Asp. NET security Certification (ii) Flexible use of forms authentication of deny and allow and protection. htm files

Source: Internet
Author: User
Tags config parent directory root directory
Asp.net| Security

On the other hand, simply say the use of form forms authentication. Perhaps we think it is too simple for those in the inner master should be "water", "Little Kiss". Today we have to order the pattern: there are six doors, rejected Leaf gu City, the East gate is not windy, blowing snow surname Simon, ribbon as a voucher, decisive battle the Forbidden City.

V. Web.config scope of Action

When you create a new project, Vs.net creates a fixed Web.config in the project root directory. In addition to the project root directory, you can create web.config in either directory, provided that the application-level nodes can only appear in the web.config of the root directory. As for which is the application level node, this problem, in fact, I am not very clear, hehe. Computer is not my invention, Microsoft is not I created, C # is not my final decision, Immortal also have not know, so I do not know is normal. That being said, as long as it doesn't complain, that's right.

Remember the following two points about the scope of the Web.config setting:

1. The Web.config settings will be used for all the files in the directory and all the things under their subdirectories (Inheritance: Child with parent last name)

2, the Web.config settings under the subdirectory will overwrite the settings inherited by the parent directory (overwrite: The magistrate is inferior to the current management)

To ask you a question: Is there a configuration file that is larger than the root directory web.config? The third part will tell.

Vi. learning to refuse and skillfully use permission

Back to our first round of the new test project "Formtest", since to be validated, according to international practice, there must be a username and password. Then, these users are the administrator to build their own database, or user registration, Administrator audit good. As long as not the average fool, all know to choose the latter. You still don't say, my company also really has individual project is the administrator connects to the database to build the account number, belongs to the more special fool, we do not study him, or honestly add two pages--registration page (register.aspx) and Audit page (auditing.aspx).

The problem is finally coming to the surface, when you do register.aspx, want to visit it suddenly feel wrong, how to return to the login page? You look closely at the Web site, is not become: Login.aspx? Returnurl=register.aspx. How to do, the user is because there is no account to access the registration page AH? (This is pure nonsense, there are accounts who still run to register.) I often say to my colleagues: "The way is to come out!!" ”

1, create a new directory public, used to store some common files, such as calendar, script ah ...

2. In Solution Explorer, right-click the directory public and add a Web.config

3, the above web.config of the contents of all deleted, leaving only the following can be:

<?xml version= "1.0" encoding= "Utf-8"?>

<configuration>

<system.web>

<authorization><allow users= "*"/></authorization>

</system.web>

</configuration>

Finally cut to the chase, it's not easy. Based on the "overriding" principle, we know that the above web.config will replace the <authorization> node settings in the root Web.config, namely:

<allow users= "*"/> replace <deny users= "?" ></deny>

Annotation: "Allow" means the permission, "*" means all users;

"Deny" refuses to mean; "?" Represents an anonymous user;

Therefore, files that are in the public directory allow everyone to browse, including unauthenticated users. Drag register.aspx in, and no one will stop you from browsing anymore.

In addition to registering the page, we also mentioned an audit page (auditing.aspx), audit permissions are generally in the hands of the administrator or supervisor, and do not want others to browse this page (the truth is often in the hands of a few people, which is also impossible), how to do? "The way is people want to come out drop" hehe ... Create a new administrator's directory Managesys, and add another web.config in this directory. The contents are as follows:

<?xml version= "1.0" encoding= "Utf-8"?>

<configuration>

<system.web>

<authorization>

<allow users= "Admin"/>

<deny users= "*"/>

</authorization>

</system.web>

</configuration>

Now the question is how to know who is "Admin", the question is a bit like "my soles have a hole"--heaven knows, you do not know I know. Less gossip (if there is a good fee, I have to write a few words of power, alas ... Do you remember me at the end of the first part? What, forget it! Punish you go back to see 100 times, remember to come back again. Stop, come back! The thought of your memory, I do not trust, the first part of the browsing site is http://blog.csdn.net/cityhunter172/archive/2005/11/06/524043.aspx, back to the site is http:// Blog.csdn.net/cityhunter172/archive/2005/11/13/528463.aspx

Well, no matter what the bad guys are, guys, keep looking down.

System.Web.Security.FormsAuthentication.SetAuthCookie (this. Txt_username.text,false); Through validation, cookies are issued

I have stressed before, to note that the first parameter is important, to what extent? Speaking of this, I am afraid the earth people know--it is the basis of allow and deny. If this is the "Admin" that the user fills out here. Txt_username.text = "Admin"; Then enter the system, he will be able to access the Managesys directory of the Web page, and other unauthorized people are shut out.

In order to consolidate the above, to save a homework for everyone: This project has two departments, each of which has a specific page for users to browse the use of the department, how to use Web.config to achieve results? Again, the answer is in part three.

[1] [2] [3] Next page



Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.