I am trying to use MSCaptcha in an ASP.NET website. It works perfectly, but as soon as I add Forms authentication in web.config, the captcha image is no longer displayed.
Web.config before authentication (Captcha image shows up)
<!-- Baseline excerpt: no authentication mode is configured and the only authorization rule allows everyone, so anonymous requests for CaptchaImage.axd succeed. -->
<system.web>
<httpRuntime targetFramework="4.5" />
<authorization>
<!-- "*" matches every user, authenticated or anonymous. -->
<allow users="*" />
</authorization>
<!-- The captcha handler is registered twice: here for system.web, and again below under system.webServer/handlers. -->
<httpHandlers>
<add verb="GET" path="CaptchaImage.axd" type="MSCaptcha.captchaImageHandler, MSCaptcha" />
</httpHandlers>
</system.web>
<appSettings>
<add key="ValidationSettings:UnobtrusiveValidationMode" value="None" />
</appSettings>
<system.webServer>
<!-- NOTE(review): presumably set to false so that the system.web/httpHandlers entry above does not fail IIS integrated-mode validation; confirm. -->
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<add name="MSCaptcha.captchaImageHandler" verb="GET" path="CaptchaImage.axd" type="MSCaptcha.captchaImageHandler, MSCaptcha" resourceType="Unspecified" />
</handlers>
<!-- Excerpt ends here; the closing system.webServer tag is not shown on the page. -->
Web.Config after forms authentication is added (Captcha image doesn't load)
<!-- Same excerpt with Forms authentication added. The authorization rules now apply to every URL in the application, including the captcha image handler. -->
<system.web>
<httpRuntime targetFramework="4.5" />
<authorization>
<!-- Rules are evaluated top to bottom and the first match wins. "?" is the anonymous user, so every unauthenticated request is rejected here, including the GET for CaptchaImage.axd made from the login page. That is why the image stops loading. -->
<deny users="?" />
<allow users="*" />
<!-- NOTE(review): users="GET" names a user account called GET; it is not an HTTP verb filter (the verbs attribute is used for that). It also sits after allow users="*", so it is never reached. -->
<allow users="GET" />
</authorization>
<authentication mode="Forms">
<!-- NOTE(review): requireSSL is not set, so the authentication cookie is not restricted to HTTPS; consider requireSSL="true" once the site is confirmed to be served over TLS. -->
<forms name=".ASPXFORMSDEMO" loginUrl="Default2.aspx"
protection="All" path="/" timeout="30" />
</authentication>
<httpHandlers>
<add verb="GET" path="CaptchaImage.axd" type="MSCaptcha.captchaImageHandler, MSCaptcha" />
</httpHandlers>
</system.web>
<appSettings>
<add key="ValidationSettings:UnobtrusiveValidationMode" value="None" />
</appSettings>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<add name="MSCaptcha.captchaImageHandler" verb="GET" path="CaptchaImage.axd" type="MSCaptcha.captchaImageHandler, MSCaptcha" resourceType="Unspecified" />
</handlers>
<!-- Excerpt ends here; the closing system.webServer tag is not shown on the page. -->
Why is Forms authentication causing issues for the captcha? What should I do?
P.S. This web.config file is not complete, so it might look confusing.
You need to add a <location> element for the captcha handler to your web.config:
<!-- Per-path override: only the captcha image handler is opened up; every other URL keeps the site-wide authorization rules. -->
<location path="CaptchaImage.axd">
  <system.web>
    <authorization>
      <!-- "*" includes anonymous visitors, who must be able to load the image before they have logged in. -->
      <allow users="*" />
    </authorization>
  </system.web>
</location>
Related
this is my configuration for elmah in web.config
<!-- Per-path settings for the ELMAH error log viewer (elmah.axd). The handler is registered for both system.web and system.webServer, and access is limited by role. -->
<location path="elmah.axd" inheritInChildApplications="false">
<system.web>
<httpHandlers>
<add verb="POST,GET,HEAD"
path="elmah.axd"
type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<authorization>
<!-- First match wins: members of the Dev role are allowed, everyone else (including anonymous users) is denied. -->
<!-- NOTE(review): role membership is read from the authenticated principal (for example via a role provider or roles attached at sign-in). Values kept only in Session are presumably not consulted by this rule; verify how the application populates roles. -->
<allow roles="Dev" />
<deny users="*" />
</authorization>
</system.web>
<system.webServer>
<handlers>
<add name="ELMAH"
verb="POST,GET,HEAD"
path="elmah.axd"
type="Elmah.ErrorLogPageFactory, Elmah"
preCondition="integratedMode" />
</handlers>
</system.webServer>
<!-- Excerpt ends here; the closing location tag is not shown on the page. -->
But how do I tell it that I'm a Dev? I'm using Session for cookies, but I don't know how I can tell whether I'm an admin or a user.
For security reasons I want to disable some HTTP methods (e.g. OPTIONS, TRACE, HEAD) at the application level. I want to do this for all files in the directory "bundles/".
But this path is actually created by this
// Each bundle is registered under a virtual path (~/bundles/...). The source files live elsewhere
// (~/Contents/Scripts, ~/Areas/Import/Scripts/App), so any per-path restriction has to target the
// bundle URL, not a physical bundles/ directory.
bundles.Add(new Bundle("~/bundles/Something").Include("~/Contents/Scripts/file.js"));
bundles.Add(new Bundle("~/bundles/Anything").Include("~/Areas/Import/Scripts/App/anotherfile.js"));
For now I tried this (in Web.config):
<!-- Attempt to answer OPTIONS, TRACE and HEAD under bundles/ with the built-in "method not allowed" handler. -->
<!-- NOTE(review): system.web/httpHandlers is only honoured in the IIS classic pipeline; under the integrated pipeline the mapping belongs in system.webServer/handlers. Confirm which mode the application pool uses. -->
<!-- NOTE(review): path="bundles/" has no wildcard, so it presumably matches only that exact URL and not bundles/example; verify. -->
<system.web>
<httpHandlers>
<add path="bundles/" verb="OPTIONS,TRACE,HEAD" type="System.Web.HttpMethodNotAllowedHandler" />
</httpHandlers>
</system.web>
but it doesn't work
So, I want user gets 405 Method Not Allowed when making OPTIONS, TRACE, HEAD requests for any link like myapp.com/bundles/example
Thank you
I'd do it like this:
<!-- Two mechanisms are combined here: URL authorization rules that deny three verbs, and handler mappings for the bundles path. -->
<system.web>
<authorization>
<!-- These rules deny the verb for all users on every URL the section applies to, not only under bundles/. -->
<!-- NOTE(review): an authorization denial is reported as 401 (or as a redirect to the login page when Forms authentication is on), not as the 405 the question asks for; confirm the response actually returned. -->
<deny verbs="OPTIONS" users="*" />
<deny verbs="TRACE" users="*" />
<deny verbs="HEAD" users="*" />
</authorization>
...
<!-- NOTE(review): httpHandlers is only read in the IIS classic pipeline, and path="bundles" has no wildcard, so URLs below bundles/ are presumably not covered; verify. It is also not evident from this snippet that DefaultHttpHandler rejects the request; the question used System.Web.HttpMethodNotAllowedHandler for that purpose. -->
<!-- NOTE(review): IIS request filtering (system.webServer/security/requestFiltering/verbs) is another way to block verbs server-wide, although it answers with 404.6 and not 405. -->
<httpHandlers>
<add path="bundles" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
<add path="bundles" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
<add path="bundles" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>
</httpHandlers>
</system.web>
Try this
<!-- Fragment meant for system.web/httpHandlers (read only in the IIS classic pipeline). -->
<!-- NOTE(review): path="bundles" has no wildcard, so requests such as bundles/example are presumably not matched; verify before relying on this to block the verbs. -->
<add path="bundles" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
<add path="bundles" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
<add path="bundles" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>
In my web.config in application is:
<authentication mode="Forms">
  <!-- Ten-minute sliding ticket; unauthenticated requests are redirected to app/Login.aspx. -->
  <forms name=".ASPXFORMSAUTH"
         loginUrl="app/Login.aspx"
         protection="All"
         timeout="10"
         slidingExpiration="true" />
</authentication>
<authorization>
  <!-- Order matters (first match wins): anonymous users ("?") are denied, then every remaining user is allowed. -->
  <deny users="?" />
  <allow users="*" />
</authorization>
In web.config in app folder is:
<configuration>
<!-- IIS (system.webServer) settings for the app folder. There is no system.web/authorization section here, so the rules of the parent web.config apply. -->
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<directoryBrowse enabled="false"/>
<defaultDocument enabled="true">
<files>
<clear/>
<add value="Default.aspx"/>
</files>
</defaultDocument>
<!-- NOTE(review): Execute permits running executables in addition to scripts. If this folder only serves ASP.NET pages, "Read, Script" is the narrower policy; confirm nothing depends on Execute. -->
<handlers accessPolicy="Read, Script, Execute"/>
<staticContent enableDocFooter="false">
<!-- A max-age of zero tells clients not to reuse cached static content. -->
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="00:00:00"/>
</staticContent>
<asp enableParentPaths="false" scriptLanguage="VBScript" bufferingOn="true">
<limits scriptTimeout="00:01:30"/>
<session allowSessionState="true" timeout="00:20:00"/>
</asp>
<security>
<authentication>
<!-- Only IIS anonymous authentication is enabled; basic, Windows and digest are off. Access control is therefore left to the ASP.NET Forms authentication and authorization rules. -->
<anonymousAuthentication enabled="true" password="" userName="IUSR"/>
<basicAuthentication enabled="false" realm="" defaultLogonDomain=""/>
<windowsAuthentication enabled="false"/>
<digestAuthentication enabled="false" realm=""/>
</authentication>
</security>
<!-- NOTE(review): dontLog="true" turns off IIS request logging for this folder, which removes the access records needed for detection and incident response. Consider leaving logging enabled. -->
<httpLogging dontLog="true"/>
</system.webServer>
</configuration>
This works, but I want to give anonymous users access to the my_public folder.
The my_public folder contains the page about.aspx.
In web.config in my_public folder is:
<configuration>
<!-- web.config of the my_public folder: IIS settings plus a folder-level authorization override. -->
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<directoryBrowse enabled="false"/>
<defaultDocument enabled="true">
<files>
<clear/>
<add value="Default.aspx"/>
</files>
</defaultDocument>
<!-- NOTE(review): Execute permits running executables in addition to scripts; for a public folder "Read, Script" is the narrower policy. Confirm nothing depends on Execute. -->
<handlers accessPolicy="Read, Script, Execute"/>
<staticContent enableDocFooter="false">
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="00:00:00"/>
</staticContent>
<asp enableParentPaths="false" scriptLanguage="VBScript" bufferingOn="true">
<limits scriptTimeout="00:01:30"/>
<session allowSessionState="true" timeout="00:20:00"/>
</asp>
<security>
<authentication>
<anonymousAuthentication enabled="true" password="" userName="IUSR"/>
<basicAuthentication enabled="false" realm="" defaultLogonDomain=""/>
<windowsAuthentication enabled="false"/>
<digestAuthentication enabled="false" realm=""/>
</authentication>
</security>
</system.webServer>
<system.web>
<authorization>
<!-- NOTE(review): this rule matches on roles. An anonymous request carries no roles, so it presumably never matches and the request falls through to the parent deny users="?" rule, which is consistent with the redirect to the login page; verify. -->
<allow roles="*"/>
</authorization>
</system.web>
</configuration>
When a user goes to my_public/about.aspx, they are always redirected to app/login.aspx.
An anonymous user should be able to reach my_public/about.aspx.
Change the authorization section on the public web.config to
<authorization>
  <!-- "?" is the anonymous user. This rule is checked before the inherited parent rules,
       so unauthenticated requests to this folder are allowed; everything placed in the
       folder becomes public, so keep only content meant for anonymous visitors here. -->
  <allow users="?" />
</authorization>
This will allow anonymous access.
After adding <location> tag to web.config (ASP.NET 4) I got HTTP 500 Internal Server Error, when I remove <location> it works.
<?xml version="1.0"?>
<configuration>
<!-- NOTE: configSections has to be the first child element of configuration. This location element is placed ahead of it, which makes the file invalid and matches the HTTP 500 described above. -->
<location path="man">
<system.web>
<authorization>
<!-- First match wins: only the user named "man" is allowed under this path, everyone else is denied. -->
<allow users="man"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<!-- Declares the custom "rewriter" section used further down. configSections must be the first child element of configuration. -->
<configSections>
<section name="rewriter"
requirePermission="false"
type="Intelligencia.UrlRewriter.Configuration.RewriterConfigurationSectionHandler, Intelligencia.UrlRewriter" />
</configSections>
<system.web>
<!-- NOTE(review): debug="true" is a development setting; set it to false for a deployed site. -->
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms">
<!-- NOTE(review): requireSSL="false" allows the authentication cookie to travel over plain HTTP, where it can be captured and replayed. Prefer requireSSL="true" with the site served over TLS. -->
<forms name=".ASPXAUTH"
loginUrl="Login.aspx"
protection="All"
timeout="30"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="Login.aspx"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
<httpModules>
<add name="UrlRewriter" type="Intelligencia.UrlRewriter.RewriterHttpModule, Intelligencia.UrlRewriter" />
</httpModules>
</system.web>
<system.webServer>
<!-- runAllManagedModulesForAllRequests="true" runs the managed modules for every request, static files included, so the rewriter (and the ASP.NET authentication and authorization modules) also see requests for images, scripts and style sheets. -->
<modules runAllManagedModulesForAllRequests="true">
<add name="UrlRewriter" type="Intelligencia.UrlRewriter.RewriterHttpModule" />
</modules>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
<!-- URL rewrite rules. The last rule sends every remaining URL to default.aspx with the path in the pn query parameter; the earlier rules map a URL to itself, presumably to exempt it from that catch-all (processing="stop" presumably ends rule evaluation; confirm against the rewriter documentation). -->
<!-- NOTE(review): the location rule for ~/man is evaluated against a request path; confirm whether authorization runs before or after rewriting so that a rewritten URL cannot reach ~/man content without passing that rule. -->
<rewriter>
<rewrite url="~/man/(.+)" to="~/man/$1" processing="stop" />
<rewrite url="~/man/^(/.+(\.gif|\.png|\.jpg|\.ico|\.pdf|\.css|\.js|\.axd)(\?.+)?)$" to="~/man/$1" processing="stop" />
<rewrite url="~/files/^(/.+(\.gif|\.png|\.jpg|\.ico|\.pdf|\.css|\.js|\.axd|\.pdf|\.doc|\.ppt)(\?.+)?)$" to="~/files/$1" processing="stop" />
<rewrite url="~/man/" to="~/man/default.aspx" processing="stop"/>
<rewrite url="~/style/(.+)" to="~/style/$1" processing="stop" />
<rewrite url="~/images/(.+)" to="~/images/$1" processing="stop" />
<rewrite url="^(/.+(\.gif|\.png|\.jpg|\.ico|\.pdf|\.css|\.js|\.axd)(\?.+)?)$" to="$1" processing="stop" />
<rewrite url="~/(.+)" to="~/default.aspx?pn=$1" />
</rewriter>
</configuration>
The <location> element must come below <configSections>, because <configSections> has to be the first child of <configuration>.
I'm getting the error "Unrecognized configuration section system.web/configuration" when I set up my admin, staff and user authentication. Please help me with this. Here is the web.config code:
<?xml version="1.0"?>
<!--
Note: As an alternative to hand editing this file you can use the
web admin tool to configure settings for your application. Use
the Website->Asp.Net Configuration option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments usually located in
\Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>
<appSettings/>
<!-- Both entries use Integrated Security, so no database password is stored in this file. -->
<!-- NOTE(review): the second entry hard-codes an absolute path under a user profile, which discloses a local account name and breaks on any other machine; the |DataDirectory| form used by the first entry avoids both. -->
<connectionStrings>
<add name="ConnectionString" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\ASPNETDB.MDF;Integrated Security=True;User Instance=True" providerName="System.Data.SqlClient"/>
<add name="ASPNETDBConnectionString" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=C:\Users\Se7en\Desktop\Personal\VIVA\1\App_Data\ASPNETDB.MDF;Integrated Security=True;Connect Timeout=30;User Instance=True" providerName="System.Data.SqlClient"/>
</connectionStrings>
<system.web>
<!--
Set compilation debug="true" to insert debugging
symbols into the compiled page. Because this
affects performance, set this value to true only
during development.
Visual Basic options:
Set strict="true" to disallow all data type conversions
where data loss can occur.
Set explicit="true" to force declaration of all variables.
-->
<!-- NOTE: this configuration element is nested inside system.web. configuration may only be the document root, and location elements must be its direct children, which is why ASP.NET reports "Unrecognized configuration section system.web/configuration". -->
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx">
<!-- NOTE(review): passwordFormat="Clear" keeps the password in plain text in web.config, and the value used here is trivially guessable. Store credentials hashed in a membership or identity store instead, and never deploy sample credentials. -->
<credentials passwordFormat="Clear">
<user name="admin" password="password"/>
</credentials>
</forms>
</authentication>
<authorization>
<!-- Site-wide default: everyone, including anonymous users, is allowed; the location elements below tighten individual paths. -->
<allow users="*"/>
</authorization>
<!-- NOTE(review): debug="true" is a development setting; set it to false for a deployed site. -->
<compilation debug="true"/>
</system.web>
<!-- NOTE(review): only a user named "adminstrator" is allowed below, while the credentials section above defines a user named "admin"; confirm which account is meant to have access. -->
<location path="adminstrator">
<system.web>
<authorization>
<allow users="adminstrator"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="staff">
<system.web>
<authorization>
<allow users="staff"/>
<deny users="*"/>
<!-- NOTE(review): rules are evaluated top to bottom and the first match wins, so this allow rule sits after deny users="*" and is never reached. -->
<allow roles="adminstrator" />
</authorization>
</system.web>
</location>
<location path="user">
<system.web>
<authorization>
<!-- Any authenticated user may access this path; only anonymous users are denied. -->
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
<!--
<authentication mode="Forms"/>
-->
<!-- Enables the role manager, which supplies the role names that allow/deny roles="..." rules are matched against. -->
<roleManager enabled="true"/>
<!-- NOTE(review): debug="true" is a development setting; set it to false for a deployed site. -->
<compilation debug="true" strict="false" explicit="true" targetFramework="4.0">
<assemblies>
<add assembly="System.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/></assemblies></compilation>
<!-- Namespaces imported into every page; the list is cleared first and then rebuilt explicitly. -->
<pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
<namespaces>
<clear/>
<add namespace="System"/>
<add namespace="System.Collections"/>
<add namespace="System.Collections.Generic"/>
<add namespace="System.Collections.Specialized"/>
<add namespace="System.Configuration"/>
<add namespace="System.Text"/>
<add namespace="System.Text.RegularExpressions"/>
<add namespace="System.Linq"/>
<add namespace="System.Xml.Linq"/>
<add namespace="System.Web"/>
<add namespace="System.Web.Caching"/>
<add namespace="System.Web.SessionState"/>
<add namespace="System.Web.Security"/>
<add namespace="System.Web.Profile"/>
<add namespace="System.Web.UI"/>
<add namespace="System.Web.UI.WebControls"/>
<add namespace="System.Web.UI.WebControls.WebParts"/>
<add namespace="System.Web.UI.HtmlControls"/>
</namespaces>
</pages>
<!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
<!--
The <customErrors> section enables configuration
of what to do if/when an unhandled error occurs
during the execution of a request. Specifically,
it enables developers to configure html error pages
to be displayed in place of a error stack trace.
<customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
<error statusCode="403" redirect="NoAccess.htm" />
<error statusCode="404" redirect="FileNotFound.htm" />
</customErrors>
-->
</system.web>
<!--
The system.webServer section is required for running ASP.NET AJAX under Internet
Information Services 7.0. It is not necessary for previous version of IIS.
-->
</configuration>
Try this:
<configuration>
<appSettings/>
<!-- Both entries use Integrated Security, so no database password is stored in this file. -->
<!-- NOTE(review): the second entry hard-codes an absolute path under a user profile; the |DataDirectory| form of the first entry is portable and does not disclose a local account name. -->
<connectionStrings>
  <add name="ConnectionString"
       providerName="System.Data.SqlClient"
       connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\ASPNETDB.MDF;Integrated Security=True;User Instance=True" />
  <add name="ASPNETDBConnectionString"
       providerName="System.Data.SqlClient"
       connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=C:\Users\Se7en\Desktop\Personal\VIVA\1\App_Data\ASPNETDB.MDF;Integrated Security=True;Connect Timeout=30;User Instance=True" />
</connectionStrings>
<!-- Per-path rule, now a direct child of configuration. First match wins: the user named
     "adminstrator" is allowed and every other user, anonymous included, is denied. -->
<location path="adminstrator">
  <system.web>
    <authorization>
      <allow users="adminstrator" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
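<!-- Access to the staff path: the user named "staff" and members of the "adminstrator" role. -->
<location path="staff">
  <system.web>
    <authorization>
      <!-- Rules are evaluated top to bottom and the first match wins, so both allow
           rules must precede the catch-all deny. An allow placed after deny users="*"
           is never reached and would lock the role out. -->
      <allow users="staff" />
      <!-- NOTE(review): the role name must match the role store exactly, including this spelling. -->
      <allow roles="adminstrator" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>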
<!-- The user path is open to any authenticated account; only anonymous ("?") requests are refused. -->
<location path="user">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
<system.web>
<!-- Enables the role manager, which supplies the role names that allow/deny roles="..." rules are matched against. -->
<roleManager enabled="true"/>
<!-- NOTE(review): debug="true" is a development setting; set it to false for a deployed site. -->
<compilation debug="true" strict="false" explicit="true" targetFramework="4.0">
<assemblies>
<add assembly="System.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
</assemblies>
</compilation>
<!-- Namespaces imported into every page; the list is cleared first and then rebuilt explicitly. -->
<pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID">
<namespaces>
<clear/>
<add namespace="System"/>
<add namespace="System.Collections"/>
<add namespace="System.Collections.Generic"/>
<add namespace="System.Collections.Specialized"/>
<add namespace="System.Configuration"/>
<add namespace="System.Text"/>
<add namespace="System.Text.RegularExpressions"/>
<add namespace="System.Linq"/>
<add namespace="System.Xml.Linq"/>
<add namespace="System.Web"/>
<add namespace="System.Web.Caching"/>
<add namespace="System.Web.SessionState"/>
<add namespace="System.Web.Security"/>
<add namespace="System.Web.Profile"/>
<add namespace="System.Web.UI"/>
<add namespace="System.Web.UI.WebControls"/>
<add namespace="System.Web.UI.WebControls.WebParts"/>
<add namespace="System.Web.UI.HtmlControls"/>
</namespaces>
</pages>
<!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
<!-- Forms authentication with a credential defined inline in web.config. -->
<authentication mode="Forms">
<!-- NOTE(review): requireSSL is not set, so the authentication cookie is not restricted to HTTPS; consider requireSSL="true" once the site is confirmed to be served over TLS. -->
<forms loginUrl="Login.aspx">
<!-- NOTE(review): passwordFormat="Clear" keeps the password in plain text in this file, and the value shown is trivially guessable. Anyone who can read web.config (backups, source control, a file disclosure bug) obtains the admin login. Keep credentials hashed in a membership or identity store instead, and never deploy sample credentials. -->
<credentials passwordFormat="Clear">
<user name="admin" password="password"/>
</credentials>
</forms>
</authentication>
<!--
The <customErrors> section enables configuration
of what to do if/when an unhandled error occurs
during the execution of a request. Specifically,
it enables developers to configure html error pages
to be displayed in place of a error stack trace.
<customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
<error statusCode="403" redirect="NoAccess.htm" />
<error statusCode="404" redirect="FileNotFound.htm" />
</customErrors>
-->
</system.web>
</configuration>