0

I am developing an ASP.NET website. I am planning to use Forms authentication in order to guarantee authentication/authorization, but I am facing two problems regarding the authorization:

  1. I know how to set in the web config that the authenticated users are allowed to visit a webpage (say myPage.aspx). But I do not know how to define that UserA is able to access myPage to retrieve his information, not UserB's information. I was thinking about generating a token when the user authenticates, so I am able to check to whom this token belongs to and verify if this information is available to him. What do you think about this approach? Does the Form Authentication generates a token like that? (I couldn't find any mention about it in my research). If not, could I adapt the Form authentication mechanisms in order to generate or would I need to write everything on my own?

  2. I would like to access webservices, and these should only return information if the user is logged. For this reason, I would like to use the same token explained above. What do you think about it? Is it a good approach?

I am asking this because I have no experience on designing authentication/authorization mechanisms, any help/hint would be appreciated.

Improve this question

1 Answer 1

Reset to default
1

Regarding question one, after forms authentication occurs in an ASP.Net web forms app, the user's identity is exposed as a FormsIdentity object in the Page.User.Identity property. This object has a Name property which contains the username that a user use to log into your site. You can use this value to restrict what a user can access. For example, let's say you have a table in your database with user information containing the following fields:

userId int
userName varchar(25)
...more fields containing user information...

You can restrict a user to only access information from the row in this table in which the userName equals the Page.User.Identity.Name property, either directly if you are using direct ADO.Net or via your query to your ORM-mapped (i.e. nHibernate or EF) domain object.

Regarding question two, the FormsIdentity object exposed by Page.User.Identity has a boolean "IsAuthenticated" property. You can use this to restrict access to your web service as follows:

if(Page.User.Identity.IsAuthenticated)
{
     //Call your web service in a secure manner
}
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

That is great, I will surely try that. Just one question: if I know my friends's username, can't I somehow login with my account but change the username value to my friend's one?
No I don't believe that is possible. I believe the asp.net pipeline extracts the contents of the encrypted ASP.Net authentication cookie that it generates upon a successful login and uses that to populate the Page.User.identity object. Since this cookie is encrypted it is not possible to tamper with it.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.