Login page being hit 3 times - asp.net

I am baffled by this. I have a master page on top of a few pages, one of them is a login page. Here is a sample of web.config
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
...
<location path="~/Account/Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
From Default.aspx, I access About.aspx which requires a login. The About.aspx never gets hit, instead Login.aspx gets hit, then Site.master, then login again, then site.master again, and finally login.aspx, and master.aspx. Three times! ... Login-> Master are being hit 3 times! ... now... if I change the line of code from Web.config from
<location path="~/Account/Login.aspx">
to
<location path="Account">
Login->Master only get hit once. There is nothing else besides login.aspx/cs/designer in the Account folder. Why is this happening? I would like to control pages in the Account folder when I add more and not just lift the access to them all, but even
<location path="Account/Login.aspx">
(removed "~/") didn't do anything. Any help would be greatly appreciated.

You should allow all access to your MasterPage similar to how you allow anyone access to your Login page.
It will not be served up on its own and doesn't need to be secured since the page that uses it should be locked down. Normally I have the root unsecured which has the login pages, master pages, about etc. I then have a secured area that has pages that use the master page from the root.

Login page not redirecting properly

I have created 2 folders in my asp.net project. (Account and AdminFolder)
I want to restrict the Register.aspx page to Admin users only.
My Login.aspx page is in the Account folder and I have included a web.config in that folder with the following code;
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
I have placed the Register.aspx file in the AdminFolder with the following web.config code.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
In testing this approach out, I have tried to launch the application by going directly to the Register.aspx file. As expected, I am redirected to the Login.aspx page.
The url showing up in the browser is
http://localhost:49319/Account/Login.aspx?ReturnUrl=%2fAdminFolder%2fRegister.aspx
I login as an Admin user and I can see that I am logged in as my header hyperlink changes to logout. (I can also navigate to other files in Account to confirm I am logged in) However, the application remains at the login page instead of redirecting to the Register.aspx page.
I expected to be redirected to the Register.aspx page when login was successful.
Even once I am logged in as Admin user, I am unable to navigate directly to the Register.aspx page. I am redirected to Login.aspx.
I confirmed (by way of my Sql Server database) that the user in my test case is in the Admin role.
Can anyone nudge me in the right direction here? Thanks in advance for your time and consideration.
Try changing your web.config in AdminFolder to:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Typically that is the RoleName as it appears in the DB.
I see my error. I was allowing Admin role and then denying all roles (which would include Admin). I should have used the following in AdminFolder
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Thanks for all the feedback.

UI design is not working(CSS is not loading)

I developed a web application with LDAP authentication. When I load my login page for the first time, it doesn't pick up any CSS styles, and when I log in to the system, the inner page designs are perfectly OK. When I log out, it navigates to the login page, and now the login page design is perfectly OK and it loads all the CSS files perfectly.
If I clear the history and refresh the login page, the login page won't load perfectly. The CSS files will not load perfectly.
Before integrating LDAP to the application, it works perfectly for all the time.
Can anybody come up with a solution, please?
setting in webconfig
<authentication mode="Forms">
<forms loginUrl="syslogin.aspx" name="adAuthCookie" timeout="10" path="/">
</forms>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
<identity impersonate="true"/>
updated webconfig
<location path="img">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I wrote this code to access the image from the folder "img" which I set as background of a div and it's actually the logo. But it won't work.
Regards,
Sivajith
Add a <location> rule in your web.config to allow anonymous users access to your static resources. If all your styles, scripts, images etc. are in the /static directory, use:
<location path="/static">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

asp.net forms authentication always redirects

My website should have some parts that can only be seen when the user is authenticated, and some parts that are visible to everyone.
The forms authentication always redirects the user to the login page no matter what page is visited. Does that mean I should not use forms authentication? How can I solve this issue?
Use the <location> element in web.config to set which pages are protected. You need to remove the authorization from the whole web site and set it for each protected page in the <location> element.
A common approach is to place all protected pages in a separate folder and specify the location path to that folder.
Another one is to have a class which inherits System.Web.Page and, at the Init event, redirects the user to some page if not authenticated. Every page should then inherit this page.
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
<location path="public">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
For me, the problem was the MachineKey. It's required to decrypt/encrypt the cookie if you are doing that (for example: a web farm). Because the app couldn't decrypt the cookie, even though it was getting passed back and forth, the app acted like the cookie wasn't even there. Adding this setting to web.config fixed it for me:
<machineKey compatibilityMode="Framework20SP2" validationKey="some_hard_coded_long_key" decryptionKey="another_hard_coded_long_key" validation="SHA1" />
See this article for more on the machinekey.

How to redirect the user to password recovery page with forms authentication

I am a beginner at ASP.NET. I currently have a login page with a forgot password link button at the bottom of the screen. I am also using forms authentication to prevent an unauthorized user from accessing the other pages. The authentication seems to be working fine except for one thing. It prevents the user from accessing the password recovery page once the user clicks on the link button. How do I allow all users access to the login/password pages and also prevent them from viewing the other pages if they are not authenticated?
The code below prevents anonymous users from viewing other pages without access, but I have no idea how to allow them to access the password recovery page...
<authentication mode="Forms">
<forms loginUrl="/Presentation/Display/Login.aspx" name=".ASPNETAUTH" protection="All" path="/" timeout="120" cookieless="UseDeviceProfile" slidingExpiration="true"/>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?"/>
</authorization>
You need to use the <location> element to apply settings to a specific path, then add an <allow /> for non-logged-in users.
For example:
<location path="PasswordRecovery.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="Presentation/Display/PasswordRecovery.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
This allows anonymous users to view your password recovery page. You might want to do the same for the directory where your CSS and/or image resources are stored, in case they are required by your login page and/or your recovery page.
Use Location:
<location path="passwordrecovery.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
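
The `<location>` answers in the threads above all depend on how ASP.NET URL authorization walks its rules: most specific scope first, first matching rule decides. The Python model below is an added example, not code from any poster; it evaluates a constructed web.config that way and shows why a login page's stylesheet stays blocked for anonymous visitors until its folder gets its own `<allow>`. Assumptions: the `verbs` attribute is ignored, every request passes through URL authorization, and the paths `css/site.css` and `img/logo.png` are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the fragments quoted in the threads above.
WEB_CONFIG = """<configuration>
  <system.web>
    <authorization><deny users="?"/><allow users="*"/></authorization>
  </system.web>
  <location path="login.aspx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="img">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
</configuration>"""

# Assumption: the machine-level configuration ends the chain with allow users="*".
MACHINE_DEFAULT = [("allow", {"*"}, set())]

def _names(value):
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}

def load_rules(xml_text):
    """Map each scope ('' = site root, else a <location> path) to its ordered rules."""
    root = ET.fromstring(xml_text)
    scopes = [("", root)] + [(loc.get("path", ""), loc) for loc in root.findall("location")]
    rules = {}
    for path, node in scopes:
        auth = node.find("system.web/authorization")
        if auth is not None:
            rules[path.strip("/").lower()] = [
                (r.tag, _names(r.get("users")), _names(r.get("roles"))) for r in auth]
    return rules

def is_allowed(rules, path, user=None, roles=()):
    """First matching rule decides; user=None models an anonymous ("?") request."""
    path = path.strip("/").lower()
    scopes = [s for s in rules if s and (path == s or path.startswith(s + "/"))]
    chain = [r for s in sorted(scopes, key=len, reverse=True) for r in rules[s]]
    chain += rules.get("", []) + MACHINE_DEFAULT
    held = {r.lower() for r in roles}
    for action, users, rule_roles in chain:
        if ("*" in users or (user is None and "?" in users)
                or (user is not None and user.lower() in users) or rule_roles & held):
            return action == "allow"
    return False

if __name__ == "__main__":
    rules = load_rules(WEB_CONFIG)
    for p in ("login.aspx", "img/logo.png", "css/site.css", "PasswordRecovery.aspx"):
        print(f"{p:24} anonymous: {'allow' if is_allowed(rules, p) else 'deny'}")
```

Running the same check over a real web.config before deployment lists every path an unauthenticated visitor can reach, which makes both an over-broad `<allow users="*"/>` and a forgotten static folder visible.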

ASP.NET Authentication doesn't work

I'm learning how to use the asp authentication, and I have created a test project for it. I have the Default page, the Login page and a Test folder with a Default page inside.
I want the Default page accessible to everyone (so, without authentication) and the "Test/Default.aspx" private. My "Web.config" is like this:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<system.web>
<authentication mode="Forms">
<forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH" >
</forms>
</authentication>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="Empresas">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
This way, when I access the Test/Default.aspx page, I can enter even without authorization, and I don't know why. However, if I change "deny users=?" to "deny users=*", then I can't access it even when I am authenticated, so the location tag is working correctly.
I change the password every time, just in case it was a cookies problem, but it isn't.
QUESTION: What is wrong in my web.config, or what do I have to do to make some pages private?
Thank you very much in advance
How about allow users="?"
i.e. allow authenticated users
