form authentication - how to clear session with FormsAuthentication.SignOut - asp.net

I have
<system.webServer>
<modules>
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
</system.webServer>
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name=".TEST" timeout="15">
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<location path="images">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
and in this images folder I have a web.config with
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
In IIS, authentication is set to Forms Authentication and Anonymous so the user can get to the login page.
It is working correctly if you haven't logged in and try to browse the images folder. Once you are logged in, it lets you browse to that images folder. However, when you are logged out, it doesn't delete the session and still lets you browse the images folder. The code below should have killed all sessions but it apparently doesn't do so. Please let me know if I missed something. Thank you
FormsAuthentication.SignOut()
Session.RemoveAll()
Session.Abandon()
For Each key As String In Request.Cookies.AllKeys
Dim cookie As New HttpCookie(key)
cookie.Expires = DateTime.UtcNow.AddDays(-7)
Response.Cookies.Add(cookie)
Next
FormsAuthentication.RedirectToLoginPage()

Related

IIS Keeps Redirecting to Login.aspx when I set Default.aspx as default page

IIS keeps redirecting me to Login.aspx when I set Default.aspx as the default page. In my dev environment it's working fine, I get to the right page, but as soon as I publish and try from the IIS server, login.aspx always comes first.
I have made sure anon users are allowed:
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
And it's set as the default URL (further down the config):
<authentication mode="Forms">
<forms loginUrl="Login.aspx" defaultUrl="Default.aspx"></forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
I even set the default page in IIS, but it resets it every time on publish.
Try adding the Authenticated User to the security property of the web folder in IIS. Give the modify privilege (Read, Write, Modify, List Folder Content, Read & execute) to this user.
This of course should only be a temporary situation to verify that you have a permission issue. You should consider setting proper permissions for site users.
//Peace
I spent about 6 hours debugging the issue. Our website was working fine, and suddenly it started redirecting to login page instead of default page (unauthenticated). Our web.config included all authentication/authorization settings correctly.
<authentication mode="Forms">
<forms name="MyAuth" path="/" loginUrl="login.aspx" protection="All" timeout="30" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
<system.webServer>
<defaultDocument>
<files>
<clear />
<add value="default.htm" />
</files>
</defaultDocument>
...
</system.webServer>
<location path="default.htm">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
...
SOLUTION: You need to remove the Extensionless URL feature from your website.
Ref: https://support.microsoft.com/en-us/help/2526854/users-may-be-redirected-to-the-login-page-of-an-asp-net-4-application
<system.webServer>
<handlers>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
</handlers>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
After the fix, the website was back to normal.

how to secure a single aspx page in asp.net website

I have multiple aspx pages in my web site but I want to secure only one page. I used the ASP.NET membership and role manager but it requires a user name and password for all pages, and I want to secure only a single page. Please, can anyone help me with how I can do this in VB.NET with ASP.NET? I have used the following code in web.config but it applies to all pages, which I don't want.
<authorization>
<allow users="sml" />
<deny users="?" />
<deny roles="users" />
</authorization>
<roleManager enabled="true" />
<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="9820" defaultUrl="Food.aspx" cookieless="AutoDetect">
</forms>
</authentication>
<location path="ProtectedPage.aspx">
<system.web>
<authorization>
<allow roles="sml" />
<deny users="*" />
</authorization>
</system.web>
</location>
You can use URL Authorization for that:
<location path="page.aspx">
<system.web>
<authorization>
<allow users="Bob" />
<deny users="*" />
</authorization>
</system.web>
</location>
Check http://msdn.microsoft.com/en-us/library/ff649337.aspx
Try modifying your web.config as mentioned below.
<secureWebPages>
<files>
<add path="Default.aspx" secure="Insecure" />
<add path="Admin/MoreAdminStuff.aspx" secure="Ignore" />
<add path="Legal/Copyright.aspx" secure="Ignore" />
<add path="Lib/PopupCalendar.aspx" secure="Ignore" />
</files>
<directories>
<add path="/" recurse="False" />
<add path="Admin" />
<add path="Admin/Info" secure="Insecure" />
<add path="Members/Secure" recurse="True" />
</directories>
</secureWebPages>
Refer to http://www.codeproject.com/Articles/7206/Switching-Between-HTTP-and-HTTPS-Automatically-Ver for more details.

Web.config Forms Auth > protect root but allow access to subdirectory

Here's my problem...
I have a website running in IIS7 integrated pipeline mode and I want to enable forms auth on the entire website apart from the '/secure/' directory, which contains the login form.
My web config currently looks something like this...
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="Off"/>
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="secure/login.aspx" protection="All" path="/" timeout="999999" slidingExpiration="true" enableCrossAppRedirects="true">
<credentials passwordFormat="Clear">
<user name="user1" password="xxxxxx"/>
</credentials>
</forms>
</authentication>
<authorization>
<allow users="user1"/>
<deny users="*"/>
</authorization>
</system.web>
<location path="secure">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.webServer>
<!--Enabling Forms Authentication for the Entire Application-->
<modules>
<remove name="FormsAuthenticationModule" />
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
</system.webServer>
</configuration>
When I visit the website URL I just get an endless loop of redirects. I've tried putting the location specific auth rules above the system.web section but this had no effect.
Any ideas?
Cheers,
Robin
Access permissions are hierarchical. That is, if you are forbidden to access some parent, you are forbidden to access all of its children, no matter what permissions are set on the children.
You can move the login form to the root directory and set permissions for the form - it will work.

ASP.NET Active Directory roles - managing overlapping roles

I'm probably missing something easy here, but I've never done this before, so I thought I'd ask the Stackers.
I've implemented Windows Authentication on my ASP.NET app (IIS 7.5). I have rules for both the application (system.web) and IIS (system.webServer) that deny anonymous users, deny built in admins, and allow members of "Demolitions Repayment".
The trouble is, I am a built in admin AND in "Demolitions Repayment", but I'm locked out. Is it a matter of precedence?
<system.web>
<compilation debug="true" targetFramework="4.0" />
<customErrors mode="Off" defaultRedirect="~/errors/Unknown.htm" />
<authentication mode="Windows" />
<authorization>
<deny users="?" />
<deny roles="BUILTIN\Administrators" />
<allow roles="gc\Demolitions Repayment" />
</authorization>
</system.web>
<system.webServer>
<security>
<authorization>
<add accessType="Deny" users="?" />
<add accessType="Deny" roles="BUILTIN\Administrators" />
<add accessType="Allow" roles="gc\Demolitions Repayment" />
</authorization>
</security>
</system.webServer>
Try denying all users (authenticated and not authenticated) and then grant only a certain role:
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?,*" />
<allow roles="gc\Demolitions Repayment" />
</authorization>
</system.web>
<system.webServer>
<security>
<authorization>
<add accessType="Deny" users="?,*" />
<add accessType="Allow" roles="gc\Demolitions Repayment" />
</authorization>
</security>
</system.webServer>

ASP.NET 3.5 IIS7 Roles Security Implementation

I'm working on an ASP.NET 3.5 application running on IIS7 (Server '08) using the stock MS Forms Authentication and SqlRolesProvider. (I used the aspnet_regsql tool to generate the tables.)
We have three roles: SysAdmins, AppAdmins, and Users. All users are in Users, and a user can be in either SysAdmins, AppAdmins or both.
I can't seem to get an Admin directory to block access to users not in SysAdmins and AppAdmins. Either it lets in all logged-in users, or no one.
Here are the relevant bits of my current configuration:
<configuration>
...
<system.web>
<authentication mode="Forms">
<forms loginUrl="/client/security/login.aspx" timeout="480" />
</authentication>
<authorization>
</authorization>
<roleManager defaultProvider="SqlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName="EquityTouch.Roles" cookieProtection="All" cookieSlidingExpiration="true" cookieTimeout="60">
<providers>
<clear />
<add name="SqlRoleProvider" applicationName="EquityTouch" connectionStringName="SQLProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
...
</system.web>
<system.webServer>
<security>
<authorization>
<add accessType="Deny" users="?" />
</authorization>
</security>
...
</system.webServer>
<location path="admin">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs=""/>
<add accessType="Allow" roles="SysAdmins,AppAdmins" />
</authorization>
</security>
</system.webServer>
<system.web>
<authorization>
<deny users="*"/>
<allow roles="SysAdmins,AppAdmins"/>
</authorization>
</system.web>
</location>
</configuration>
I believe this configuration currently blocks everyone. I've done similar configurations that block no one.
I suspect the issue lies in using both system.web and system.webserver sections. Any help with getting this configuration working correctly would be greatly appreciated.
UPDATE
Removing the <system.webServer> section from the <location> element makes the .aspx pages in that folder return correctly! Unfortunately, the .js files in that folder are still blocked to all users... Ideally I would like to lock the .js files as well from unprivileged eyes. So I'm still looking for help.
Even in IIS7 Integrated Pipeline mode, I am successfully using the old IIS6-style authorization blocks. Please try the code below, which includes the following changes:
Added <deny users="?" /> to the first authorization block
Switched the order of <allow> and <deny> in location-specific authorization block
Removed <system.webServer> location-specific authorization blocks
To allow js files through, my best advice is to move them to a separate folder and allow all but anonymous to access that folder (see below). Alternately, you can name each js file in the location's path attribute. That solution is less maintainable, however.
Please let me know if that works for you!
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="/client/security/login.aspx" timeout="480" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<roleManager defaultProvider="SqlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName="EquityTouch.Roles" cookieProtection="All" cookieSlidingExpiration="true" cookieTimeout="60">
<providers>
<clear />
<add name="SqlRoleProvider" applicationName="EquityTouch" connectionStringName="SQLProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
</system.web>
<location path="admin">
<system.web>
<authorization>
<allow roles="SysAdmins,AppAdmins"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="js">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
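As an added example that is not code from any of the posts above, the following Python models the first-match rule evaluation of the ASP.NET UrlAuthorizationModule (rules from the most specific <location> are checked before the parent's, the first matching <allow>/<deny> wins, and the machine-level default is <allow users="*"/>) and transcribes the rule lists from the "ASP.NET 3.5 IIS7 Roles Security Implementation" and "ASP.NET Active Directory roles" threads. It shows why the original admin block locks everyone out, why swapping the two rules fixes it, and why a built-in admin who is also in the allowed role is denied; the Principal class and the tuple encoding of rules are assumptions of the example.

```python
# Added example (not from any post above): a model of UrlAuthorizationModule
# rule evaluation. Assumed semantics: most specific <location> rules first,
# then the parent's; the first matching rule decides; default is allow.

class Principal:
    """A caller; name None models an anonymous (unauthenticated) request."""
    def __init__(self, name=None, roles=()):
        self.name = name
        self.roles = {r.lower() for r in roles}

def _split(value):
    return [v.strip().lower() for v in value.split(",") if v.strip()]

def rule_matches(rule, user):
    """rule is (kind, attrs) mirroring <allow|deny users=".." roles="..">."""
    _, attrs = rule
    anonymous = user.name is None
    for u in _split(attrs.get("users", "")):
        if u == "*":                      # every caller
            return True
        if u == "?" and anonymous:        # only unauthenticated callers
            return True
        if not anonymous and u == user.name.lower():
            return True
    return any(r in user.roles for r in _split(attrs.get("roles", "")))

def is_authorized(rule_sets, user):
    """rule_sets: rule lists ordered from most specific (location) to root."""
    for rules in rule_sets:
        for rule in rules:
            if rule_matches(rule, user):
                return rule[0] == "allow"
    return True   # machine-level default is <allow users="*"/>

# Rule lists transcribed from the "ASP.NET 3.5 IIS7 Roles" thread above.
ROOT = [("deny", {"users": "?"})]
ADMIN_ORIGINAL = [("deny", {"users": "*"}),            # matches everyone first
                  ("allow", {"roles": "SysAdmins,AppAdmins"})]
ADMIN_FIXED = [("allow", {"roles": "SysAdmins,AppAdmins"}),
               ("deny", {"users": "*"})]
JS_FOLDER = [("deny", {"users": "?"}), ("allow", {"users": "*"})]

# Rule list transcribed from the "Active Directory roles" thread above:
# the deny on the admins group is evaluated before the allow on the role.
AD_ROOT = [("deny", {"users": "?"}),
           ("deny", {"roles": r"BUILTIN\Administrators"}),
           ("allow", {"roles": r"gc\Demolitions Repayment"})]
```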