Securing Web Pages

[HardCode]

Suppose I create a new Web Application in VS.NET 2003. I want the first page to be a login page. All pages in the app require the users to be logged in.

 

Say one page is http://www.mysite.bla/payroll.aspx. Supposed someone types this page in the address bar, without ever logging in. What is the standard way of checking if a user is properly logged in so that they cannot just get creative and type pages in the address bar to bypass the login.

[PlausiblyDamp]

Best thing to do is look at Forms Authentication within the .Net framework - does exactly waht you're after.

[HardCode]

Yes, I found the QuickStart Guide at Microsoft's GoDotNet ( http://samples.gotdotnet.com/quickstart/aspplus/ ) while Google'ing for Forms Authentication. Thanks Damp!

[HardCode]

There is a lot of technical talk in MSDN about authentication methods. I just want to make sure I understand Windows mode. If I set the application to Digest and Windows authentication (in IIS management console, right-click the application, select Properties, Directory security tab, Edit button, and uncheck anonymous access and Basic authentication, leaving only Digest and Integrated Windows), then is this true:

 

The application and its pages, that is part of a web site open to the public, will ONLY be accessible to people on my company's Windows domain? Outsiders will not be able to access this application at all?

 

Would it be more security-conscious to instead create a new Web Site on this server and host my intercompany Web Application under that?

 

It may be wise to mention that while this server is part of the internal WAN (I access it by internal IP), it is not a part of the Domain that we log in to. It is in a "red zone" between the external firewall and then an internal firewall. When I remote-desktop to the machine, I log in with a separate local machine account. Will this affect Windows authentication?

 

Microsoft isn't know for plain English :(

Edited September 23, 2004 by HardCode