2 security questions


John

First off, I am very new to ASP.NET, please excuse my ignorance if I am
asking the obvious.



All forms authentication examples I have seen so far either use
userid/password info in the web.config file or validate it against the
database. If the user is authenticated, an authentication ticket is
created, encrypted, and stored in a cookie. Then every page decrypts the
ticket, checks the roles to confirm it should have access to this page.



This brings to mind 2 questions:



Q1. Instead of validating on every page, why not simply place the ticket
validation in an HTTPModule and redirect to the requested page or the login
page? Then any web-app could basically add the DB tables, Login page, and
new HTTPModule for instant security functionality. This is so simple, I
have to wonder if I've completely missed something, or it's a current
functionality in ASP.NET, and I just haven't seen it yet.



Q2. I want to make user, role, and permission maintenance available to the
administrator online. This would require a very simple object model and a
few simple pages. This is the type of thing that is pretty generic and
common. I don't want to reinvent the wheel, so does anybody know where I
could find these pages/objects?



Thanks in advance.



Regards,

John
 
> Q1. Instead of validating on every page, why not simply place the ticket
> validation in an HTTPModule and redirect to the requested page or the login
> page? Then any web-app could basically add the DB tables, Login page, and
> new HTTPModule for instant security functionality. This is so simple, I
> have to wonder if I've completely missed something, or it's a current
> functionality in ASP.NET, and I just haven't seen it yet.

Erm, this is *precisely* how the Forms Authentication piece of ASP.NET
works. See the class System.Web.Security.FormsAuthenticationModule, and
note how in the machine.config there's the registration of this HTTP Module:

    <httpModules>
      ...
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule"/>
      ...
    </httpModules>

> Q2. I want to make user, role, and permission maintenance available to the
> administrator online. This would require a very simple object model and a
> few simple pages. This is the type of thing that is pretty generic and
> common. I don't want to reinvent the wheel, so does anybody know where I
> could find these pages/objects?

There's an article Darren Neimke [http://weblogs.asp.net/dneimke/] and I
wrote on this topic:
http://aspnet.4guysfromrolla.com/articles/082703-1.aspx

It doesn't provide a complete, pre-built solution, but it does have
plenty of code snippets that should move you in the right direction.

hth

--

Scott Mitchell
(e-mail address removed)
http://www.4GuysFromRolla.com

* When you think ASP.NET, think 4GuysFromRolla.com!
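
The module approach discussed in this thread, as an added example that is not code from either poster or from the linked article: a custom HTTP module that validates the forms ticket once per request and attaches roles to the user, so individual pages need no ticket code. The class name `TicketRoleModule` and the pipe-delimited role list in the ticket's `UserData` are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical module name; register it under <httpModules> in web.config.
public class TicketRoleModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Fires once per request, before any page code executes.
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpCookie cookie = ctx.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || cookie.Value == null || cookie.Value.Length == 0)
            return; // no ticket: request stays anonymous, <authorization> rules apply

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypts the cookie and checks its integrity (forms protection="All").
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException) { return; }      // malformed cookie value
        catch (CryptographicException) { return; } // tampered, or different machine key
        catch (HttpException) { return; }          // any other ticket failure: fail closed

        if (ticket == null || ticket.Expired)
            return; // never build a principal from a stale ticket

        // Assumption: the login page stored roles in UserData as "Admin|Editor".
        // They are only trustworthy because the ticket is encrypted and validated.
        string data = ticket.UserData;
        string[] roles = (data == null || data.Length == 0)
            ? new string[0]
            : data.Split('|');

        // Pages and <authorization> rules can now rely on User.IsInRole(...).
        ctx.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }
}
```

Roles carried in the ticket stay in effect until the ticket expires, so a role removed in the database only takes effect at the user's next login unless the module re-checks the store.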
 
