Securing static files

  • Thread starter Jon Haakon Ariansen
  • Start date
J

Jon Haakon Ariansen

Hi,

In short my problem is securing static pages, so that unauthorized
(anonymous) people doesn't get access to these files. You'll find a
detailed description below.

I have a websolution that is made in Dotnet 2.0. The solution send the user
to a correct module based on the users credentials. The users credentials
are compared with username and password in MS SQL database which provide the
right path to where the user is going. Thus the solution uses Form
authentication to verify the user.
The desination after login is mostly static pages (htm/html) calling Flash
modules.

One of my problems (not the biggest) is that the user keeps getting throwed
out and have to log on again - several times. We need to get the application
to be more presistant when the user has logged on. I'm not sure why the user
have to log on all the time, but my guess is that when the user uses the
flash module, IIS is not aware that the user is still logged on and when the
user finally requests a new page there's been a timeout. In this case I have
to find a solution to make the user beeing loged in. I guess I can use a
cookie for this, but then I guess the user will always come to the same
module. The user has to be presented the login page on startup each time,
because the user might try another module.

My biggest problem is after associating aspnet_isapi.dll with htm/html in
IIS I'm not able to view
htm/html at all. I get "Page cannot be displayed", however some modules end
on ".asp" and these files show okey, though ASP is associated as well with
asp_isapi.dll.
I've tried to find a solution based on this article:
http://msdn.microsoft.com/msdnmag/issues/05/11/SecureWebApps/
but I'm not sure if it's the best for me.

Hope there is some who can help me with this.

Kind regards,

Jon Haakon
 
J

Jon Haakon Ariansen

Hello,

Thank you for very fast feedback.
I've read the page, but as you said - I have lot's of questions. I almost
don't know what to ask.. :]

If I insert in Web.config:

<httpHandlers>

<add path="*.htm" verb="*"

type="System.Web.HttpForbiddenHandler" validate="True" />

</httpHandlers>



then files with extention .htm will now be shown - correct?

But if the user's credentials is verified, do I have to do something to
allow the user to open htm files?



In advance thanks!



Jon Haakon
 
D

Dominick Baier [DevelopMentor]

the first thing is to register aspnet_isapi as Wildcard mapping - after that
_all_ files are treated like asp.net content - and authentication and authorization
settings apply.

Have you done that to this point?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hello,

Thank you for very fast feedback.
I've read the page, but as you said - I have lot's of questions. I
almost
don't know what to ask.. :]
If I insert in Web.config:

<httpHandlers>

<add path="*.htm" verb="*"

type="System.Web.HttpForbiddenHandler" validate="True" />

</httpHandlers>

then files with extention .htm will now be shown - correct?

But if the user's credentials is verified, do I have to do something
to allow the user to open htm files?

In advance thanks!

Jon Haakon

if it is IIS6 - i would recommed setting up a Wildcard handler

read here first - and if you have questions feel free to post

http://www.leastprivilege.com/ProtectingNonASPNETResourcesWithASPNET2
0.aspx
Click to expand...
Click to expand...
 
J

Jon Haakon Ariansen

Yes, I have done this.

Dominick Baier said:
the first thing is to register aspnet_isapi as Wildcard mapping - after
that _all_ files are treated like asp.net content - and authentication and
authorization settings apply.

Have you done that to this point?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hello,

Thank you for very fast feedback.
I've read the page, but as you said - I have lot's of questions. I
almost
don't know what to ask.. :]
If I insert in Web.config:

<httpHandlers>

<add path="*.htm" verb="*"

type="System.Web.HttpForbiddenHandler" validate="True" />

</httpHandlers>

then files with extention .htm will now be shown - correct?

But if the user's credentials is verified, do I have to do something
to allow the user to open htm files?

In advance thanks!

Jon Haakon

if it is IIS6 - i would recommed setting up a Wildcard handler

read here first - and if you have questions feel free to post

http://www.leastprivilege.com/ProtectingNonASPNETResourcesWithASPNET2
0.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi,

In short my problem is securing static pages, so that unauthorized
(anonymous) people doesn't get access to these files. You'll find a
detailed description below.

I have a websolution that is made in Dotnet 2.0. The solution send
the
user
to a correct module based on the users credentials. The users
credentials
are compared with username and password in MS SQL database which
provide the
right path to where the user is going. Thus the solution uses Form
authentication to verify the user.
The desination after login is mostly static pages (htm/html) calling
Flash
modules.
One of my problems (not the biggest) is that the user keeps getting
throwed out and have to log on again - several times. We need to get
the application to be more presistant when the user has logged on.
I'm
not sure why the user have to log on all the time, but my guess is
that when the user uses the flash module, IIS is not aware that the
user is still logged on and when the user finally requests a new
page
there's been a timeout. In this case I have to find a solution to
make
the user beeing loged in. I guess I can use a cookie for this, but
then I guess the user will always come to the same module. The user
has to be presented the login page on startup each time, because the
user might try another module.
My biggest problem is after associating aspnet_isapi.dll with
htm/html
in
IIS I'm not able to view
htm/html at all. I get "Page cannot be displayed", however some
modules end
on ".asp" and these files show okey, though ASP is associated as
well
with
asp_isapi.dll.
I've tried to find a solution based on this article:
http://msdn.microsoft.com/msdnmag/issues/05/11/SecureWebApps/
but I'm not sure if it's the best for me.
Hope there is some who can help me with this.
Kind regards,

Jon Haakon
Click to expand...
Click to expand...
Click to expand...
 
D

Dominick Baier [DevelopMentor]

ok -

you can now verify, e.g. by putting a breakpoint in Application_BeginRequest,
that asp.net handles all requests now.

This means that if a user tries to access a .htm file (or whatever) - he
will be redirected to the login page and he has to authenticate first.

Is that what you want?

ps. and btw - make sure you have unchecked the "verify that file exists"
box in the wildcard mapping dialog.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Yes, I have done this.

the first thing is to register aspnet_isapi as Wildcard mapping -
after that _all_ files are treated like asp.net content - and
authentication and authorization settings apply.

Have you done that to this point?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hello,

Thank you for very fast feedback.
I've read the page, but as you said - I have lot's of questions. I
almost
don't know what to ask.. :]
If I insert in Web.config:
<httpHandlers>

<add path="*.htm" verb="*"

type="System.Web.HttpForbiddenHandler" validate="True" />

</httpHandlers>

then files with extention .htm will now be shown - correct?

But if the user's credentials is verified, do I have to do something
to allow the user to open htm files?

In advance thanks!

Jon Haakon

"Dominick Baier [DevelopMentor]"

if it is IIS6 - i would recommed setting up a Wildcard handler

read here first - and if you have questions feel free to post

http://www.leastprivilege.com/ProtectingNonASPNETResourcesWithASPNE
T2 0.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi,

In short my problem is securing static pages, so that unauthorized
(anonymous) people doesn't get access to these files. You'll find
a detailed description below.

I have a websolution that is made in Dotnet 2.0. The solution send
the
user
to a correct module based on the users credentials. The users
credentials
are compared with username and password in MS SQL database which
provide the
right path to where the user is going. Thus the solution uses Form
authentication to verify the user.
The desination after login is mostly static pages (htm/html)
calling
Flash
modules.
One of my problems (not the biggest) is that the user keeps
getting
throwed out and have to log on again - several times. We need to
get
the application to be more presistant when the user has logged on.
I'm
not sure why the user have to log on all the time, but my guess is
that when the user uses the flash module, IIS is not aware that
the
user is still logged on and when the user finally requests a new
page
there's been a timeout. In this case I have to find a solution to
make
the user beeing loged in. I guess I can use a cookie for this, but
then I guess the user will always come to the same module. The
user
has to be presented the login page on startup each time, because
the
user might try another module.
My biggest problem is after associating aspnet_isapi.dll with
htm/html
in
IIS I'm not able to view
htm/html at all. I get "Page cannot be displayed", however some
modules end
on ".asp" and these files show okey, though ASP is associated as
well
with
asp_isapi.dll.
I've tried to find a solution based on this article:
http://msdn.microsoft.com/msdnmag/issues/05/11/SecureWebApps/
but I'm not sure if it's the best for me.
Hope there is some who can help me with this.
Kind regards,
Jon Haakon
Click to expand...
Click to expand...
Click to expand...
 
J

Jon Haakon Ariansen

Hi Dominick Baier,

Thank you very much for your tips! I really appreciate it!

It seems like I have found a solution to my problem now.
I've added:

<httpHandlers>
<add path="*.htm" verb="*" type="System.Web.StaticFileHandler" />
<add path="*.html" verb="*" type="System.Web.StaticFileHandler" />
<add path="*.asp" verb="*" type="System.Web.StaticFileHandler" />
</httpHandlers>

to web.config and I can access the html files.
But it depends how for how long I can access them. The html files calls on
flash files which runs client-side. When the enduser is logged in,
periodially
they are kicked back to the login page.
This might perhaps be caused by Session timeout. I'm not sure. Is there a
why to make the login period more persistant? But it can't be so persistant
that
the user is automatically logged in if the user has used the program before.
The user may log in with other credentials (username/password).

Thank you so much for your help Dominick!!

Kind regards,

Jon Haakon


Dominick Baier said:
ok -
you can now verify, e.g. by putting a breakpoint in
Application_BeginRequest, that asp.net handles all requests now.

This means that if a user tries to access a .htm file (or whatever) - he
will be redirected to the login page and he has to authenticate first.

Is that what you want?

ps. and btw - make sure you have unchecked the "verify that file exists"
box in the wildcard mapping dialog.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Yes, I have done this.

the first thing is to register aspnet_isapi as Wildcard mapping -
after that _all_ files are treated like asp.net content - and
authentication and authorization settings apply.

Have you done that to this point?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hello,

Thank you for very fast feedback.
I've read the page, but as you said - I have lot's of questions. I
almost
don't know what to ask.. :]
If I insert in Web.config:
<httpHandlers>

<add path="*.htm" verb="*"

type="System.Web.HttpForbiddenHandler" validate="True" />

</httpHandlers>

then files with extention .htm will now be shown - correct?

But if the user's credentials is verified, do I have to do something
to allow the user to open htm files?

In advance thanks!

Jon Haakon

"Dominick Baier [DevelopMentor]"

if it is IIS6 - i would recommed setting up a Wildcard handler

read here first - and if you have questions feel free to post

http://www.leastprivilege.com/ProtectingNonASPNETResourcesWithASPNE
T2 0.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi,

In short my problem is securing static pages, so that unauthorized
(anonymous) people doesn't get access to these files. You'll find
a detailed description below.

I have a websolution that is made in Dotnet 2.0. The solution send
the
user
to a correct module based on the users credentials. The users
credentials
are compared with username and password in MS SQL database which
provide the
right path to where the user is going. Thus the solution uses Form
authentication to verify the user.
The desination after login is mostly static pages (htm/html)
calling
Flash
modules.
One of my problems (not the biggest) is that the user keeps
getting
throwed out and have to log on again - several times. We need to
get
the application to be more presistant when the user has logged on.
I'm
not sure why the user have to log on all the time, but my guess is
that when the user uses the flash module, IIS is not aware that
the
user is still logged on and when the user finally requests a new
page
there's been a timeout. In this case I have to find a solution to
make
the user beeing loged in. I guess I can use a cookie for this, but
then I guess the user will always come to the same module. The
user
has to be presented the login page on startup each time, because
the
user might try another module.
My biggest problem is after associating aspnet_isapi.dll with
htm/html
in
IIS I'm not able to view
htm/html at all. I get "Page cannot be displayed", however some
modules end
on ".asp" and these files show okey, though ASP is associated as
well
with
asp_isapi.dll.
I've tried to find a solution based on this article:
http://msdn.microsoft.com/msdnmag/issues/05/11/SecureWebApps/
but I'm not sure if it's the best for me.
Hope there is some who can help me with this.
Kind regards,
Jon Haakon
Click to expand...
Click to expand...
Click to expand...
 
D

Dominick Baier [DevelopMentor]

why did you have to add the handlers to web.config? should also work without
them.

It's not the session - it's the authentication timeout - you can set the
timeout in the <forms> element in web.config.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi Dominick Baier,

Thank you very much for your tips! I really appreciate it!

It seems like I have found a solution to my problem now. I've added:

<httpHandlers>
<add path="*.htm" verb="*" type="System.Web.StaticFileHandler" />
<add path="*.html" verb="*" type="System.Web.StaticFileHandler" />
<add path="*.asp" verb="*" type="System.Web.StaticFileHandler" />
</httpHandlers>
to web.config and I can access the html files.
But it depends how for how long I can access them. The html files
calls on
flash files which runs client-side. When the enduser is logged in,
periodially
they are kicked back to the login page.
This might perhaps be caused by Session timeout. I'm not sure. Is
there a
why to make the login period more persistant? But it can't be so
persistant
that
the user is automatically logged in if the user has used the program
before.
The user may log in with other credentials (username/password).
Thank you so much for your help Dominick!!

Kind regards,

Jon Haakon

ok -
you can now verify, e.g. by putting a breakpoint in
Application_BeginRequest, that asp.net handles all requests now.
This means that if a user tries to access a .htm file (or whatever) -
he will be redirected to the login page and he has to authenticate
first.

Is that what you want?

ps. and btw - make sure you have unchecked the "verify that file
exists" box in the wildcard mapping dialog.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Yes, I have done this.

"Dominick Baier [DevelopMentor]"

the first thing is to register aspnet_isapi as Wildcard mapping -
after that _all_ files are treated like asp.net content - and
authentication and authorization settings apply.

Have you done that to this point?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hello,

Thank you for very fast feedback.
I've read the page, but as you said - I have lot's of questions. I
almost
don't know what to ask.. :]
If I insert in Web.config:
<httpHandlers>
<add path="*.htm" verb="*"

type="System.Web.HttpForbiddenHandler" validate="True" />

</httpHandlers>

then files with extention .htm will now be shown - correct?

But if the user's credentials is verified, do I have to do
something to allow the user to open htm files?

In advance thanks!

Jon Haakon

"Dominick Baier [DevelopMentor]"

if it is IIS6 - i would recommed setting up a Wildcard handler

read here first - and if you have questions feel free to post

http://www.leastprivilege.com/ProtectingNonASPNETResourcesWithASP
NE T2 0.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi,

In short my problem is securing static pages, so that
unauthorized (anonymous) people doesn't get access to these
files. You'll find a detailed description below.

I have a websolution that is made in Dotnet 2.0. The solution
send
the
user
to a correct module based on the users credentials. The users
credentials
are compared with username and password in MS SQL database which
provide the
right path to where the user is going. Thus the solution uses
Form
authentication to verify the user.
The desination after login is mostly static pages (htm/html)
calling
Flash
modules.
One of my problems (not the biggest) is that the user keeps
getting
throwed out and have to log on again - several times. We need to
get
the application to be more presistant when the user has logged
on.
I'm
not sure why the user have to log on all the time, but my guess
is
that when the user uses the flash module, IIS is not aware that
the
user is still logged on and when the user finally requests a new
page
there's been a timeout. In this case I have to find a solution
to
make
the user beeing loged in. I guess I can use a cookie for this,
but
then I guess the user will always come to the same module. The
user
has to be presented the login page on startup each time, because
the
user might try another module.
My biggest problem is after associating aspnet_isapi.dll with
htm/html
in
IIS I'm not able to view
htm/html at all. I get "Page cannot be displayed", however some
modules end
on ".asp" and these files show okey, though ASP is associated as
well
with
asp_isapi.dll.
I've tried to find a solution based on this article:
http://msdn.microsoft.com/msdnmag/issues/05/11/SecureWebApps/
but I'm not sure if it's the best for me.
Hope there is some who can help me with this.
Kind regards,
Jon Haakon
Click to expand...
Click to expand...
Click to expand...
 
J

Jon Haakon Ariansen

Well, that was what it took to make the solution work.
I got a tips:
http://support.microsoft.com/?kbid=909641

You mentioned that I could make a breakpoint in Application_BeginRequest.
From what I have found out it is restricted access to variables here. I
don't think session variables work here. Therefore the other solution seemed
like a better solution.

Thanks for your tip!

Jon Haakon

Dominick Baier said:
why did you have to add the handlers to web.config? should also work
without them.

It's not the session - it's the authentication timeout - you can set the
timeout in the <forms> element in web.config.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi Dominick Baier,

Thank you very much for your tips! I really appreciate it!

It seems like I have found a solution to my problem now. I've added:

<httpHandlers>
<add path="*.htm" verb="*" type="System.Web.StaticFileHandler" />
<add path="*.html" verb="*" type="System.Web.StaticFileHandler" />
<add path="*.asp" verb="*" type="System.Web.StaticFileHandler" />
</httpHandlers>
to web.config and I can access the html files.
But it depends how for how long I can access them. The html files
calls on
flash files which runs client-side. When the enduser is logged in,
periodially
they are kicked back to the login page.
This might perhaps be caused by Session timeout. I'm not sure. Is
there a
why to make the login period more persistant? But it can't be so
persistant
that
the user is automatically logged in if the user has used the program
before.
The user may log in with other credentials (username/password).
Thank you so much for your help Dominick!!

Kind regards,

Jon Haakon

ok -
you can now verify, e.g. by putting a breakpoint in
Application_BeginRequest, that asp.net handles all requests now.
This means that if a user tries to access a .htm file (or whatever) -
he will be redirected to the login page and he has to authenticate
first.

Is that what you want?

ps. and btw - make sure you have unchecked the "verify that file
exists" box in the wildcard mapping dialog.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Yes, I have done this.

"Dominick Baier [DevelopMentor]"

the first thing is to register aspnet_isapi as Wildcard mapping -
after that _all_ files are treated like asp.net content - and
authentication and authorization settings apply.

Have you done that to this point?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hello,

Thank you for very fast feedback.
I've read the page, but as you said - I have lot's of questions. I
almost
don't know what to ask.. :]
If I insert in Web.config:
<httpHandlers>
<add path="*.htm" verb="*"

type="System.Web.HttpForbiddenHandler" validate="True" />

</httpHandlers>

then files with extention .htm will now be shown - correct?

But if the user's credentials is verified, do I have to do
something to allow the user to open htm files?

In advance thanks!

Jon Haakon

"Dominick Baier [DevelopMentor]"

if it is IIS6 - i would recommed setting up a Wildcard handler

read here first - and if you have questions feel free to post

http://www.leastprivilege.com/ProtectingNonASPNETResourcesWithASP
NE T2 0.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi,

In short my problem is securing static pages, so that
unauthorized (anonymous) people doesn't get access to these
files. You'll find a detailed description below.

I have a websolution that is made in Dotnet 2.0. The solution
send
the
user
to a correct module based on the users credentials. The users
credentials
are compared with username and password in MS SQL database which
provide the
right path to where the user is going. Thus the solution uses
Form
authentication to verify the user.
The desination after login is mostly static pages (htm/html)
calling
Flash
modules.
One of my problems (not the biggest) is that the user keeps
getting
throwed out and have to log on again - several times. We need to
get
the application to be more presistant when the user has logged
on.
I'm
not sure why the user have to log on all the time, but my guess
is
that when the user uses the flash module, IIS is not aware that
the
user is still logged on and when the user finally requests a new
page
there's been a timeout. In this case I have to find a solution
to
make
the user beeing loged in. I guess I can use a cookie for this,
but
then I guess the user will always come to the same module. The
user
has to be presented the login page on startup each time, because
the
user might try another module.
My biggest problem is after associating aspnet_isapi.dll with
htm/html
in
IIS I'm not able to view
htm/html at all. I get "Page cannot be displayed", however some
modules end
on ".asp" and these files show okey, though ASP is associated as
well
with
asp_isapi.dll.
I've tried to find a solution based on this article:
http://msdn.microsoft.com/msdnmag/issues/05/11/SecureWebApps/
but I'm not sure if it's the best for me.
Hope there is some who can help me with this.
Kind regards,
Jon Haakon
Click to expand...
Click to expand...
Click to expand...
 
D

Dominick Baier [DevelopMentor]

Not sure if i understand that - but if it works for you - thats fine.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Well, that was what it took to make the solution work. I got a tips:
http://support.microsoft.com/?kbid=909641

You mentioned that I could make a breakpoint in
Application_BeginRequest. From what I have found out it is restricted
access to variables here. I don't think session variables work here.
Therefore the other solution seemed like a better solution.

Thanks for your tip!

Jon Haakon

why did you have to add the handlers to web.config? should also work
without them.

It's not the session - it's the authentication timeout - you can set
the timeout in the <forms> element in web.config.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi Dominick Baier,

Thank you very much for your tips! I really appreciate it!

It seems like I have found a solution to my problem now. I've added:

<httpHandlers>
<add path="*.htm" verb="*" type="System.Web.StaticFileHandler" />
<add path="*.html" verb="*" type="System.Web.StaticFileHandler" />
<add path="*.asp" verb="*" type="System.Web.StaticFileHandler" />
</httpHandlers>
to web.config and I can access the html files.
But it depends how for how long I can access them. The html files
calls on
flash files which runs client-side. When the enduser is logged in,
periodially
they are kicked back to the login page.
This might perhaps be caused by Session timeout. I'm not sure. Is
there a
why to make the login period more persistant? But it can't be so
persistant
that
the user is automatically logged in if the user has used the program
before.
The user may log in with other credentials (username/password).
Thank you so much for your help Dominick!!
Kind regards,

Jon Haakon

"Dominick Baier [DevelopMentor]"

ok -
you can now verify, e.g. by putting a breakpoint in
Application_BeginRequest, that asp.net handles all requests now.
This means that if a user tries to access a .htm file (or whatever)
-
he will be redirected to the login page and he has to authenticate
first.
Is that what you want?

ps. and btw - make sure you have unchecked the "verify that file
exists" box in the wildcard mapping dialog.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Yes, I have done this.

"Dominick Baier [DevelopMentor]"

the first thing is to register aspnet_isapi as Wildcard mapping -
after that _all_ files are treated like asp.net content - and
authentication and authorization settings apply.

Have you done that to this point?

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hello,

Thank you for very fast feedback.
I've read the page, but as you said - I have lot's of questions.
I
almost
don't know what to ask.. :]
If I insert in Web.config:
<httpHandlers>
<add path="*.htm" verb="*"
type="System.Web.HttpForbiddenHandler" validate="True" />

</httpHandlers>

then files with extention .htm will now be shown - correct?

But if the user's credentials is verified, do I have to do
something to allow the user to open htm files?

In advance thanks!

Jon Haakon

"Dominick Baier [DevelopMentor]"

if it is IIS6 - i would recommed setting up a Wildcard handler

read here first - and if you have questions feel free to post

http://www.leastprivilege.com/ProtectingNonASPNETResourcesWithA
SP NE T2 0.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi,

In short my problem is securing static pages, so that
unauthorized (anonymous) people doesn't get access to these
files. You'll find a detailed description below.

I have a websolution that is made in Dotnet 2.0. The solution
send
the
user
to a correct module based on the users credentials. The users
credentials
are compared with username and password in MS SQL database
which
provide the
right path to where the user is going. Thus the solution uses
Form
authentication to verify the user.
The desination after login is mostly static pages (htm/html)
calling
Flash
modules.
One of my problems (not the biggest) is that the user keeps
getting
throwed out and have to log on again - several times. We need
to
get
the application to be more presistant when the user has logged
on.
I'm
not sure why the user have to log on all the time, but my
guess
is
that when the user uses the flash module, IIS is not aware
that
the
user is still logged on and when the user finally requests a
new
page
there's been a timeout. In this case I have to find a solution
to
make
the user beeing loged in. I guess I can use a cookie for this,
but
then I guess the user will always come to the same module. The
user
has to be presented the login page on startup each time,
because
the
user might try another module.
My biggest problem is after associating aspnet_isapi.dll with
htm/html
in
IIS I'm not able to view
htm/html at all. I get "Page cannot be displayed", however
some
modules end
on ".asp" and these files show okey, though ASP is associated
as
well
with
asp_isapi.dll.
I've tried to find a solution based on this article:
http://msdn.microsoft.com/msdnmag/issues/05/11/SecureWebApps/
but I'm not sure if it's the best for me.
Hope there is some who can help me with this.
Kind regards,
Jon Haakon
Click to expand...
Click to expand...
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Static code analysis tool 0
How to Convert Apple Mail MBOX Files to Outlook MSG? 4
Securing files 2
How do I Exchange MBOX Files in PST format? 3
Securing TableAdapters/xds files 0
Securing web.config appSettings - *** warning - long post *** 0
UploadRAR.com Remote File Copy - Copy files from other UploadRAR users 0
'securing' cookies/login info 5

Members online

Total: 70 (members: 3, guests: 67)
Robots: 488

Forum statistics

Threads
473,995
Messages
2,570,226
Members
46,815
Latest member
treekmostly22

Latest Threads

Top