Accessing login page appends ReturnUrl on IIS? - asp.net

I have a webforms application configured to use forms authentication. It works on my development machine, but since I configured it on IIS, I get a ReturnUrl on my login page with the application name. Upon logging in, I get back to the same login page, logged in but without the ReturnUrl. Logging in again finally redirects me to the correct page.
How can I stop this ReturnUrl appearing on my login page?
http://localhost/myApp/login.aspx?ReturnUrl=%2MyApp%2f
I have checked directory permissions and allowed all users on the login page with an authorization tag in my web.config, but it does not work. Some of my web.config:
<authentication mode="Forms">
<forms name="MyAuthCookie" timeout="30" loginUrl="login.aspx"></forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
.
.
.
<location path="login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

Add the defaultUrl tag and give the name of the page where you want to redirect after login.
Suppose you want to log in and redirect to the "xyz.aspx" page; then you have to add the code below to the web.config file.
Note: don't give the loginUrl tag.
<authentication mode="Forms">
<forms name="MyAuthCookie" timeout="30" defaultUrl="xyz.aspx"></forms>
</authentication>
<authorization>

Related

Forms authentication working under IIS6 redirects back to login page after authentication under IIS7

I have an ASP.NET WebForms application that was installed on IIS6 and working fine for quite some time. We are attempting to move that application to an IIS7 site, and the forms authentication is not working.
I am NOT using the Microsoft out of the box login control.
I am redirected properly to the login page. When I enter the credentials, the logging indicates that the credentials were correct. The code then redirects to the ReturnUrl query string value as expected. The cookie appears to be correctly created in the browser.
However, when the browser GETs the ReturnUrl, it redirects again to the login page.
web.config entry for the protected page:
<location path="HomeScreen.aspx">
<system.web>
<authorization>
<deny users="?" />
<allow roles="trm_members" />
<allow roles="trm_clients" />
<deny users="*" />
</authorization>
</system.web>
</location>
web.config entry for authentication:
<authentication mode="Forms">
<forms name=".ASPNETAUTH" loginUrl="Account-Registration/Account-Login.aspx" protection="None" timeout="30" />
</authentication>

Getting User.Identity is Forms using FormsAuthentication in ASP.NET 4.5

I am using FormsAuthentication in my current web application with ASP.NET 4.5. I have placed a check on the Login page: if (User.Identity.IsAuthenticated) { }, then redirect to the main page. But strangely, without even logging in, I am getting User.Identity.IsAuthenticated = true. I do not understand why it is giving true.
Web.Config
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" name=".ASPNETAUTH" defaultUrl="~/Account/Welcome.aspx" protection="All" timeout="30" path="/"></forms>
</authentication>
Thanks
Ravi Mittal
If this is published in IIS, you need to disable anonymous access via IIS (you can see how to do that on this page).
It would also help to make sure the <authorization> section of your web.config has something like this:
<authorization>
<deny users="?"/>
</authorization>
This will block "unauthorized" users from your app.

Login Page for Asp.Net Web Application

I have a web application using master pages. I want the login page to be the first page to display when a user navigates to this site. The login page is a content page. When I use the ASP.NET demos and the configuration web site they provide for setting security, my application doesn't render any of the styles. Is there a better tutorial on how to lock down an entire web application and how to use security?
You need to allow anonymous access to your resources (CSS, JavaScript etc.) in your web.config file. If you don't, then they'll not be served until you log in.
Have a read of Setting authorization rules for a particular page or folder in web.config
Example:
<configuration>
<location path="mystyles.css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
If you have used forms authentication, then just add the following section to your web.config:
<!-- location of your style resource -->
<location path="App_Themes">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
So styles would have anonymous access. To automatically redirect anonymous users to the login page, you have to add the login URL as below:
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" protection="All" path="/" timeout="30"></forms>
</authentication>

ASP.NET Forms Authentication

I have the following ASP.NET Forms Authentication configuration:
<system.web>
<authentication mode="Forms">
<forms name="MembershipCookie"
loginUrl="Login.aspx"
protection="All"
timeout="525600"
slidingExpiration="true"
enableCrossAppRedirects="true"
path="/">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="Home.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
If an anonymous user visits the site and requests home.aspx should they be denied access and kicked to the Login.aspx page because the first rule <deny users="?" /> will match and further processing will stop?
The site is running on IIS7.5, ASP.NET 4.0 and the application pool is configured for Integrated Pipeline mode.
Update:
The reason for this question was to sanity check my understanding of ASP.NET 4.0's Forms Authentication behaviour (which was actually correct). There is a related follow up question which describes what looks like a bug in a hotfix (which is also rolled into Windows 2008R2 SP1) - KB980368:
ASP.NET 2.0 and 4.0 seem to treat the root url differently in Forms Authentication
If a user is accessing Home.aspx, it will use the configuration section for Home.aspx specified by <location /> and hence the user will not be kicked out to Login.aspx.
If a user accesses Home.aspx then the second rule will be applied, i.e.
<location path="Home.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
The point to note here is: * tells that any authorized user (having any or no role assigned) can access the page, but ? tells that unauthorized users cannot access the page.
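How the rule sets quoted in the questions above are evaluated, as an added example that is not part of the original posts: a simplified Python model of ASP.NET URL authorization, in which the rules of the matching <location> are checked before the application-level rules, the first matching rule decides, and a request that matches nothing falls through to the machine-level default allow. The sample config is constructed from two snippets on this page; the user name alice and the page Reports.aspx are assumptions, and the verbs attribute and nested web.config files are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed web.config combining two rule sets quoted on this page.
WEB_CONFIG = """<configuration>
  <system.web><authorization><deny users="?" /></authorization></system.web>
  <location path="Home.aspx"><system.web><authorization>
    <allow users="*" />
  </authorization></system.web></location>
  <location path="HomeScreen.aspx"><system.web><authorization>
    <deny users="?" /><allow roles="trm_members" /><allow roles="trm_clients" />
    <deny users="*" />
  </authorization></system.web></location>
</configuration>"""

def _csv(value):
    return [v.strip().lower() for v in (value or "").split(",") if v.strip()]

def _rules(node):
    """Ordered (action, users, roles) tuples from node's <authorization> element."""
    auth = node.find("system.web/authorization")
    if auth is None:
        return []
    return [(r.tag, _csv(r.get("users")), _csv(r.get("roles")))
            for r in auth if r.tag in ("allow", "deny")]

def _matches(users, roles, user, user_roles):
    if "*" in users:                      # * = every user, anonymous included
        return True
    if user is None:                      # ? = anonymous (unauthenticated) only
        return "?" in users
    return user.lower() in users or any(r.lower() in roles for r in user_roles)

def is_allowed(config_xml, path, user=None, user_roles=()):
    """First matching rule wins; a matching <location> is checked first."""
    root = ET.fromstring(config_xml)
    path = path.lower().strip("/")
    chain = []
    for loc in root.findall("location"):
        lp = (loc.get("path") or "").lower().strip("/")
        if path == lp or path.startswith(lp + "/"):
            chain += _rules(loc)
    chain += _rules(root)                 # then the application-level rules
    chain.append(("allow", ["*"], []))    # machine-level default: allow everyone
    for action, users, roles in chain:
        if _matches(users, roles, user, user_roles):
            return action == "allow"

if __name__ == "__main__":
    for page in ("Home.aspx", "HomeScreen.aspx", "Reports.aspx"):
        print(page, "anonymous:", is_allowed(WEB_CONFIG, page),
              "authenticated:", is_allowed(WEB_CONFIG, page, "alice"))
```

An anonymous request for Home.aspx is allowed because the location's allow rule matches before the application-level deny is reached, while an authenticated user without one of the two roles is still denied HomeScreen.aspx by its final deny rule.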

Authentication settings in IIS 7.5 and ASP.Net, what is difference?

I just started to learn web programming using IIS 7.5 on Windows 2008 R2 and ASP.NET 4.
I notice that both IIS and ASP.NET can define authentication rules. In IIS, there is a forms authentication setting where I can redirect the user to a specified page for authentication, like below:
And then, in ASP web.config file, I find similar settings:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
When I finish both settings, I assume any page request will be redirected to the login.aspx page. But it didn't. So I am confused. How do the two sets of configs work together? And why is the page request not redirected?
Thanks
Update
Finally I get it working and I think I understand it now. My website structure is like below:
It is about modifying authorization rules. Deny all unauthorized users for root:
<authorization>
<deny users="?" />
</authorization>
CSS files should be allowed for all users, so I have Styles\web.config:
<authorization>
<allow users="*" />
</authorization>
and only allow unauthorized users to access register.aspx, so I have Account\web.config:
<location path="Register.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
There's another component you need to configure: authorization. If you don't, unauthorized users have access to all pages and will not be redirected to the login page. For example:
<authorization>
<deny users="?" />
</authorization>
This specifies that all unauthenticated users are denied access to pages in your application. The authorization element is part of the system.web configuration section.
When you set something in IIS with authentication (in your case, forms authentication), it also changes your mapped project's web.config file with the same settings. That's why you see the same information in both modules.
