-1

I wish to require a popup window for users to type, to access my website. For the username and password, I was hoping to have a few hardcoded names/passwords in some file. I was told that Digest Authorisation could be used to do this.

If I've got a standard ASP.NET website, where can I define the usernames / password?

Note that this username/password only 'unlocks' the site, but doesn't log them INTO the site. they will need their website username/password for that.

halfer
  • 19,824
  • 17
  • 99
  • 186
Pure.Krome
  • 84,693
  • 113
  • 396
  • 647

2 Answers2

1

Depending on your access to the machine, a really simple option is a program called IISPassword, some providers have this installed, which allows you to use apache style .htaccess .htpassword files.

Once this is installed, setting up takes about 5 mins, just find a unix crypt function to handle the passwords, and it just works, don't have to touch aspnet at all.

Have only used this on IIS 5 and 6, but might work on 7.

Hope that helps.

seanb
  • 6,969
  • 2
  • 33
  • 34
  • This requires the ability to install an ISAPI filter. It does not claim to be compatible with IIS 7. Link: http://www.iistools.com/en/iispassword.html – tvanfosson Nov 18 '08 at 02:29
  • If i use a product like IISPassword, does that mean that after i've 'unlocked' the website, then i will still have to manually forms auth into the website, for pages that require u to be logged in? (this is what we want). ??? – Pure.Krome Nov 18 '08 at 02:48
  • From my experience, yes, has been a few years since I used it like that, so test it. We used to use it on our test servers, so pre-release stuff didn't get seen by the public. Once they have unlocked it, it means they're past that ISAPI filter, but not the forms auth. – seanb Nov 18 '08 at 02:54
  • kewlies! that helps heaps. And was this the _only_ way you could 'lock' a site down, that you guys found? – Pure.Krome Nov 18 '08 at 04:29
  • Not the only way, but one of the easiest, could look at more network admin kinda ways, VPNs, ACLs, that sorta thing, but I only really know enough to be dangerous in those areas. Stopped looking when we found something that worked well enough for testing. – seanb Nov 18 '08 at 04:48
1

I think that your users will not appreciate having to enter two passwords to use your site. I think you would be better served to stick with the web site login as the sole means to access the site and simply redirect non-logged in users to the logon page. You may also want an "about us" page that is publicly available for potential future users if your site is public.

You can find a pretty comprehensive guide to authentication in ASP.NET here. According to the article, Digest Authentication requires that you store user ids/passwords in Active Directory.

tvanfosson
  • 524,688
  • 99
  • 697
  • 795
  • thanks for the comment. The 'users' are our testing team, who access the site externally. We want to lock down the ENTIRE SITE to someone who might stuble across it randomly. It's got our dev stuff on there. So the 'user not appreciate' thing is not a concern. – Pure.Krome Nov 18 '08 at 02:46