best practice asp.net 2.0 approach for includes

[Ned Balzer]

Hi all,

I am pretty new to asp.net; I've done lots of classic asp, but am just
beginning to get my mind wrapped around .net.

What I'd like to do is include some code that tests if a user is logged
in, on each and every page, and redirects the user to a login page if
s/he's not logged in. The login page will also take care of some
standard setup, such as choosing/populating a user profile. I used to
use <!-- #include ... --> for this, but I understand that's not the way
to do it in .net.

I am not interested in using the .net 2.0 login controls, because our
university already has some standard tools for authentication against
university-wide (non-Microsoft) LDAP.

What is the best practice approach for this? I've read various threads
on this forum about .ascx user controls. I think I want to override
page_load() -- is that correct? But the page_load() subroutine will
also often need to perform some page-specific tasks. Is there an
approach that uses master pages?

It seems like one of those cases where there are a hundred ways to do
something, but various ways may have some advantages or disadvantages.

Thanks for any helpful advice.

-- Ned

 

[Alvin Bruney [MVP]]

Then you shouldn't have titled the thread best practice. Best
practice/correctness recommends you use the provided login controls over
your home grown remedies.

--
________________________
Warm regards,
Alvin Bruney [MVP ASP.NET]

[Shameless Author plug]
Professional VSTO.NET - Wrox/Wiley
The O.W.C. Black Book with .NET
www.lulu.com/owc, Amazon
Blog: http://www.msmvps.com/blogs/alvin

 

[Ned Balzer]

I titled my post best practices because I want to know what the best
practices are, given my situation. Maybe I'm wrong, and the asp.net
login controls would work against an external LDAP -- if so, please
correct me.

Does anyone else have any advice that is actually helpful? I would
genuinely appreciate it.

-- Ned

Then you shouldn't have titled the thread best practice. Best
practice/correctness recommends you use the provided login controls over
your home grown remedies.

--
________________________
Warm regards,
Alvin Bruney [MVP ASP.NET]

[Shameless Author plug]
Professional VSTO.NET - Wrox/Wiley
The O.W.C. Black Book with .NET
www.lulu.com/owc, Amazon
Blog: http://www.msmvps.com/blogs/alvin
-------------------------------------------------------

Hi all,

I am pretty new to asp.net; I've done lots of classic asp, but am just
beginning to get my mind wrapped around .net.

What I'd like to do is include some code that tests if a user is logged
in, on each and every page, and redirects the user to a login page if
s/he's not logged in. The login page will also take care of some
standard setup, such as choosing/populating a user profile. I used to
use <!-- #include ... --> for this, but I understand that's not the way
to do it in .net.

I am not interested in using the .net 2.0 login controls, because our
university already has some standard tools for authentication against
university-wide (non-Microsoft) LDAP.

What is the best practice approach for this? I've read various threads
on this forum about .ascx user controls. I think I want to override
page_load() -- is that correct? But the page_load() subroutine will
also often need to perform some page-specific tasks. Is there an
approach that uses master pages?

It seems like one of those cases where there are a hundred ways to do
something, but various ways may have some advantages or disadvantages.

Thanks for any helpful advice.

-- Ned

 

[Paul]

I'm sure you could get the ASP.NET2.0 login controls to work with an
external LDAP because they are developed using providers, which you can
extend / override with your own versions (which would be able to communicate
with the external LDAP).

However, I was originally won over by this security model when I read up on
the changes in 2.0. Using them in one project, but then an additional
requirement to implement some functionality in a windows application came
up. At that point it appeared to me that Microsoft had broken another best
practise. These membership providers seem fairly tightly coupled into
ASP.NET, requiring another security implementation for windows forms. I
would have thought m/s should have provided security base classes that were
independant of application type, then UI classes in both windows and web
that use these base providers. Maybe that wouldn't be possible, or I've
missed how easy it would be to include my own version of this - but it
seemed a short coming to me at the time.

Hope that helps,

- Paul.

I titled my post best practices because I want to know what the best
practices are, given my situation. Maybe I'm wrong, and the asp.net
login controls would work against an external LDAP -- if so, please
correct me.

Does anyone else have any advice that is actually helpful? I would
genuinely appreciate it.

-- Ned

Then you shouldn't have titled the thread best practice. Best
practice/correctness recommends you use the provided login controls over
your home grown remedies.

--
________________________
Warm regards,
Alvin Bruney [MVP ASP.NET]

[Shameless Author plug]
Professional VSTO.NET - Wrox/Wiley
The O.W.C. Black Book with .NET
www.lulu.com/owc, Amazon
Blog: http://www.msmvps.com/blogs/alvin
-------------------------------------------------------

Hi all,

I am pretty new to asp.net; I've done lots of classic asp, but am just
beginning to get my mind wrapped around .net.

What I'd like to do is include some code that tests if a user is logged
in, on each and every page, and redirects the user to a login page if
s/he's not logged in. The login page will also take care of some
standard setup, such as choosing/populating a user profile. I used to
use <!-- #include ... --> for this, but I understand that's not the way
to do it in .net.

I am not interested in using the .net 2.0 login controls, because our
university already has some standard tools for authentication against
university-wide (non-Microsoft) LDAP.

What is the best practice approach for this? I've read various threads
on this forum about .ascx user controls. I think I want to override
page_load() -- is that correct? But the page_load() subroutine will
also often need to perform some page-specific tasks. Is there an
approach that uses master pages?

It seems like one of those cases where there are a hundred ways to do
something, but various ways may have some advantages or disadvantages.

Thanks for any helpful advice.

-- Ned

 

[Guest]

Ned,

There is nothing wrong with building your own custom user authentication
into the application. I have been doing it for years I'm my web apps. The
downside is that you will have more code to write to make it truly secure.

Instead of using includes, make use of Master Pages in ASP.Net 2.0. You can
have a master page that contains general content that is used across the site
(navigation, header, footer, etc). This master page can also server as the
place for you validation routine.

If you do not require validation across the entire site, know that you can
have more than one master page (apparently they can even be nested).

If master pages does not work for you. The next best solution might be to
create a User Control (similar to Scriplets in classic ASP). In this case,
you would place the validation routine in the user control and then embed the
user control into any pages that require authentication.

Best of luck,
--
Steven Land

I titled my post best practices because I want to know what the best
practices are, given my situation. Maybe I'm wrong, and the asp.net
login controls would work against an external LDAP -- if so, please
correct me.

Does anyone else have any advice that is actually helpful? I would
genuinely appreciate it.

-- Ned

Then you shouldn't have titled the thread best practice. Best
practice/correctness recommends you use the provided login controls over
your home grown remedies.

--
________________________
Warm regards,
Alvin Bruney [MVP ASP.NET]

[Shameless Author plug]
Professional VSTO.NET - Wrox/Wiley
The O.W.C. Black Book with .NET
www.lulu.com/owc, Amazon
Blog: http://www.msmvps.com/blogs/alvin
-------------------------------------------------------

Hi all,

I am pretty new to asp.net; I've done lots of classic asp, but am just
beginning to get my mind wrapped around .net.

What I'd like to do is include some code that tests if a user is logged
in, on each and every page, and redirects the user to a login page if
s/he's not logged in. The login page will also take care of some
standard setup, such as choosing/populating a user profile. I used to
use <!-- #include ... --> for this, but I understand that's not the way
to do it in .net.

I am not interested in using the .net 2.0 login controls, because our
university already has some standard tools for authentication against
university-wide (non-Microsoft) LDAP.

What is the best practice approach for this? I've read various threads
on this forum about .ascx user controls. I think I want to override
page_load() -- is that correct? But the page_load() subroutine will
also often need to perform some page-specific tasks. Is there an
approach that uses master pages?

It seems like one of those cases where there are a hundred ways to do
something, but various ways may have some advantages or disadvantages.

Thanks for any helpful advice.

-- Ned