
asp.net security : Windows authentication with custom user store


Danny Vucinec
5/23/2007 4:32:02 AM
I'm building a solution that uses Windows authentication. However, the
Windows users that are allowed to login and use the application are defined
in a custom user store. If a user is successfully authenticated by Windows,
access should be denied if the user isn't in the custom user store.

Using roles to authorize the users would be a good solution, but the fact
is, that the web application uses both asp.net and classical asp. What other
options could be used? I'm thinking of a custom SessionStateUtility that only
issues a new session after the authenticated user is located in the user

Danny Vucinec
5/23/2007 4:36:02 AM
Another option could be the use of a custom "authentication cookie" that is
issued after the user is located in the user store. This cookie should then

Dominick Baier
5/23/2007 11:44:18 AM
You can write an HttpModule that handles AuthorizeRequest (or in global.asax
for a start).

In this event you can check your user store and see if the user is in the
allowed list.

This event gets called on every request - once you have this working, you
can think about optimizations, like a cookie or a flag in the cache...


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
