Hello StackOverflow brain trust,

I currently have an ASP.NET 3.5 SP1 site running on IIS 7. I have enabled forms authentication using .NET Membership and set up some folders that are restricted according to roles I have created. For instance, if an anonymous visitor tries to access the file http://www.mydomain.com/restricted/foo.txt, he/she will be redirected to a login page, as expected. So far so good.

What I would like to do is provide access to protected files by allowing visitors to specify their login credentials in a query string, something along the lines of:

http://www.mydomain.com/foo.txt?user=username&pass=pwd

Is this possible at all? Any insights are greatly appreciated!

Victor

A: 

You should be able to write an HTTP module that intercepts the request and authenticates the user based on the querystring. However, just for the sake of completeness, I'd like to question whether it's a good idea to provide users their username and (in particular) password in plaintext.

Joel Martinez
Thanks for the quick answer, Joel. I've never written an http module before, but I will pursue that route and let you know how it works!
Incidentally, I figured someone would raise the question of security :-) I don't really intend to share this functionality with most users of the site. The goal is to simply allow a widget on my site to access the file (it takes a URL as input), and the user role I'm specifying for this widget is very restrictive, so no crucial data is exposed. I figured this would at least provide some degree of security to the files used by the widget, though I admit that it certainly isn't foolproof.
A: 

You could easily create a download page that would authenticate the user and then forward them to the requested file. Something like navigating to Download.aspx?user=username&pass=pwd&file=foo.txt.

This however is NOT recommended. You should never require users to pass login information via a URL.

Dan
Appreciate the feedback, Dan! See my comment above regarding security. My real dilemma is that I need to pass a URL that my widget can access (it would be ideal to pass a local path, but since it's a 3rd party widget, it has to be a web url).
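
To illustrate the concern both answers raise about credentials in a URL, here is an added example (not part of the original thread): IIS W3C logs record the query string in the `cs-uri-query` field, so `user=...&pass=...` ends up in plaintext on disk. The sketch below finds and redacts such values; the log lines, the parameter-name list, and the function names `redact_query` and `scan_log` are constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode

# Parameter names treated as credentials (an assumed list; extend per application).
SENSITIVE = {"pass", "password", "pwd", "user", "username", "token"}

# Constructed IIS W3C extended log excerpt, not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2009-06-01 10:00:01 GET /restricted/foo.txt - 192.0.2.10 302
2009-06-01 10:00:05 GET /foo.txt user=widget&pass=s3cret 192.0.2.10 200
2009-06-01 10:00:09 GET /Download.aspx user=widget&pass=s3cret&file=foo.txt 192.0.2.11 200
2009-06-01 10:00:12 GET /search.aspx q=passport 192.0.2.12 200
"""

def redact_query(query):
    """Return (redacted_query, sorted credential parameter names found)."""
    if query == "-":                      # IIS writes "-" for an empty field
        return query, []
    pairs = parse_qsl(query, keep_blank_values=True)
    hits = sorted({k.lower() for k, _ in pairs if k.lower() in SENSITIVE})
    clean = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    return urlencode(clean), hits

def scan_log(text):
    """Redact credential values; return (redacted_lines, findings)."""
    fields, out, findings = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]     # column layout can change mid-file
        cols = line.split(" ")
        if line.startswith("#") or "cs-uri-query" not in fields or len(cols) != len(fields):
            out.append(line)              # directive or unparseable row: keep as-is
            continue
        idx = fields.index("cs-uri-query")
        new_query, hits = redact_query(cols[idx])
        if hits:
            stem = cols[fields.index("cs-uri-stem")] if "cs-uri-stem" in fields else "?"
            findings.append((lineno, stem, hits))
            cols[idx] = new_query         # rows without hits are left byte-identical
        out.append(" ".join(cols))
    return out, findings

if __name__ == "__main__":
    redacted, found = scan_log(SAMPLE_LOG)
    for lineno, stem, names in found:
        print(f"line {lineno}: {stem} carries {', '.join(names)} in the query string")
    print("\n".join(redacted))
```

Matching is on exact parameter names, so `q=passport` in the last sample row is not flagged.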
A: 

A secondary answer based on comments you've made to other questions is that you could simply put your download page in a directory. The subfolder could have a web.config that allows unauthenticated users access to the contents within :-)

Something like:

<configuration>
   <system.web>
      <authorization>
         <allow users="*" />
      </authorization>
   </system.web>
</configuration>
Joel Martinez