Asp.net and security - asp.net

I have an asp.net 3.5 website with using forms authentication and asp.net roles and membership. I have an image in folder images. In my web.config i give access to this folder
<location path="images">
<system.web>
<authorization>
<!-- Order and case are important below -->
<allow roles="*"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
I can see the image from a page in my root. When i traverse to a page(Page.aspx) one folder down, the image is not visible, i.e /Operational/Page.aspx.
How should i setup authorisation with regards to subfolders?

It can be a path issue. As I guess you settings are good you don't need to change it.
You can view the path in the browser and see if there path are correct or not.
You can use firebug or Firefox to check the path.

Related

Any non-valid user to the application can access the PDF help file by entering its absolute URL directly into the browser ASP.net

I have an ASP.net application with target framework 3.5. I have create a help file named UserGuide.pdf and provided a menu item on the page. when user clicks the help menu this PDF file is opening in the new tab of the browser. I use Windows Authentication for the same application.
My problem is, the .pdf file can be accessed directly by using the URL, and I have to stop it somehow. What is a quick way to do it?
There are probably other ways...
Since you already using user based authorization...it should be a snap.
But read about it an learn what all is involved Documentation
The web.config goes into the same folder as the documents...so you could possibly end up with several web.configs.
It will look something like this...again read the documentation.
(Using Admin role for example)
<?xml version="1.0"?>
<configuration>
<!-- this would be for just that one file -->
<location path="UserGuid.PDF">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<!-- this would be for whole directory -->
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
**Note...if any mistakes are present...please feel free to correct.

how to access server resource for login page and home page when authentication mode is set to forms and protection is set to All

In my asp.net application ,in web.config file i have set authentication mode="forms" and protection="All".But after doing this i get access to login page without any image and css resources .I also need to access my home page without login.How can i do this kindly help.
In the web.config, you will need to add a location that allows all user to access the images and CSS files. Something like:
<location path="images">
<system.web>
<authorization>
<allow users="*" />
<allow users="?" />
</authorization>
</system.web>
</location>
That should sit under the root node of the config file.
You can do the same for the homepage, adjusting the value of path to the correct location.

asp.net Allow single page to be viewed without authorisation

Possibly a stupid question:
I have a site, developed by an outside company, which requires logon for all pages.
We'd like to add a single page to the site that DOESN'T require the user to be logged in...so they can click the link on the logon page to view "T&C's" type info.
Is this possible?
(ASP.Net 4.0 on IIS)
If you're using the ASP.Net membership providers you can specify this in the web.config file. Where for blocked pages you would expect:
<authorization>
<allow roles="granted"/>
<deny users ="*"/>
</authorization>
you can specify this per folder (or per page):
<location path="terms.aspx">
<system.web>
<authorization>
<allow users ="*"/>
</authorization>
</system.web>
</location>
to allow everyone access to this specific page.
Note that you can create a specific web.config in a folder in your website, these settings override the general web.config. This allows you to customize these settings per folder level.
Thanks to oɔɯǝɹ for pointing me in the right direction:
Added this after my node
<location path="terms.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Will this only have static content? Is it the asp.net application dealing with authentication?
If so you can just upload a .html file containing simple HTML (and your T&C) which will be served no problem to anyone requesting it.

How can you prevent Formsauthentication to block css and images?

I have a project containing an image, css and js folder.
I want to make sure no css, image or js is blocked when using formsauthentication.
I know you can do this with the locationtag in the web.config but I was wondering if you could do this otherweise?
this is how I do it right now:
<location path="css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="images">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I'm using asp.net (c#) with iis 7.0.
Cheers,
M.
Set the folder permissions for your CSS/images directories, to allows anonymous access.
This is done in the web.config, not filesystem permissions.
It is a good practice to serve static resources such as images and css from a cookie-free domain.
I was seeking the same answer however in my case it is allowing access to CSS, Images and JS files by default. I think it only requires authentication if for ASPX (etc).
Also, I am using deny users "?" rather than "*"

Problem in login page in asp.net

I have created a login page. In this page i used div tag which is mapped with images for good design purposes. i have enabled the forms authentication in web.config.
So finally images i mapped in div is not appearing in the login page.
please help me!
If the images are not meant to be protected and should be visible on all pages, then I would add a location tag in the main web.config:
<location path="images">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Add a web.config file to your images directory containing the following:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
This will allow your login page, which is usually viewed by unauthenticated users, to show images.
I assume the images are not displaying due to access? Where do the images exist? If they exist in a directory that is locked down to forms authentication, the pictures cannot display.
Try adding a web.config file to your images directory and to allow public access to these files.
Here is what the web.config should contain:
<?xml version="1.0"?>
<configuration>
<location path="images">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<!-- Your normal web.config stuff here -->
</system.web>
</configuration>
Also check your IIS settings for the application in general to make sure you are allowing anonymous access.
EDIT: Make sure to move your images to a folder that does not require authorization. If you have them in the same directory as your secured aspx pages then you won't be able to access them.
EDIT 2: Included the info provide by Thomas and Sky Sanders as it included a better solution. See comment threads on answers for more information.

Resources