Hi!,
Well, actually that's exactly what you do.
I wouldn't say that auth and authz are mixed. I'd say that forms auth lets
you do that, but does not restrict you to only doing that.
I mean, you can use forms auth to manage 'sessions' in your webapp, and it
works great (is very convenient): if any user wants to access some page of
your app before authenticating (before establishing a valid session, AFTER
authentication), he/she is redirected to the login page (you can customize
this behavior). That saves you from adding a call to a function to check the
session inside every page of your application.
Then, once a user is logged on, based on the user's credentials you can use
ROLES (role security) to perform authorization tasks inside your webapp,
according to the logic of your webapp.
So, auth and authz are conveniently separated. Then, you have millions of
other auth and authz options that can complicate things, but you can code
your app very cleanly.
bye~
"bob biris" <bobbiris (AT) hotmail (DOT) com> wrote
Quote:
Thanks for your reply Hernan.
I can't believe Authentication and Authorization are mixed...
If I want to identify/authenticate a user (for example to retrieve his
settings from the server, let's say), the only way is to direct him to
a page which denies him access for him to be presented with a login
page. I'm surprised there is no way to force everybody to authenticate
(through forms authentication) and then leave the authorization doing
what it does best: "authorize" or not access to the page.
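The setup Hernan describes, as an added example that is not part of the original thread: a web.config that forces every visitor through forms authentication first (the "deny anonymous everywhere" rule that Bob was looking for) and then applies role-based authorization separately, per path. It assumes the forms authentication under discussion is ASP.NET's (the thread never names the framework) and uses a hypothetical Login.aspx, an Admin folder and an Admin role.

```xml
<?xml version="1.0"?>
<!-- Added example, not code from the original thread.
     Assumes ASP.NET (System.Web) forms authentication; Login.aspx,
     the Admin folder and the Admin role are hypothetical names. -->
<configuration>
  <system.web>
    <!-- Step 1: authentication. Unauthenticated requests to any protected
         page are redirected to loginUrl; the returned ticket is encrypted and
         signed (protection="All") and only sent over HTTPS (requireSSL). -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             name=".AUTH"
             timeout="30"
             protection="All"
             requireSSL="true"
             slidingExpiration="true" />
    </authentication>

    <!-- Step 2: force everybody to authenticate. "?" is the anonymous user;
         denying it at the root means every page in the app redirects to
         Login.aspx until a valid ticket exists. No roles are involved yet. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Step 3: role membership. On ASP.NET 2.0+ the role manager attaches
         roles to the authenticated principal; on 1.x you would instead build
         a GenericPrincipal with the user's roles in
         Application_AuthenticateRequest in Global.asax. -->
    <roleManager enabled="true" />
  </system.web>

  <!-- Step 4: authorization, kept separate from step 2. Everyone reaching
       this folder is already authenticated; only the Admin role may enter.
       Rules are evaluated top-down and the first match wins. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- The login page itself must stay reachable for anonymous users or the
       redirect in step 2 loops. ASP.NET 1.x needs this explicitly; later
       versions exempt loginUrl from authorization, so the rule is harmless
       there. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The two concerns Bob wanted separated live in two different places here: `<deny users="?"/>` at the root is the authentication policy, and the per-`<location>` `<allow roles>`/`<deny users>` pairs are the authorization policy. Authorization for each request is decided by the most specific `<location>` first, which is why the Admin block can be stricter than the root and the Login.aspx block looser without touching each other.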