Robert Francis asked:

ASP folder security won't accept anything but "Everyone" group

I have a folder with some asp pages. I want to use folder permissions to control who can view these asp pages. If I go to the folder and just add a few users and try to access the asp pages using a computer logged in as those users I get:

401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.

The only way I am able to access the asp pages is if I add the "everyone" group.

Why?
Big Monty

what kind of authentication are you using for your site, windows or anonymous?
also, what version of iis are you running?
ASKER CERTIFIED SOLUTION
Scott Fell
Robert Francis (asker)
iis7 and anonymous for the default website, application, and folder in application.

SOLUTION
disagree 100% with Scott's suggestion. why write code for a feature that already exists and just needs a proper configuration in IIS to work??

you need to turn off anonymous access and turn on windows authentication - http://technet.microsoft.com/en-us/library/cc754628(v=ws.10).aspx
after that make sure you have the desired users set to access the folder in the website
Well it is a good thing you don't disagree less than 100%, then you would be wishy washy.

It really depends on what you are doing.

I have personally never used that method and was taught it was not very secure. Even in that link BM provided:
"Windows authentication is not appropriate for use in an Internet environment, because that environment does not require or encrypt user credentials."

If this is closed to the outside and only people on an internal network can get to it, probably fine. But there are better ways to deal with this.
Alright alright, no fighting. lol. Scott, I intend on using your method in the near future. Looking for something kinda quick and ugly now. Need to get a hold of all the pages I have done and make a better plan. Big Monty, I will try that in the next couple of hours. Get back soon.

Experts Exchange is moving fast today
"Well it is a good thing you don't disagree less than 100%, then you would be wishy washy."

why scott, I think that's the nicest thing you ever said to me! :)

I was assuming it was for an internal app because of the mention of windows apps. I agree if it's for external use it isn't very secure
I installed windows authentication and set the folder. I gave myself permission, went to the page, it asked for my credentials and then let me in. Great... but it would be nice if it knew who I was logged in as on the computer and did not ask for my credentials.

Asking too much?
i guess some more details of your app would be helpful. are you using active directory? is it an external or internal app?
All you are doing is setting folder permissions.

That is where having a log in system is really what you need and not windows security.


You can do this by using a database of login users or you can use the active directory but the idea is still the same.  You put the security on the page.

What I do is create a separate security page and add it to the top of each page as an include file.
<!--#include file="security.asp"-->


My security asp file will read the current page http://classicasp.aspfaq.com/files/directories-fso/how-do-i-get-the-name-of-the-current-url/page.html and the session or cookie of the "logged in" user.

I have a database table of each page and the user group I assigned them. If they are on a page they are not supposed to be, they get redirected. But my navigation is also based on the user so it would be hard for the wrong user to end up on a page they shouldn't be on.

If you look at the link about gathering the url information. You can use one of the items below to read if you are currently on the invoice folder just by the url.  Then use that to determine if the user is allowed or not.
    Response.Write Request.ServerVariables("SCRIPT_NAME") & "<br>" 
    Response.Write Request.ServerVariables("PATH_INFO") & "<br>" 
    Response.Write Request.ServerVariables("URL") & "<br>" 



You don't have to use a database. You can just hard code the data to the security.asp page if you just have a few users. Doing this via a db will be easier to manage for many users or frequent changes.

You could just create a dictionary as your db on the security page http://www.w3schools.com/asp/asp_ref_dictionary.asp
' assume logged in user is princeservice and required access level is level_red
session("user") = "princeservice"

' one entry per user: user name -> access level
Set d = Server.CreateObject("Scripting.Dictionary")
d.CompareMode = vbTextCompare    ' set before adding keys; makes key lookups case-insensitive
d.Add "padas", "level_red"
d.Add "Big Monty", "level_blue"
d.Add "princeservice", "level_green"

' d.Item on an unknown user returns Empty (and adds the key), which also fails the test below
if StrComp(d.Item(session("user")), "level_red", vbTextCompare) <> 0 then
   response.redirect "somepage.asp"    ' princeservice is level_green, so this redirect fires
end if


Like I said, there are many ways to do this by using the AD, a db or coded on page. But you do need to have the page security on the page to make it smooth. More coding for you, but easier on the users.
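An added example, not Scott's or the asker's code, that puts the security.asp include idea together with the Windows authentication Big Monty describes. Once anonymous authentication is off and Windows authentication is on for the folder, IIS fills Request.ServerVariables("LOGON_USER") with the DOMAIN\user the browser authenticated as, so the include can authorize on the identity the person logged into their PC with; no login form, session or cookie is needed. The folder names, user names and the CORP domain are made up. The check fails closed when LOGON_USER is empty, which is what you get if the folder is still being served anonymously (as IUSR) and a per-user NTFS ACL is therefore never consulted.

```vbscript
<%
' security.asp  (added example, not from the thread)
' Include at the top of every protected page:  <!--#include file="security.asp"-->
' Assumes: anonymous authentication disabled and Windows authentication enabled
' on this folder in IIS. Folder paths, user names and the CORP domain are placeholders.

' Map of URL folder (as it appears in SCRIPT_NAME) to the users allowed in it.
' Hard-coded here; replace with a database or an AD group lookup when it grows.
Dim allowed
Set allowed = Server.CreateObject("Scripting.Dictionary")
allowed.CompareMode = vbTextCompare          ' must be set before Add; keys then match case-insensitively
allowed.Add "/reports/invoices", "CORP\rfrancis;CORP\bmonty"
allowed.Add "/reports/shipping", "CORP\rfrancis"

' Folder of the current page, e.g. "/reports/invoices" for /reports/invoices/list.asp
Function CurrentFolder()
    Dim path, slashPos
    path = LCase(Request.ServerVariables("SCRIPT_NAME"))
    slashPos = InStrRev(path, "/")
    CurrentFolder = Left(path, slashPos - 1)
End Function

' True only if user (DOMAIN\name) appears in the semicolon-separated list for folder.
Function IsAllowed(folder, user)
    Dim entry
    IsAllowed = False
    If Len(user) = 0 Then Exit Function                ' fail closed: no identity, no access
    If Not allowed.Exists(folder) Then Exit Function   ' folder not listed: deny by default
    For Each entry In Split(allowed.Item(folder), ";")
        If StrComp(Trim(entry), user, vbTextCompare) = 0 Then
            IsAllowed = True
            Exit Function
        End If
    Next
End Function

Dim logonUser
logonUser = Request.ServerVariables("LOGON_USER")
' Empty LOGON_USER means IIS let the request in anonymously (IUSR); treat that as a
' misconfiguration and deny rather than silently behave like the "Everyone" ACL did.
If Not IsAllowed(CurrentFolder(), logonUser) Then
    Response.Status = "403 Forbidden"
    Response.Write "Access denied."
    Response.End
End If
%>
```

The credential prompt seen above is a browser-side matter, not something this include can fix: Internet Explorer sends the logged-on user's credentials automatically only for sites it places in the Local Intranet zone (a hostname without dots, or one added to that zone), and prompts for everything else.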
I can see using the login page and will. Problem is I am dealing with several people who will be accessing these pages 20-30 times a day and they will get aggravated if they have to log in all the time. That's why it seemed so much easier just to allow or deny them when they click a link.

This is an internal app only. I am basically writing reports from data in a sql server database. The data in the database is supplied by a program we use called Jobboss. We find it faster and easier to get the data we want and formatted the way we want with asp pages rather than using the Jobboss builtin reporting (Crystal Reports).

Yes I use active directory.
Right now I am handling security by only giving the asp link to people who should be accessing the report. Anybody who gets the link can access the data. I would at least like to narrow it down to being able to access the data based on the credentials they used to login to their computer. That is why I don't understand why we are having to put in the credentials again.
if you need to get this up and running quickly, you can look into querying active directory using ldap. keep in mind this can be a complicated subject for new users, especially if you're not familiar with the inner workings of AD. Besides several good threads here on EE (just do a search in the Classic ASP zone for "ldap" and you'll get a bunch of results), you can follow this tutorial as well:

http://www.serverwatch.com/tutorials/article.php/1476961/Accessing-Active-Directory-via-Active-Server-Pages-Part-1.htm

if you only have 20-30 people for a small internal app, you may consider just building your own login system. You can always create a cookie on their system that will remember their user info (if you don't want them to keep having to log in), and will probably take you less time to bang out than using ldap, depending on your skills.
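An added example, not from this thread or the linked tutorial, of the LDAP lookup Big Monty mentions, done from Classic ASP through the ADSI OLE DB provider (ADsDSOObject). It takes the account name IIS put in LOGON_USER under Windows authentication, escapes it before it goes into the LDAP search filter so a crafted name cannot alter the query, and lets the page through only if the account is a direct member of one AD group. The domain, the group DN and the account names are placeholders, and it assumes the application pool identity is allowed to read the directory.

```vbscript
<%
' Added example (not the thread's code): authorize by Active Directory group.
' Assumes Windows authentication on the folder (so LOGON_USER is DOMAIN\user) and
' that the app pool identity can query AD. Domain, group DN and names are placeholders.

' Escape a value for use inside an LDAP search filter (RFC 4515). LOGON_USER comes
' from IIS, but escaping costs nothing and keeps the filter shape fixed.
Function LdapEscape(value)
    Dim s
    s = Replace(value, "\", "\5c")      ' backslash first, so later escapes are not re-escaped
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    s = Replace(s, Chr(0), "\00")
    LdapEscape = s
End Function

' Strip the DOMAIN\ prefix that LOGON_USER carries under Windows authentication.
Function SamFromLogonUser(logonUser)
    Dim p
    p = InStr(logonUser, "\")
    If p > 0 Then
        SamFromLogonUser = Mid(logonUser, p + 1)
    Else
        SamFromLogonUser = logonUser
    End If
End Function

' True if the account's memberOf attribute contains groupDN (direct membership only).
Function IsMemberOf(samAccountName, groupDN)
    Dim conn, cmd, rs, groups, g
    IsMemberOf = False
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    ' LDAP dialect: <base>;(filter);attributes;scope
    cmd.CommandText = "<LDAP://DC=corp,DC=local>;" & _
        "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & LdapEscape(samAccountName) & "));" & _
        "memberOf;subtree"
    Set rs = cmd.Execute
    If Not rs.EOF Then
        groups = rs.Fields("memberOf").Value    ' multi-valued: Variant array, or Null if in no groups
        If IsArray(groups) Then
            For Each g In groups
                If StrComp(g, groupDN, vbTextCompare) = 0 Then IsMemberOf = True
            Next
        ElseIf Not IsNull(groups) Then
            IsMemberOf = (StrComp(groups, groupDN, vbTextCompare) = 0)
        End If
    End If
    rs.Close
    conn.Close
End Function

Dim user
user = SamFromLogonUser(Request.ServerVariables("LOGON_USER"))
' Fail closed: no authenticated identity, or not in the group, means no page.
If Len(user) = 0 Or Not IsMemberOf(user, "CN=Report Viewers,OU=Groups,DC=corp,DC=local") Then
    Response.Status = "403 Forbidden"
    Response.Write "Access denied."
    Response.End
End If
%>
```

memberOf lists direct memberships only, so if people are granted access through nested groups the check needs a different attribute or query; and because the lookup hits the domain controller on every request, cache the result in Session for the page's lifetime rather than querying on each hit.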
For time out problems, using a cookie solves this issue. If you use a session, you can set the session time out http://www.w3schools.com/asp/asp_sessions.asp to whatever you want.
Session.Timeout=30 '30 minutes


The gotcha on this is the idle time out. You know, the 5 minutes when you are staring at the screen thinking about what to type, then you go to town and spend another 5 minutes typing something into a wysiwyg only to get bonked with not being logged in. You can't set the idle time out in code as far as I know. You have to set it in iis app pool. http://technet.microsoft.com/en-us/library/cc771956(v=ws.10).aspx

With cookies you can set it for hours, days, weeks  http://www.w3schools.com/asp/asp_cookies.asp
Response.Cookies("user")="princeservice"
Response.Cookies("user").Expires=dateadd("d",5,date) ' 5 days from now


With an internal function, I wouldn't worry about encrypting the cookies, but if there is even the possibility this can be seen or used outside, you would want to hash or encrypt.