I have used ASP.NET membership for some time, but this time, due to certain requirements, we can't use ASP.NET membership. So I have to implement a simple login system where we have to validate users and give them access to website sections, and on the other side also block access to certain folders, so that only logged-in users can access the contents of these folders.
Block access to the following folders:
/English/
/French/
/Images/
Users should be able to access the contents of these folders only if they are logged in. I am setting a simple session variable when the user logs in successfully. Let us say Session["UserLoggedIn"] = true.
With ASP.NET membership we can block access to folders from web.config. But I am not sure how I can do it with a custom login.
Any pointer in this regard would be helpful.
I'm not too sure if this will work for you, but I have done something similar to this in the past (see user Isaac's answer for a bit of guidance): Securing a web folder without membership roles defined
Basically, upon the login event you could assign the session a variable of "English" or "French" (note I'm not in VS right now, so my code might be roughly what you're looking for):
protected void OnLogin()
{
    if (UserIsAuthenticated)
    {
        Session["English"] = true;
    }
}
and then in the Global.asax file you should be able to reference that variable if the user is authenticated:
void Application_PostAcquireRequestState(object sender, EventArgs e)
{
    // Session is still null in Application_BeginRequest; it is available once AcquireRequestState has run.
    if (Request.PhysicalPath.Contains("English"))
    {
        object flag = Session == null ? null : Session["English"];
        if (!(flag is bool && (bool)flag))
        {
            // Not "English" user - redirect to login or unauthorized page
            Response.Redirect("~/Login.aspx"); // placeholder page name
        }
    }
}
Again, my code is mostly taken from the link I gave you, if that doesn't work I can fish around some of my projects to see exactly what I've done in the past.
Additionally, you could use Visual Studio 2012 and the ASP.NET Web Configuration Tool and try to work your user database into working with it. I've seen people do it; it is a bit complicated because you have to code a bit in the web.config file, but it is more likely secure, I am guessing. This MSDN article might help some as well: http://www.asp.net/web-api/overview/security/external-authentication-services.
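The folder check above can be written as an HTTP module, which keeps it out of Global.asax and also covers the static files in /Images/. This is an added example, not code from the answer or the linked post. It uses the Session["UserLoggedIn"] flag from the question and assumes the IIS integrated pipeline (so image requests reach managed modules) and a login page at ~/Login.aspx; both the session-behaviour call and the event choice matter, because Session is null in BeginRequest and static files get no session unless you ask for one.

```csharp
using System;
using System.Web;
using System.Web.SessionState;

// Added example (not the answer's code): an IHttpModule that guards the three folders
// from the question using the Session["UserLoggedIn"] flag the asker sets on login.
// Assumptions: IIS integrated pipeline with runAllManagedModulesForAllRequests="true"
// so that image requests reach managed modules, and a login page at ~/Login.aspx.
//
// Registration (web.config):
//   <system.webServer>
//     <modules runAllManagedModulesForAllRequests="true">
//       <add name="ProtectedFolderModule" type="ProtectedFolderModule" />
//     </modules>
//   </system.webServer>
public class ProtectedFolderModule : IHttpModule
{
    private static readonly string[] ProtectedPrefixes = { "~/English/", "~/French/", "~/Images/" };
    private const string LoginPage = "~/Login.aspx"; // assumed location

    public void Init(HttpApplication app)
    {
        // Static files (images) get no session by default; opt the protected ones in early,
        // before AcquireRequestState runs, so that the check below can see the session.
        app.BeginRequest += (s, e) =>
        {
            HttpContext ctx = ((HttpApplication)s).Context;
            if (IsProtectedPath(ctx.Request.AppRelativeCurrentExecutionFilePath))
                ctx.SetSessionStateBehavior(SessionStateBehavior.Required);
        };

        // Session is null in BeginRequest; it is populated by the time this event fires.
        app.PostAcquireRequestState += (s, e) => Enforce(((HttpApplication)s).Context);
    }

    public void Dispose() { }

    private static void Enforce(HttpContext ctx)
    {
        if (!IsProtectedPath(ctx.Request.AppRelativeCurrentExecutionFilePath)) return;

        object flag = ctx.Session == null ? null : ctx.Session["UserLoggedIn"];
        if (flag is bool && (bool)flag) return; // logged in: let the request through

        // Not logged in (or no session at all): send to the login page; endResponse stops the pipeline.
        ctx.Response.Redirect(LoginPage, true);
    }

    // Prefix match on the app-relative path rather than Contains("English"), so that
    // /EnglishPublic/ or /help/English.pdf are not caught by accident.
    public static bool IsProtectedPath(string appRelativePath)
    {
        foreach (string prefix in ProtectedPrefixes)
            if (appRelativePath.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }
}
```

One consequence worth checking before deploying: anything the login page itself references from /Images/ will now redirect too, so keep the login page's own assets in an unprotected folder.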
Rewritten my previous question without confusing code samples.
This is what I'm trying to achieve (or have done so far):
I created a web application to be viewed at www.myschool.com
I want to use subdomains so different schools can log in to their personal school database (no central DB)
I have 2 subfolders in my web application, "school1" and "school2"
When a school visits www.myschool.com/school1 it should load the web application in the root folder using the connection string provided in the web.config from its subfolder (school1 has a web.config, school2 has a web.config)
When www.myschool.com is entered (no subdomain) it should show the database "school1" as default
The databases are SQL Server databases and I use EF with the .edmx file "SchoolModel", which contains the entity model for the individual school databases; those have equal tables, fields, ... .
What currently happens:
When visiting www.myschool.com it shows the application with the database from the default school1
When entering www.myschool.com/school1 it just shows HTTP Error 403.14 - Forbidden, because that folder only contains a web.config with another connection string for that specific school.
In the end a school (school1 or school2) should be able to enter school1.myschool.com or school2.myschool.com to view the web application loaded with the content of its personal database.
Using a central database to serve both is not an option in this particular application.
Thanks for helping me set this up.
Our team is just working on a project for an automation system. We use ASP.NET technology. Here is my question:
We have some users that can access some official letters in a directory. For example, here is a link: 192.168.1.1/home/Documents/1/Example.DOC
Each user has their own user name and password and they are on the local office network. If a user can use the link above, he can copy and paste it into a browser and access the files. We need some solution that denies users direct access to files on our server, so our application should get the file from the directory and return it as a new link to the user, so if the user copies/pastes it again he cannot get the file because the virtual link has absolute. What solution do you recommend? Thanks all.
Use a handler (.ashx) to return the file. The handler can check if the user has permission for the file. If the file should be downloaded only once, a lazy method (without some file ticket system) is to limit download availability to just a few minutes, i.e. make a redirect to the .ashx from your page and add a symmetrically encrypted timestamp:
Response.Redirect("/GetFile.ashx?Timestamp=[Symmetrically Encrypted Current Date and Time]&FileName=Example.doc");
And in the handler, check that the timestamp is valid (not older than a few minutes) and serve the file.
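Here is what such a handler can look like, as an added example that is not part of the answer above. It swaps the "symmetrically encrypted timestamp" for an HMAC over the user name, file name and expiry: encryption alone does not stop a client from flipping bits in the timestamp, while a MAC does, and binding the link to the logged-in user means a copied URL is useless in someone else's session. The file location (~/App_Data/Documents), the Session["UserName"] key and the signing-key placeholder are assumptions; the page that issues the link is expected to have already decided that this user may read this file.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.SessionState;

// Added example, not the answer's code. An .ashx handler serving one file behind a short-lived,
// signed link. The answer's "symmetrically encrypted timestamp" is replaced by an HMAC over
// (user, file name, expiry): the client may read the expiry, but cannot alter it without the key.
// The .ashx file itself holds only: <%@ WebHandler Language="C#" Class="GetFileHandler" %>
// Assumptions: documents live under ~/App_Data/Documents, login stores the user name in
// Session["UserName"], and the page that issues the link has already checked that this
// user may read this file (the signature binds the link to that user).
public class GetFileHandler : IHttpHandler, IReadOnlySessionState
{
    // Placeholder: in practice a random key loaded from configuration, never a literal in source.
    private static readonly byte[] SigningKey = Encoding.UTF8.GetBytes("REPLACE-WITH-RANDOM-KEY-FROM-CONFIG");
    private static readonly TimeSpan LinkLifetime = TimeSpan.FromMinutes(3);
    private const string DocumentRoot = "~/App_Data/Documents"; // assumed location

    public bool IsReusable { get { return true; } }

    // Used by the issuing page: Response.Redirect(GetFileHandler.BuildLink("Example.doc", user, DateTime.UtcNow));
    public static string BuildLink(string fileName, string userName, DateTime nowUtc)
    {
        long exp = ToUnix(nowUtc.Add(LinkLifetime));
        return "/GetFile.ashx?f=" + HttpUtility.UrlEncode(fileName) + "&exp=" + exp
             + "&sig=" + Sign(fileName, userName, exp);
    }

    public void ProcessRequest(HttpContext context)
    {
        string user = context.Session["UserName"] as string;
        string fileName = Path.GetFileName(context.Request.QueryString["f"] ?? string.Empty); // drops any directory part
        long exp;
        if (user == null
            || fileName.Length == 0
            || fileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || !long.TryParse(context.Request.QueryString["exp"], out exp)
            || !IsValid(fileName, user, exp, context.Request.QueryString["sig"], DateTime.UtcNow))
        {
            context.Response.StatusCode = 403; // not logged in, expired, tampered, or issued to another user
            return;
        }

        string fullPath = Path.Combine(context.Server.MapPath(DocumentRoot), fileName);
        if (!File.Exists(fullPath)) { context.Response.StatusCode = 404; return; }

        context.Response.ContentType = "application/octet-stream";
        context.Response.AppendHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\"");
        context.Response.TransmitFile(fullPath);
    }

    // True only if the link has not expired and the signature matches this user, file and expiry.
    public static bool IsValid(string fileName, string user, long exp, string sig, DateTime nowUtc)
    {
        if (sig == null || exp < ToUnix(nowUtc)) return false;
        return FixedTimeEquals(Sign(fileName, user, exp), sig);
    }

    private static string Sign(string fileName, string user, long exp)
    {
        using (var hmac = new HMACSHA256(SigningKey))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(user + "\n" + fileName + "\n" + exp));
            return BitConverter.ToString(mac).Replace("-", string.Empty); // hex: safe in a query string
        }
    }

    // Compares every character so that timing does not leak how much of the signature matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static long ToUnix(DateTime utc)
    {
        return (long)(utc - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
    }
}
```

The documents sit under App_Data on purpose: ASP.NET refuses to serve that folder directly, so the handler is the only route to them and the original "copy the link into the browser" path disappears.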
I've had a login I have used so far to log in while opening a C# solution.
For some time, suddenly VS hasn't asked me for my user credentials, and later I discovered
that I am under the "Admin" account when checking in the files ...
I have no idea how I could change the user name back to my previous one ...
Can anyone give me a hint how I could do it?
Thanks
Check in all files that you checked out using the Admin account. Then go to File / Source Control / Change Source Control and unbind the project.
After unbinding, bind the project again. While binding, VS asks you for the VSS user name.
I already have a User table in my primary application database with an email address (which will act as the user name) and a password. I would like to authenticate using my database instead of the default authentication database (ASPNETDB).
Questions:
Is this a bad idea? Is it a huge can of worms to use my own DB for authentication?
How much work am I adding by doing this? I already have code for hashing the password and a query that will check if the email and password match the DB. So, I wouldn't be starting from scratch.
What would I need to do to use my database instead of ASPNETDB? I'm hoping this can be described in a few simple steps, but if not, could you point me to a good source?
Update
I'm still looking for a little more detail here on my third question. Do I need to write my own MembershipProvider? What changes do I need to make to my web.config file? Will the [Authorize] attribute still work if I write my own solution? Can I use the automatically-generated AccountController with some minor modifications or do I basically need to rewrite the account controller from scratch?
It's quite simple: you need to derive from MembershipProvider and implement the ValidateUser method. Take a look at this post. I'm using a custom membership provider with Postgres and MVC just fine.
I'll answer your updated questions:
Do I need to write my own MembershipProvider?
If you (a) want to continue using Forms Authentication, and (b) have an authorization table structure that doesn't follow the same conventions as the ASPNETDB, then yes. If you don't need FormsAuth (see below), then you can do away with the MembershipProvider entirely, but I wouldn't recommend it. Or, if you're using the exact same security tables as ASPNETDB but just want to point it to a different database, you can continue using the default provider and simply change its configuration.
What changes do I need to make to my web.config file?
If you are using your own custom MembershipProvider, then you need to register it in the <providers> section of the <membership> element and change the defaultProvider property. If you are using the standard AspNetSqlProvider then you probably just need to change the connection string.
Will the [Authorize] attribute still work if I write my own solution?
Yes, if you stick to Forms Authentication (either use the AspNetSqlProvider or write and register your own membership provider). No, if you abandon Forms Authentication (again, not recommended).
Can I use the automatically-generated AccountController with some minor modifications or do I basically need to rewrite the account controller from scratch?
You should rewrite the AccountController anyway - don't leave demo code in a production app. But if you must - yes, the AccountController will work under the same conditions as above.
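The two answers above (derive from MembershipProvider and implement ValidateUser; register it under <membership> and change defaultProvider) fit into one class. The following is an added example, not code from either answer, and it assumes a User table with Email, PasswordHash and PasswordSalt columns hashed with PBKDF2 (Rfc2898DeriveBytes); the asker already has hashing code, so VerifyPassword is the part to swap for it. Everything other than ValidateUser is declined, which is all Forms Authentication and [Authorize] need.

```csharp
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;

// Added example, not the answers' code. A minimal MembershipProvider over the asker's own
// User table. Assumed schema: Email, PasswordHash (varbinary), PasswordSalt (varbinary),
// hashed with PBKDF2; replace VerifyPassword with whatever produced the stored hashes.
//
// web.config changes the second answer describes (assumed names):
//   <connectionStrings>
//     <add name="AppDb" connectionString="..." providerName="System.Data.SqlClient" />
//   </connectionStrings>
//   <system.web>
//     <authentication mode="Forms"><forms loginUrl="~/Account/LogOn" /></authentication>
//     <membership defaultProvider="UserTableProvider">
//       <providers>
//         <clear />
//         <add name="UserTableProvider" type="UserTableMembershipProvider, YourAssemblyName"
//              connectionStringName="AppDb" />
//       </providers>
//     </membership>
//   </system.web>
public class UserTableMembershipProvider : MembershipProvider
{
    private const int Pbkdf2Iterations = 100000; // assumed; must match what produced the stored hashes
    private string _connectionString;

    public override void Initialize(string name, NameValueCollection config)
    {
        base.Initialize(name, config);
        string csName = config["connectionStringName"]; // attribute on the <add> element above
        ConnectionStringSettings cs = ConfigurationManager.ConnectionStrings[csName];
        if (cs == null) throw new ConfigurationErrorsException("connectionStringName '" + csName + "' not found");
        _connectionString = cs.ConnectionString;
    }

    public override bool ValidateUser(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return false;

        byte[] storedHash, salt;
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand("SELECT PasswordHash, PasswordSalt FROM [User] WHERE Email = @email", conn))
        {
            cmd.Parameters.AddWithValue("@email", username); // parameterised: the e-mail is untrusted input
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false;           // unknown user: same answer as a wrong password
                storedHash = (byte[])reader[0];
                salt = (byte[])reader[1];
            }
        }
        return VerifyPassword(password, salt, storedHash);
    }

    public static bool VerifyPassword(string password, byte[] salt, byte[] storedHash)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations))
        {
            byte[] candidate = kdf.GetBytes(storedHash.Length);
            int diff = 0;                                     // constant-time comparison
            for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ storedHash[i];
            return diff == 0;
        }
    }

    // Remaining abstract members: declined, since this application manages its users itself.
    public override string ApplicationName { get; set; }
    public override bool EnablePasswordReset { get { return false; } }
    public override bool EnablePasswordRetrieval { get { return false; } }
    public override bool RequiresQuestionAndAnswer { get { return false; } }
    public override bool RequiresUniqueEmail { get { return true; } }
    public override int MaxInvalidPasswordAttempts { get { return 5; } }
    public override int PasswordAttemptWindow { get { return 10; } }
    public override int MinRequiredPasswordLength { get { return 8; } }
    public override int MinRequiredNonAlphanumericCharacters { get { return 0; } }
    public override string PasswordStrengthRegularExpression { get { return string.Empty; } }
    public override MembershipPasswordFormat PasswordFormat { get { return MembershipPasswordFormat.Hashed; } }
    public override bool ChangePassword(string u, string o, string n) { throw new NotSupportedException(); }
    public override bool ChangePasswordQuestionAndAnswer(string u, string p, string q, string a) { throw new NotSupportedException(); }
    public override MembershipUser CreateUser(string u, string p, string e, string q, string a, bool approved, object key, out MembershipCreateStatus status) { throw new NotSupportedException(); }
    public override bool DeleteUser(string u, bool deleteAllRelatedData) { throw new NotSupportedException(); }
    public override MembershipUserCollection FindUsersByEmail(string e, int pageIndex, int pageSize, out int total) { throw new NotSupportedException(); }
    public override MembershipUserCollection FindUsersByName(string n, int pageIndex, int pageSize, out int total) { throw new NotSupportedException(); }
    public override MembershipUserCollection GetAllUsers(int pageIndex, int pageSize, out int total) { throw new NotSupportedException(); }
    public override int GetNumberOfUsersOnline() { throw new NotSupportedException(); }
    public override string GetPassword(string u, string a) { throw new NotSupportedException(); }
    public override MembershipUser GetUser(string u, bool userIsOnline) { throw new NotSupportedException(); }
    public override MembershipUser GetUser(object key, bool userIsOnline) { throw new NotSupportedException(); }
    public override string GetUserNameByEmail(string email) { return email; } // the e-mail address is the user name
    public override string ResetPassword(string u, string a) { throw new NotSupportedException(); }
    public override bool UnlockUser(string u) { throw new NotSupportedException(); }
    public override void UpdateUser(MembershipUser user) { throw new NotSupportedException(); }
}
```

With this registered, the stock AccountController's call to Membership.ValidateUser(model.UserName, model.Password) lands in ValidateUser above, and [Authorize] keeps working because the forms cookie is still issued by FormsAuthentication.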
No. And I would suspect most people do not trust that cruddy mechanism.
Not much at all, especially since you have the table already.
Take a look at this for example: http://forums.asp.net/t/1250726.aspx
Hi,
Just follow these simple steps:
First, you can delete the .mdf file in the App_Data folder, since we don't need any of these tables. Then, we need to update the default connection string in the web.config to point to our database.
<connectionStrings>
  <add name="DefaultConnection" connectionString="Data Source=SERVER\INSTANCENAME;Initial Catalog=DBNAME;Integrated Security=True" providerName="System.Data.SqlClient" />
</connectionStrings>
Third, open the NuGet Package Manager and write the following commands:
Enable-Migrations
Add-Migration Init
Update-Database
Check out your database: all ASP.NET membership tables with the prefix Asp have been created, and then you can test it out by running your application and executing membership actions such as signing up or signing in to your application.
Tables created after running the above commands:
AspNetRoles
AspNetUserClaims
AspNetUserLogins
AspNetUserRoles
AspNetUsers
__MigrationHistory
Source : https://blogs.msmvps.com/marafa/2014/06/13/how-to-create-asp-net-mvc-authentication-tables-in-an-existing-database/
We're doing exactly this in one of our applications, and find it quite simple. We have an authentication service (called from the controller) that handles the mechanics of hashing the entered password to see if it is a match, then simply returns a bool for a method we call "IsValidLogon".
In our case, the purpose was to keep the management of what should be a pretty trivial task as lightweight as possible.
We basically ignored ASPNETDB entirely. If we get a valid response from our user/password check, we simply call the standard FormsAuthentication.RedirectFromLoginPage(username, createCookieBool);
Hope that helps.
just building the same, so answer to 1 must be NO :)
I'm using the standard ASP.NET forms authentication, where I use the FormsAuthentication.RedirectFromLoginPage(username, createCookieBool) method to log a user in.
I gave a user a unique GUID (you can use any other user id) and I'm storing it in the UserName parameter along with the username (to display on the master page: Html.Encode(Page.User.Identity.Name.Split("|".ToCharArray())[1]))
In each controller/method in which I must know which user is logged on (via User.Identity.Name, split the string and get the user GUID).
Also I decorate those routines with the [Authorize] attribute.
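A variation on the last two answers, added here as an example and not taken from either of them: once your own IsValidLogon check has passed, the forms ticket can carry the user id in its UserData field instead of a "guid|username" string that every controller has to split. The ticket is encrypted and signed with the machineKey, so the id is not editable client-side, and it comes back through FormsIdentity. The method names and the assumption that the login check returns the user's Guid are mine.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not the answers' code. Instead of packing "guid|username" into the ticket's
// user name and splitting it on every request, the user's id rides in the ticket's UserData
// field and comes back through FormsIdentity. Assumes your own password check (the answers'
// IsValidLogon) has already succeeded and returned the user's Guid.
public static class CustomFormsAuth
{
    // Login action, after IsValidLogon succeeded:
    //   Response.Cookies.Add(CustomFormsAuth.CreateAuthCookie(email, userId, rememberMe));
    //   return Redirect(FormsAuthentication.GetRedirectUrl(email, rememberMe));
    public static HttpCookie CreateAuthCookie(string userName, Guid userId, bool persistent)
    {
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(
            1, userName, now, now.Add(FormsAuthentication.Timeout), persistent,
            userId.ToString("N"), FormsAuthentication.FormsCookiePath);

        // Encrypt() signs and encrypts with the machineKey, so UserData cannot be edited client-side.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                           // keep the ticket away from script
            Secure = FormsAuthentication.RequireSSL,   // follows <forms requireSSL="..."/>
            Path = FormsAuthentication.FormsCookiePath
        };
        if (persistent) cookie.Expires = ticket.Expiration;
        return cookie;
    }

    // In a controller or page: CustomFormsAuth.CurrentUserId(User). No string splitting of Identity.Name.
    public static Guid? CurrentUserId(IPrincipal user)
    {
        var identity = user == null ? null : user.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return null;
        Guid id;
        return Guid.TryParseExact(identity.Ticket.UserData, "N", out id) ? id : (Guid?)null;
    }
}
```

[Authorize] is unaffected: it only asks whether the principal is authenticated, which the forms cookie still establishes. User.Identity.Name stays the plain user name, so master-page display code needs no Split call.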