I developed a web application having LDAP authentication. So when I load my login page for the initial time, it won't take any CSS styles and when I login to the system, the inner page designes are perfectly OK. And when I logout, it navigates to login page and now the login page design is perfectly ok and it loads all the CSS files perfectly.
If I clear the history and refresh the login page, the login page won't load perfectly. The CSS files will not load perfectly.
Before integrating LDAP to the application, it works perfectly for all the time.
Can anybody come up with a solution, please?
setting in webconfig
<authentication mode="Forms">
<forms loginUrl="syslogin.aspx" name="adAuthCookie" timeout="10" path="/">
</forms>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
<identity impersonate="true"/>
updated webconfig
<location path="img">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I wrote this code to access the image from the folder "img" which I set as background of a div and it's actually the logo. But it won't work.
Regards,
Sivajith
Add a <location> Rule in your web.config to allow anonymous users to your static ressources, if all your styles, scripts, images etc. are in the /static directory, use:
<location path="/static">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Related
I am baffled by this. I have a master page on top of a few pages, one of them is a login page. Here is a sample of web.config
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
...
<location path="~/Account/Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
From Default.aspx, I access About.aspx which requires a login. The About.aspx never gets hit, instead Login.aspx gets hit, then Site.master, then login again, then site.master again, and finally login.aspx, and master.aspx. Three times! ... Login-> Master are being hit 3 times! ... now... if I change the line of code from Web.config from
<location path="~/Account/Login.aspx">
to
<location path="Account">
Login->Master only get hit once. There is nothing else besides login.aspx/cs/designer in the Account folder. Why is this happening? I would like to control pages in the Account folder when I add more and not just lift the access to them all, but even
<location path="Account/Login.aspx">
(removed "~/") didn't do anything. Any help would be greatly appreciated.
You should allow all access to your MasterPage similar to how you allow anyone access to your Login page.
It will not be served up on it's own and doesn't need to be secured since the page that uses it should be locked down. Normally I have the root unsecured which has the login pages, master pages, about etc. I then have a secured area that has pages that use the master page from the root.
My website should have some parts that can only be seen when the user is authenticated, some parts that are visibile to everyone.
The forms authentication always redirects the user to the login page no matter what page is visited. Does that mean I should not use forms authentication? How can I solve this issue?
Use <location> element in web.config to set which pages are protected. You need to remove the authorization from the whole web site set it for each protected page in the <location> element.
A common approach is to place all protected pages in a separate folder and specify the location path to that folder.
Another one is to have a class which inherits System.Web.Page and at the Init event to redirect the user to some page, if is not authenticated. Every page should then inherit this page.
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
<location path="public">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
For me, the problem was the MachineKey. It's required to decrypt/encrypt the cookie if you are doing that (for example: a web farm). Because the app couldn't decrypt the cookie, even though it was getting passed back and forth, the app acted like the cookie wasn't even there. Adding this setting to web.config fixed it for me:
<machineKey compatibilityMode="Framework20SP2" validationKey="some_hard_coded_long_key" decryptionKey="another_hard_coded_long_key" validation="SHA1" />
See this article for more on the machinekey.
I am a beginner of asp.net..I currently have a login page with forgot password link button on the bottom of the screen. I am also using forms authentication to prevent an unauthorized user from accessing the other pages. The authentication seems to be working fine except for one thing. It prevents the user from accessing the password recovery page once the user click on the link button. How do I allow all users access to the login/password pages and also prevent them from viewing the other pages if they are not authenticated?
The code below is to prevent from other anonymous view other pages without access. But i got no idea on how to allow them to access password recovery page...
<authentication mode="Forms">
<forms loginUrl="/Presentation/Display/Login.aspx" name=".ASPNETAUTH" protection="All" path="/" timeout="120" cookieless="UseDeviceProfile" slidingExpiration="true"/>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?"/>
</authorization>
You need to use the <location> element to apply settings to a specific path, then add an <allow /> for non-logged-in users.
For example:
<location path="PasswordRecovery.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="Presentation/Display/PasswordRecovery.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
This allows anonymous users to view your password recovery page. You might want to do the same for the directory where your CSS and/or image resources are stored, in case they are required by your login page and/or your recovery page.
Use Location:
<location path="passwordrecovery.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I'm learning how to use the asp authentication, and I have created a test project for it. I have the Default page, the Login page and a Test folder with a Default page inside.
I want that Default page accesible for everyone (so, without authentication) and the "Test/Default.aspx" private. My "Web.config" is like this:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<system.web>
<authentication mode="Forms">
<forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH" >
</forms>
</authentication>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="Empresas">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
This way, when I access to the Test/Default.aspx page, I can enter even without authorization, and I don't know why. However, if I change "deny users=?" for "deny users=*", then I can't access even when I am authenticated, so the location tag is working correctly.
I change the password every time, just in case it was a cookies problem, but it isn't.
QUESTION: What is wrong in my web.config, or what do I have to do to create some pages privated?
Thank you very much in advance
how about allow users="?"
i.e. allow authenticated users
I've been trying to add the ASP.NET toolkit to my web application and I can get the demo site to work but I can't seem to implement any of the controls in my application. After playing around with it for a while, I think I've found the problem. In my web.config, I have:
<authorization>
<allow roles="Users"/>
<deny users="*"/>
</authorization>
If I change it to:
<authorization>
<allow roles="Users"/>
</authorization>
Then everything works wonderfully. Is there a set of permissions I need to include to get the Toolkit to work?
Thanks!
What errors are you seeing?
Have you checked that scripts are being delivered correctly to the browser (Firebug makes it very easy to see all the called scripts, and their contents for example)?
If you're calling a page method, have you checked the responses coming back from your pages (once again, Firebug is your friend here - the console will show you the AJAX requests being sent and the responses from the servers).
I've just set up a quick test harness with an autocomplete extender from the AjaxToolkit on a page that is locked down in a similar way to how you describe, and it all worked fine - how have you configured the ToolkitScriptManager?
Had problem with IE 8.0 and AjaxControlToolkit.AjaxFileUpload
with the authorization configuration:
<authorization>
<allow roles="Users"/>
<deny users="*"/>
</authorization>
Solution was to define in web.config:
<location path="AjaxFileUploadHandler.axd">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="CombineScriptsHandler.axd">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web> </location>
If the file where you instance AjaxFileUpload is in a folder in the website ex) foobar must the location be: <location path="foobar/CombineScriptsHandler.axd">
<location path="foobar/AjaxFileUploadHandler.axd">