I wanted to make my login as the default page before the user accesses the home page. This is my code.
<system.webServer>
<defaultDocument>
<files>
<clear/>
<add value="Login.aspx"/>
</files>
</defaultDocument>
</system.webServer>
Thanks! :)
Just right-click on that page and click on set as start up page.
What you need to do is first establish the authorization and authentication mechanism. You can use FormsAuthentication and configure the settings in a web.config file. For example, to enable forms authentication you would set the following value in the config file:
<authentication mode="Forms">
<forms
name=".ASPXAUTH"
loginUrl="login.aspx"
defaultUrl="default.aspx"
protection="All"
timeout="30"
path="/"
requireSSL="false"
slidingExpiration="true"
cookieless="UseDeviceProfile" domain=""
enableCrossAppRedirects="false">
<credentials passwordFormat="SHA1" />
</forms>
<passport redirectUrl="internal" />
</authentication>
Here you can see that loginUrl is set to login.aspx. This way, if a user is not authenticated, he or she will be redirected to login.aspx.
This is a much better approach than establishing your own logic for redirection to login or setting login.aspx as a start page.
Related
My site (ASP.NET WebForms) logs out without a user request; the user is forced to the login page and his work is interrupted. Please advise...
This line is from my web.config:
<authentication mode="Forms">
<forms loginUrl="~/Account/XXXXXXX.aspx" timeout="2880" />
</authentication>
Try increasing the Session timeout value; by default this is 30 minutes.
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/XXXXXXX.aspx" timeout="2880"/>
</authentication>
<sessionState timeout="3000" />
</system.web>
I'm trying to implement the ActiveDirectoryMembership provider so I can use forms authentication against active directory.
I can browse to the application, and be redirected to the signin page. If I enter the incorrect password I get the correct error. If I enter the correct password it redirects me to the default url (/Secure/Default.aspx), but I immediately get redirected back to the signin page. I can see the two redirects because I'm using Fiddler. So I know for sure that it is authenticating against AD correctly, but still taking me back to the signin page. I also know that the browser does accept cookies, because I built a test page in the application to prove that. I've included the web.config and relevant code below, just can't figure out what I am missing...
Edit:
I have found that if I specify UseUri instead of UseCookies, everything starts working. But I have validated that I can store data in a cookie on one page, and retrieve it on another page, so why wouldn't it work for the authentication piece?
Edit 2
I've also removed my code from the signin page and used the standard login control, same problem.
Web.config file:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://YNET" />
</connectionStrings>
<system.web>
<authentication mode="Forms">
<forms name=".ASPXAUTH"
path="/FormsAuth"
loginUrl="~/SignIn.aspx"
defaultUrl="~/Secure/Default.aspx"
timeout="20"
requireSSL="false"
protection="All"
slidingExpiration="true"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
<authorization>
<!-- Deny unauthenticated users will cause automatic redirect to the sign in page when using forms authentication. -->
<deny users="?"/>
<allow users="*"/>
</authorization>
<!-- For non AD passthrough authentication, specify the defaultProvider property -->
<membership defaultProvider="ActiveDirectoryMembershipProvider">
<providers>
<clear/>
<add name="ActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="ADConnectionString"
attributeMapUsername="sAMAccountName"/>
</providers>
</membership>
</system.web>
Signin page:
//Authenticate the user credentials against the default membership provider specified in configuration
bool bIsValid = System.Web.Security.Membership.ValidateUser(txtUsername.Text, txtPassword.Text);
if (bIsValid)
{
    System.Web.Security.FormsAuthentication.SetAuthCookie(txtUsername.Text, true);
    System.Web.Security.FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, true);
}
else
{
    //display error
    // ....
}
The cookie issue (and likely the login issue) is due to the fact that you are setting the cookie path to be /FormsAuth. That means the cookie is only valid for that URL path and will be discarded otherwise. Also, your <authorization> section can be tweaked a bit as I have adjusted in the following full update of your partial Web.config:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://YNET" />
</connectionStrings>
<system.web>
<authentication mode="Forms">
<forms name=".ASPXAUTH"
path="/"
loginUrl="~/SignIn.aspx"
defaultUrl="~/Secure/Default.aspx"
timeout="20"
requireSSL="false"
protection="All"
slidingExpiration="true"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
<!-- For non AD passthrough authentication, specify the defaultProvider property -->
<membership defaultProvider="ActiveDirectoryMembershipProvider">
<providers>
<clear/>
<add name="ActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="ADConnectionString"
attributeMapUsername="sAMAccountName"/>
</providers>
</membership>
</system.web>
<location path="Secure">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
If the /Secure folder is truly the only folder you want to protect with the login, then the above works, but if you want to lock everything down except the login page, you simply need <deny users="?" /> in your main <authorization> section.
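The cookie-path behaviour described in this answer, as an added example that is not part of the original posts: it applies the RFC 6265 path-match rule to the `<forms path>` value and reports which configured pages the browser would request without the authentication cookie. The function names and the `app_root` parameter are hypothetical, and the application is assumed to be hosted at the site root unless `app_root` says otherwise.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the <forms> element from the question, then with the answer's fix.
QUESTION_CONFIG = """<configuration><system.web><authentication mode="Forms">
  <forms name=".ASPXAUTH" path="/FormsAuth" loginUrl="~/SignIn.aspx"
         defaultUrl="~/Secure/Default.aspx" cookieless="UseCookies"/>
</authentication></system.web></configuration>"""
ANSWER_CONFIG = QUESTION_CONFIG.replace('path="/FormsAuth"', 'path="/"')


def path_match(cookie_path, request_path):
    """RFC 6265 section 5.1.4: is a cookie with this Path sent on this request?"""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # A prefix only counts on a "/" boundary: /Secure covers /Secure/x, not /SecureX.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def to_request_path(url, app_root="/"):
    """Expand "~/" and relative URLs under app_root (assumed: the site root)."""
    if url.startswith("~/"):
        url = url[2:]
    elif url.startswith("/"):
        return url
    return app_root.rstrip("/") + "/" + url


def pages_without_ticket(web_config_xml, app_root="/"):
    """Return configured URLs that the browser requests without the auth cookie."""
    root = ET.fromstring(web_config_xml)
    forms = root.find("./system.web/authentication/forms")
    cookie_path = forms.get("path", "/")
    targets = [forms.get("defaultUrl", "default.aspx")]
    # Folders locked down through <location path="..."> need the cookie too.
    targets += ["~/" + loc.get("path") for loc in root.findall("location") if loc.get("path")]
    paths = [to_request_path(t, app_root) for t in targets]
    return [p for p in paths if not path_match(cookie_path, p)]


if __name__ == "__main__":
    print("question:", pages_without_ticket(QUESTION_CONFIG))
    print("answer:  ", pages_without_ticket(ANSWER_CONFIG))
```
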
I have this section of my web.config file.
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx">
<credentials passwordFormat="Clear">
<user name="test#hotmail.com" password="12345" />
</credentials>
</forms>
</authentication>
</system.web>
I have tried to encrypt this section, but I get the object not set to an instance of the object error. This is the path that I called in the encryption class: system.web/authentication/forms/credentials
Any solution please?
Thanks.
If you're using IIS, make sure your site ID in IIS is set to 1 (Advanced settings).
I have a basic ASP.NET website set up in IIS7 with forms authentication enabled on the server. Just for grins, I deny everyone:
<?xml version="1.0"?>
<configuration>
<system.web>
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="Login.aspx" defaultUrl="Test.aspx" protection="All" timeout="30" path="/" requireSSL="false" slidingExpiration="true"/>
</authentication>
<authorization>
<deny users="*"/>
</authorization>
<compilation debug="true"/>
</system.web>
</configuration>
When I visit the default.aspx page, I get dutifully redirected to the Login.aspx page. However, I can browse to a .txt file or .png file on the root of the same site, and it displays it with no challenge.
This is odd, because in the Cassini dev server, access to those files is blocked. This only occurs once I publish to my IIS7 server.
I must be missing something in IIS7, but I can't figure it out for the life of me.
I have the site on its own .NET 4.0 app pool with integrated mode enabled.
Forms Authentication is enabled at the server
On the Edit managed Module popup for the FormsAuthentication module, I tried unchecking the "invoke only for requests...", but that tosses some kind of strange error when I do so (assembly of some sort missing? This is a fresh server install with no frills, so I can't imagine what that's about).
Can anyone point me in the right direction on this?
Thanks!
Droidilate
First of all you have to use integrated pipeline and then add this in your web.config:
<system.webServer>
<modules runAllManagedModulesForAllRequests="false">
<remove name="FormsAuthenticationModule" />
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
</modules>
</system.webServer>
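A check for the gap discussed in this question and answer, as an added example that is not part of the original posts: it reads a web.config and reports whether the forms authentication and URL authorization modules are registered so that they also run for static files such as .txt and .png. It assumes the server-level IIS registrations carry `preCondition="managedHandler"`, so a web.config that does not override them leaves static content outside those modules; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

AUTH_MODULE_TYPES = {
    "System.Web.Security.FormsAuthenticationModule",
    "System.Web.Security.UrlAuthorizationModule",
}

# Constructed samples built from the configs quoted in the question and the answer.
QUESTION_CONFIG = """<configuration><system.web>
  <authorization><deny users="*"/></authorization>
</system.web></configuration>"""
ANSWER_CONFIG = """<configuration><system.webServer>
  <modules runAllManagedModulesForAllRequests="false">
    <remove name="FormsAuthenticationModule" />
    <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
    <remove name="UrlAuthorization" />
    <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
  </modules>
</system.webServer></configuration>"""


def auth_modules_for_all_requests(web_config_xml):
    """Return the auth module types this web.config makes run for every request."""
    modules = ET.fromstring(web_config_xml).find("./system.webServer/modules")
    if modules is None:
        return set()  # inherited registrations only (assumed managedHandler-gated)
    if modules.get("runAllManagedModulesForAllRequests", "false").lower() == "true":
        return set(AUTH_MODULE_TYPES)
    covered = set()
    for add in modules.findall("add"):
        # The type attribute may carry an assembly name after a comma.
        type_name = add.get("type", "").split(",")[0].strip()
        preconditions = [p.strip() for p in add.get("preCondition", "").split(",")]
        if type_name in AUTH_MODULE_TYPES and "managedHandler" not in preconditions:
            covered.add(type_name)
    return covered


def static_files_protected(web_config_xml):
    """True only if both forms authentication and URL authorization see static files."""
    return auth_modules_for_all_requests(web_config_xml) == AUTH_MODULE_TYPES


if __name__ == "__main__":
    print("question config protects static files:", static_files_protected(QUESTION_CONFIG))
    print("answer config protects static files:  ", static_files_protected(ANSWER_CONFIG))
```
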
Like the title states - I have a web.config file that looks like,
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms name="login" protection="All" timeout="30" loginUrl="login" defaultUrl="~/">
<credentials passwordFormat="Clear">
<user name="admin" password="password" />
</credentials>
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
I want to do exactly what it says it should do... I want to deny all users who try to enter the site.
It works however, it redirects to a "Account/Login?ReturnUrl=%2flogin" url I have never heard of...
Is there a place I can change this?
I've seen this problem before. No doubt you're also getting this error:
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.
And you're being redirected to "/Account/Login" which doesn't even exist. I believe it's some kind of default that gets pulled in due to using MVC components even if you're using an ASP.NET Forms website. Perhaps you have some Razor pages and the following was added to your web.config:
<appSettings>
<add key="webpages:Enabled" value="true" />
</appSettings>
Having this in there seems to be enough to mess up your login page as defined normally:
<authentication mode="Forms">
<forms loginUrl="login" timeout="43200"/>
</authentication>
I've solved this by adding an extra "loginUrl" key to appSettings:
<appSettings>
<add key="webpages:Enabled" value="true" />
<add key="loginUrl" value="~/Login.aspx" /><!-- Override default -->
</appSettings>
The loginUrl param does not have an absolute path, so the path gets mixed with the relative folder the website is in.
Solution:
loginUrl="~/login"
or
loginUrl="/login"
The problem is
loginUrl="login"
This is the URL to send unauthenticated users to. If the URL to your login page is "Login.aspx" then that's what you should set it to.
loginUrl="login.aspx"
The piece at the end, ReturnURL, is the address to redirect the user to if they successfully login.
The LoginUrl is created with the code UrlPath.Combine(HttpRuntime.AppDomainAppVirtualPathString, loginUrl);, so I'm guessing somehow your root of your website is set to "Application".
http://www.ureader.com/msg/15372322.aspx