or ASP pages you can do it by baking your own password protection scripts on each page.


3:16 pm on Feb 4, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Cany you just submit a request to 'computer services' to change the security settings on the folder?

>I am being asked to do is create a directory that is password protected

This makes no sense. Why not go back to client and bottom out te requirements before solving the problem - users, permissions etc.


4:10 am on Feb 5, 2006 (gmt 0)

10+ Year Member

At minimum yo need to have
<authentication mode="Forms" />
set in your web.config

Then you can create your own authentication cookie
on page load in every page you need to check if user is validated (SQL, Access )


if not set,redirect to login page where you can check if user exists in database.
If user exist and passoword matches set user cookie..

string UserID = GetUserID(username,password)//gets userid from db
if (UserID!=null)
//set cookie

FormsAuthentication.SetAuthCookie(UserID, True)


5:13 pm on Feb 5, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

tomasz, that only works for documents that are passed through the ASP.Net module. If he has zip files, graphics or anything other than an ASP.Net page that he wants hiding, then by defaut ASP.Net authentication won't work for those documents.


5:42 pm on Feb 5, 2006 (gmt 0)

10+ Year Member

I had a similar situation on a host that had frontpage extensions enabled. Password protecting might have corrupted it. My solution was to link the link to this folder to an equivalent directory on another server where this was not an issue.
Why not put all your programs on a server where you have control on. So the address will say anotherdomain.com. As long as your program does what it should not many people will even notice the address until you tell them.
Just a brainstorm.

Another point is that if you have an index.* the contents won't be seen. In this case unless someone knows the exact file or directory name they won't be able to access it. In other words your file names would be kind of a password. Name them long and hard to guess.


4:17 pm on Feb 7, 2006 (gmt 0)

10+ Year Member

Set the security to that folder only and have all of the NT creds pass down. They will be prompted to login before getting access to the files there. This only works if you are using domains i.e. intranet app. Don't totally know your situation...if you describe the setup and the business rules it would help.


4:52 pm on Feb 7, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

It works for any site that disallows anonomous access, nothing to do with domains or intranets :)

Featured Threads

Hot Threads This Week

Hot Threads This Month