I have the below in my web config file on a forms authenticated web site, but it does not allow a user to navigate to that page unless they login.
<configuration>
  <connectionStrings>
    <remove name="******"/>
    <add name="*******" *******"/>
    <add name="*****" *******"/>
  </connectionStrings>
  <location path="About.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
ASP.net web forms 4 site. NOTE *** hide original data
Your question is not clear. But again, enable Forms Authentication by adding this:
<system.web>
  <!--Session state timeout-->
  <sessionState timeout="60" />
  <!--My authentication module-->
  <authentication mode="Forms">
    <forms name="PROJECTNAME.ASPXAUTH" loginUrl="~/Login.aspx" protection="All" path="/" timeout="60"/>
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
It will secure the web application. If you want to access any particular folder, then create a folder and add a Web.config file, and in that web.config file:
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <!--Default access grant sa=11,admin=12-->
      <allow roles="admin"/>
      <!--Order and case are important below-->
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
This prevents access by users in roles other than admin.
Create the role by:
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,                                   // Ticket version
    Convert.ToString(user.UserID),       // Username associated with ticket
    DateTime.Now,                        // Date/time issued
    DateTime.Now.AddMinutes(60),         // Date/time to expire
    false,                               // "true" for a persistent user cookie
    Convert.ToString(user.RoleID),       // User-data, in this case the roles
    FormsAuthentication.FormsCookiePath);// Path cookie valid for
// Encrypt the ticket using the machine key for secure transport
string hash = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(
    FormsAuthentication.FormsCookieName, // Name of auth cookie
    hash);                               // Encrypted ticket
// Keep the auth cookie away from client script, and honour requireSSL from <forms>
cookie.HttpOnly = true;
cookie.Secure = FormsAuthentication.RequireSSL;
// Set the cookie's expiration time to the ticket's expiration time
if (ticket.IsPersistent) cookie.Expires = ticket.Expiration;
// Add the cookie to the list for outgoing response
Response.Cookies.Add(cookie);
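Added example, not part of the original answer: the folder rule <allow roles="admin"/> only matches once the role kept in the ticket's user data is put back on the request principal, because forms authentication on its own creates a principal with no roles. The Global.asax code below assumes the id-to-name mapping from the "sa=11,admin=12" comment above; RoleNamesById and RolesFromUserData are hypothetical names.

```csharp
// Added example (Global.asax.cs); not code from the original answer.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Assumed mapping, taken from the "sa=11,admin=12" comment in the folder web.config.
    private static readonly Dictionary<string, string> RoleNamesById =
        new Dictionary<string, string> { { "11", "sa" }, { "12", "admin" } };

    // Fires after FormsAuthenticationModule has decrypted and validated the cookie,
    // and before UrlAuthorizationModule evaluates <allow roles="..."/>.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal current = Context.User;
        if (current == null || !current.Identity.IsAuthenticated)
            return; // anonymous: <deny users="?"/> sends the request to loginUrl

        FormsIdentity identity = current.Identity as FormsIdentity;
        if (identity == null)
            return; // authenticated by something other than forms authentication

        // Re-attach the roles carried in the ticket to this request's principal.
        Context.User = new GenericPrincipal(
            identity, RolesFromUserData(identity.Ticket.UserData));
    }

    // UserData holds the role id(s) written at login; unknown ids grant no role.
    internal static string[] RolesFromUserData(string userData)
    {
        var roles = new List<string>();
        foreach (string id in (userData ?? string.Empty).Split(
                     new[] { ',' }, StringSplitOptions.RemoveEmptyEntries))
        {
            string name;
            if (RoleNamesById.TryGetValue(id.Trim(), out name))
                roles.Add(name);
        }
        return roles.ToArray();
    }
}
```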
I have to use SQL Server to store session data and forms auth for logging in. Something weird is going on where the session is ending and I lose all session data but the forms auth isn't kicking them to the login page. Here is my web config set up for this:
<authentication mode="Forms">
  <forms loginUrl="Login.aspx" timeout="2880" path="/" protection="All"
         defaultUrl="Default.aspx"/>
</authentication>
<authorization>
  <deny users="?"/>
  <allow users="*"/>
</authorization>
<sessionState mode="SQLServer" customProvider="AppFabricCacheSessionStoreProvider"
              sqlConnectionString="" timeout="30" allowCustomSqlDatabase="true">
  <providers>
    <!-- specify the named cache for session data -->
    <add name="AppFabricCacheSessionStoreProvider"
         type="Microsoft.ApplicationServer.Caching.DataCacheSessionStoreProvider"
         cacheName="dev-advisorlynx" sharedId="OrionShared"/>
  </providers>
</sessionState>
Forms auth is managed by the forms authentication cookie. Session state is managed by the ASP.NET_SessionID cookie. You could be losing one and not the other.
Check the cookie traffic using HTTP watch or by checking the IIS logs. They may be scoped differently for whatever reason (e.g. they may have a different domain or path, or one of them may be expiring).
I would like to use State Server for sessionState.
This works fine for all session variables but not for authentication. What must I do to store authentication in State Server so I can use a farm of Webservers? My web.config looks like..
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login" timeout="20" slidingExpiration="true" />
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
  <sessionState mode="StateServer" stateConnectionString="tcpip=localhost:42424" cookieless="false" timeout="20" />
  <machineKey validationKey="F2FCB9C6C8F045A198D4885C6E...
I'm unclear about what you mean by "store authentication in State Server".
Authentication is never stored in session variables, and it's a poor practice to do so. Authentication is stored on the user's local computer in the form of an encrypted cookie (either non-persistent or persistent), and therefore is inherently immune to any webfarm issues so long as your machinekey is specified in common on all servers.
Session and FormsAuthentication are two different systems in .NET.
I have a generic handler where I would like to auto-login based on some querystrings.
But then I set FormsAuthentication.SetAuthCookie(user.Name, false), but HttpContext.Current.User.Identity.IsAuthenticated returns false, and I can't redirect because of the limits set in web.config.
So how do I set FormsAuthentications in an .ashx-file?
To perform a login using the FormsAuthentication module, you may want to just use the RedirectFromLoginPage static method, which, under the covers:
prepares the authentication token;
encrypts it;
adds it to the cookie collection of the response;
performs the redirect to the required page (or the default one, as per your web.config).
Here is a short prototype for your handler:
public void ProcessRequest(HttpContext context)
{
    // TODO: Determine the user identity
    var username = context.Request.QueryString["username"];
    FormsAuthentication.RedirectFromLoginPage(username, true);
}
If you are not comfortable with the way this method performs its job, you may do each activity manually:
prepare a FormsAuthenticationTicket with the user name;
encrypt it by way of the Encrypt method;
add it to the response Cookies;
issue a redirect.
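Added example, not part of the original answer: one way to fill in the "determine the user identity" step so that the handler signs a user in only when the query string carries a valid, unexpired HMAC over the user name, instead of trusting the name as sent. The "expires" and "sig" parameters, the AutoLoginKey app setting and the class and helper names are assumptions.

```csharp
// Added example; "expires", "sig", AutoLoginKey and the helper names are assumptions.
using System;
using System.Configuration;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

public class AutoLoginHandler : IHttpHandler
{
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    public bool IsReusable { get { return true; } }
    public void ProcessRequest(HttpContext context)
    {
        var q = context.Request.QueryString;
        byte[] key = Convert.FromBase64String(ConfigurationManager.AppSettings["AutoLoginKey"]);
        if (!IsValid(q["username"], q["expires"], q["sig"], key, DateTime.UtcNow))
        {
            context.Response.StatusCode = 403; // never sign in on an unverified name
            return;
        }
        // The cookie is only read on the next request, so redirect instead of
        // checking User.Identity.IsAuthenticated here.
        FormsAuthentication.SetAuthCookie(q["username"], false);
        context.Response.Redirect(FormsAuthentication.DefaultUrl, false);
    }

    // sig = hex(HMAC-SHA256(key, username + "\n" + expires)), expires in Unix seconds.
    internal static bool IsValid(string user, string expires, string sig, byte[] key, DateTime nowUtc)
    {
        long exp;
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(sig) ||
            !long.TryParse(expires, NumberStyles.None, CultureInfo.InvariantCulture, out exp) ||
            exp < (long)(nowUtc - Epoch).TotalSeconds)
            return false; // missing field, malformed expiry, or expired link
        using (var hmac = new HMACSHA256(key))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(user + "\n" + expires));
            string expected = BitConverter.ToString(mac).Replace("-", "");
            string given = sig.ToUpperInvariant();
            int diff = expected.Length ^ given.Length; // constant-time comparison
            for (int i = 0; i < expected.Length && i < given.Length; i++)
                diff |= expected[i] ^ given[i];
            return diff == 0;
        }
    }
}
```

A valid link can be replayed until it expires, so keep the expiry short and serve the handler over HTTPS only.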
Have you tried adding it as a location path in the web.config?
<configuration>
  <location path="foo.ashx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <location>
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
I have an ASP.NET MVC application using forms authentication. Here's the line of code where I create the auth token:
FormsAuthentication.SetAuthCookie(username, true);
My web.config contains:
<system.web>
  <machineKey validationKey="{unique key}" decryptionKey="{unique key}" validation="SHA1" decryption="AES" />
  <authentication mode="Forms">
    <forms loginUrl="~/account/" timeout="2880" />
  </authentication>
  ...
</system.web>
<location path="my">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
Despite the parameter for the persistent cookie being set to true, my users get logged out after a few days of inactivity.
The app is deployed to AppHarbor, but I experienced the same behavior when it was hosted on a dedicated server.
What am I missing that would cause users to get logged out sporadically?
Your timeout is set to 2880 minutes, which is 48 hours?
timeout is used to specify a limited lifetime for the forms authentication session. The default value is 30 minutes. If a persistent forms authentication cookie is issued, the timeout attribute is also used to set the lifetime of the persistent cookie.
http://msdn.microsoft.com/en-us/library/ff647070.aspx
I am not clear about how ASP.NET's authentication works. I set the following configuration according to the help document and Google:
<configuration>
  <!--
  Login.aspx and the random_code_img.aspx does not need authentication
  But excluding the above files,all the page are protected.
  -->
  <location path="Login.aspx">
  </location>
  <location path="random_code_img.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
    ..........
  </system.web>
</configuration>
Now in the login.aspx.cs:
Within the method loginButton_click:
if (Membership.ValidateUser(username, password))
{
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1,
        username,
        DateTime.Now,
        DateTime.Now.AddMinutes(30),
        isPersistent,
        "",
        FormsAuthentication.FormsCookiePath);
    // Encrypt the ticket.
    string encTicket = FormsAuthentication.Encrypt(ticket);
    // Create the cookie.
    Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName, encTicket));
    // Redirect back to the protected URL.
    Session["havelogined"] = "1";
    HttpContext.Current.Response.Write("<script>location.replace('Default.aspx')</script>");
}
else
{
    //do something
}
However, in login.aspx, after I enter the name and password and click the login button, I am redirected to Default.aspx in the address bar of the browser, but I cannot see the content of Default.aspx. I just see:
Access is denied.
Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.
Error message 401.2................
So I wonder how ASP.NET's authentication knows whether I am logged in or not. Can I replace this notice with some readable information?
Also,
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
What does the "users" here mean?
I do not think they are the registered users in my database.
HTTP 401.2 status code corresponds to "No Authentication method configured". I'll need more info to confirm. If I had to guess I'd say you are missing the <forms> tag under the <authentication> tag.
If you haven't already found this article, you might try this link which talks about how to fully setup forms authentication - http://msdn.microsoft.com/en-us/library/xdt4thhy.aspx
the
<allow users="*"/>
means allow all users. In essence it is instructing ASP.NET to allow all users (authenticated or unauthenticated) access to random_code_img.aspx
BTW:
<deny users="?"/>
means don't allow unauthenticated users.
Hope this helps.
Inside your loginButton_click method, after you validate your user, you can simply use
FormsAuthentication.RedirectFromLoginPage
See here for more information and an example: http://msdn.microsoft.com/en-us/library/ka5ffkce.aspx