Can a web user be logged on as an account other than IUSR_?

steves

Hello,

We are developing a web application written in classic ASP, which will
end up running on Windows 2000 server.

The site has a public side (the login page and related images), and a
private side (a series of ASP scripts which check session variables to
make sure the current user has logged in before delivering their
content).

As part of the private side of the site, there are a number of images
and other documents (PDFs, Powerpoint presentations, CSS files etc.).
Although securing these is not vital, it would be nice if people who
hadn't logged in couldn't access them.

Although we can restrict non-authenticated users from accessing the ASP
scripts (with an If ... End If wrapper around the content), I can't see
an easy way of preventing access to non-ASP files.

Is there any way of using ASP so that a user (for the duration of their
session) uses an account other than IUSR_MachineName? If we could do
this, then the web folders containing the semi-private content could be
set up so that IUSR_MachineName doesn't have access.

Alternatively, does anyone have any suggestions on how to restrict
access to certain parts of a website using IIS/ASP.

Thanks,

Steve.
 
Thomas

just disable anonymous access (in iis management console) for the folder
containing the private files.

that should do the job: anonymous surfers will be presented with a login
box, while already authenticated ones can browse the files. of course this
only works when using windows authentication.

an interesting (and free) component in this case might be IISPassword
(http://www.troxo.com/products/iispassword/), which enables you to use a
unix-like .htaccess security system.

- thomas
 
Steve

Hello,

Thanks for your reply.

We are not using Windows authentication (this will be a website with
some 800 or so users), so we are using a method whereby the user logs
in using a form with their username and password (not a Windows user
account password), which is then checked in a database and a session
cookie created.

What I really want is a piece of code that will automatically (and
without intervention) log a website visitor in to the server under a
second account (e.g. authenticated_webuser) once they have successfully
been validated by my code.

We had thought of simply redirecting logged in users to
http://user:[email protected]/myscript.asp once they had successfully
logged in, where user and pass are a standard username and password for
all visitors who have logged in. However, http://user:pass no longer
seems to be supported (and was it ever supported in browsers other than
IE?). Nevertheless, it's a good illustration of what I'm trying to
achieve.

Thanks for the IISPassword tip. I looked at it, but I really need
something that can integrate security with session cookies.

Steve.
 
Tom Kaminski [MVP]

> Hello,
>
> We are developing a web application written in classic ASP, which will
> end up running on Windows 2000 server.
>
> The site has a public side (the login page and related images), and a
> private side (a series of ASP scripts which check session variables to
> make sure the current user has logged in before delivering their
> content).
>
> As part of the private side of the site, there are a number of images
> and other documents (PDFs, Powerpoint presentations, CSS files etc.).
> Although securing these is not vital, it would be nice if people who
> hadn't logged in couldn't access them.
>
> Although we can restrict non-authenticated users from accessing the ASP
> scripts (with an If ... End If wrapper around the content), I can't see
> an easy way of preventing access to non-ASP files.

Place the non-ASP files outside of the web root path and use an ASP page with
ADODB.Stream and Response.BinaryWrite to send them to the users after you
have verified their username and password. Use this example but send the
appropriate MIME type:
http://www.aspfaq.com/show.asp?id=2161
 
Joe Iano

It can be done with an ISAPI filter:
http://www.flicks.com/prod.htm#authnx

> Hello,
>
> Thanks for your reply.
>
> We are not using Windows authentication (this will be a website with
> some 800 or so users), so we are using a method whereby the user logs
> in using a form with their username and password (not a Windows user
> account password), which is then checked in a database and a session
> cookie created.
>
> What I really want is a piece of code that will automatically (and
> without intervention) log a website visitor in to the server under a
> second account (e.g. authenticated_webuser) once they have successfully
> been validated by my code.
>
> We had thought of simply redirecting logged in users to
> http://user:[email protected]/myscript.asp once they had successfully
> logged in, where user and pass are a standard username and password for
> all visitors who have logged in. However, http://user:pass no longer
> seems to be supported (and was it ever supported in browsers other than
> IE?). Nevertheless, it's a good illustration of what I'm trying to
> achieve.
>
> Thanks for the IISPassword tip. I looked at it, but I really need
> something that can integrate security with session cookies.
>
> Steve.
 
Steve

Thanks for your replies everyone.

I found another method which seems to work well too...

http://www.isapirewrite.com/

This is an ISAPI filter (the lite version of which is freeware) which
lets you rewrite URLs before they are passed to IIS.

So you can get it to dynamically change requests for:

mysite.com/private/images/foo.jpg

to

mysite.com/deliverfile.asp?file=images/foo.jpg

(for example)

I did a quick test, and it seems to work well. The config file allows
the use of regular expressions, so it's pretty powerful. Posting here
in case it's of use to others.

Steve.
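A gatekeeper page of the kind Tom describes, which also works as the deliverfile.asp target of Steve's rewrite rule, as an added example (not code from the thread, from aspfaq.com or from ISAPI_Rewrite). It assumes the private files live under D:\privatefiles outside the web root, that the login form sets Session("LoggedIn") = True after the database check, and that the rewrite maps /private/<path> to /deliverfile.asp?file=<path>; the file-name check is there so the page cannot be used to read files outside that directory.

```asp
<%@ Language=VBScript %>
<% Option Explicit
' deliverfile.asp (added example, not from the thread): serves a private file
' only to a visitor whose form login has already set Session("LoggedIn").
' Assumptions: files live in D:\privatefiles (outside the web root) and the
' rewrite maps /private/<path> to /deliverfile.asp?file=<path>.
Const PRIVATE_ROOT = "D:\privatefiles\"

' 1. Gate on the application's own session state, not on IUSR_ permissions.
If Session("LoggedIn") <> True Then
    Response.Status = "403 Forbidden"
    Response.Write "Please log in."
    Response.End
End If

' 2. Validate the requested name: a whitelist of characters, forward slashes
'    as the only separator and no "..", so the script cannot be pointed at
'    arbitrary files on the disk.
Dim fileName, re
fileName = Request.QueryString("file")
Set re = New RegExp
re.Pattern = "^[A-Za-z0-9_\-]+(/[A-Za-z0-9_\-]+)*\.(jpg|gif|png|pdf|ppt|css)$"
If Not re.Test(fileName) Then
    Response.Status = "404 Not Found"
    Response.End
End If

' 3. Map the extension to a MIME type so the browser renders it correctly.
Dim ext, mime
ext = LCase(Mid(fileName, InStrRev(fileName, ".") + 1))
Select Case ext
    Case "jpg": mime = "image/jpeg"
    Case "gif": mime = "image/gif"
    Case "png": mime = "image/png"
    Case "pdf": mime = "application/pdf"
    Case "ppt": mime = "application/vnd.ms-powerpoint"
    Case "css": mime = "text/css"
End Select

' 4. Stream the file with ADODB.Stream and Response.BinaryWrite.
Dim stm
Set stm = Server.CreateObject("ADODB.Stream")
stm.Type = 1            ' adTypeBinary
stm.Open
stm.LoadFromFile PRIVATE_ROOT & Replace(fileName, "/", "\")
Response.ContentType = mime
Response.AddHeader "Cache-Control", "private"
Response.BinaryWrite stm.Read
stm.Close
%>
```

Because the files sit outside the web root, IIS never serves them directly; every request has to pass the session check and the name check above first.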
 