securing pages without windows login

[Dan August]

Hi all,

Does anyone know of a way to, programmatically with script at the server,
reset the current user's security context from the IUSR_ account to a
different one? Ideally, what we'd do is anyone who is already logged in as
a customer through our ASP page login (setting customer-specific session
variables), we'd programmatically impersonate them as a different windows
account (switching them from the anonymous IIS account they start off as).
Bottom line is that we don't want them to have to login a 2nd time to get to
these new pages.

We've got other non-asp files that I cannot simply put behind an ASP-based
login, which is why we need to lock the directory down behind Windows
security.

Any thoughts would be appreciated! thanks,

Dan

 

[Mark Schupp]

http://support.microsoft.com/default.aspx?scid=kb;en-us;248187

 

[Dan]

thanks, exactly what I was looking for .. I thought I had exhausted the MS
knowledge base, but you've proven me wrong

Dan

 

[Tom Kaminski [MVP]]

thanks, exactly what I was looking for .. I thought I had exhausted the MS
knowledge base, but you've proven me wrong

That will change the security context of the ASP page but I'm not sure it
will handle the non-asp files.

To protect the static files, place them outside of your root path and use an
ASP with ADODB.Stream and Response.BinaryWrite (or appropriate text file
methods) to serve the files to the user after they've passed your ASP
authentication scheme.

http://support.microsoft.com/support/kb/articles/q276/4/88.asp