Troubles with Forms Authentication - asp.net

I'm working on an ASP.NET Web Forms application where I have a folder called Account at the root, which contains mainly three ASPX pages: Login.aspx, ChangePassword.aspx, ForgotPassword.aspx.
I've configured forms authentication with a custom membership provider.
web.config
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" slidingExpiration="true" timeout="2880" path="/" protection="All" />
</authentication>
<membership defaultProvider="CustomMembershipProvider">
<providers>
<clear/>
<add name="CustomMembershipProvider"
type="App_Code.CustomMembershipProvider, Portal.Web"
connectionStringName="PortalConnectionString"
applicationName="/" />
</providers>
</membership>
If I try to access the pages in the Account folder other than Login.aspx I am redirected to Login.aspx, and currently I'm bypassing forms authentication for the other two pages like below:
<location path="Account/ChangePassword.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Account/ForgotPassword.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Instead of specifying individual pages like above, can I combine them? I tried specifying the folder name Account in the path attribute, but that's not working.
The next thing is I have another page called Dashboard.aspx in the root, and whenever I directly access it I thought I would be redirected to the Account/Login.aspx page, but it's not happening. Why?

You definitely can specify a folder as the path attribute - try removing the trailing / if you'd left it on, e.g.
<location path="account">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
However, because you want to protect the other pages inside the account folder, you will need to override for the pages specifically available to anonymous users, such as Login.aspx and ResetPassword.aspx. You cannot combine multiple file entries.
As for why Dashboard.aspx is redirecting, there must be something else in the config you've not posted here which is causing that.

Related

How to have compulsory login in asp.net for a particular page

I have created a default master page site with login and register options.
When you create the default page you get three menu options, i.e. HOME, ABOUTUS, CONTACTUS.
I have added one more menu option, i.e. ADMIN.
Whenever someone clicks ADMIN they are supposed to log in; it has to be mandatory.
How can I do it?
Currently anyone can surf all menu pages without logging in.
I want to make it compulsory.
Please help; basically I need a members-only page.
You can use the location config to specify the path of either a folder or a page; see below for an example and a link to the Microsoft details.
http://msdn.microsoft.com/en-us/library/ff648345.aspx
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="https://myserver/mywebapp/secure/Login.aspx"
protection="All"
timeout="30"
name="AppNameCookie"
path="/FormsAuth"
requireSSL="true"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
<!-- Deny access to unauthenticated users -->
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</configuration>
<!-- Allow unrestricted access to the folder with the login page -->
<location path="secure">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Add this section to your application's web.config file to deny access by all unauthenticated users to the location admin_page.aspx:
<configuration>
<location path="admin_page.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
Read this for more information about Control Authorization Permissions in an ASP.NET Application

ASP.NET Redirect to login page but not for default page

I have an ASP.NET 4.5 / C# site where I am trying to do the following. When users hit the root of the site, www.blah.com, they should be redirected to Default.aspx. This page is open and does not require login. There is a link on this page if they would like to login. However, I need to automatically redirect them to login if they try to access other pages. Some are open to all and some are not. I'm cool with assigning permissions via roles per page or per folder. The issue I have is with Default.aspx.
If a user comes to my site by typing: www.blah.com/Default.aspx then the page comes up with no redirect for a login.
If a user comes to my site by typing: www.blah.com/Admin.aspx then they are redirected to login.
My life is good so far, but...
If a user comes to my site by typing: www.blah.com then they are redirected to login instead of just loading Default.aspx. Here is the relevant web.config.
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx" requireSSL="false" protection="All" slidingExpiration="true" path="/" timeout="240" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" />
</authentication>
<authorization>
<deny users= "?"/>
</authorization>
</system.web>
I assume my specific permission on Default.aspx overrides the generalized deny. Again, this appears to work. The issue I have is the automatic redirect to Default.aspx when someone hits the root of my site, www.blah.com.
As always, thanks!
update
I have moved everything into one of 3 directories: _public, _private, _admin. Let's not worry about _admin for now. Here is how my web.config is set up:
<defaultDocument>
<files>
<clear />
<add value="~/_public/Default.aspx" />
</files>
</defaultDocument>
.
.
.
<location path="_public">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="_private">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
.
.
.
<forms name=".ASPXFORMSAUTH" loginUrl="~/_public/Login.aspx" defaultUrl="~/_private/landingPage.aspx" slidingExpiration="true" path="/" />
I am still doing something wrong. Shouldn't my users come to ~/_public/Default.aspx when they hit www.blah.com? Now it is telling me I don't have a default page specified.
Also, regarding the defaultUrl property of the forms tag. How does this tie in with the DestinationPageUrl of my login control?
Thx!
update
I updated the paths in the location tag to "~/folder" instead of "folder". Now instead of an error is just keeps taking me to the login screen. I don't have another authorization tag in the root of web.config, but I am handling the subfolders from the main web.config instead of putting a separate file in each subfolder.
Thank you all for the detailed replies. They were all very helpful and led me to a better overall solution. However, the root of my issue was something very small and annoying. Take a look at my default page again:
<defaultDocument>
<files>
<clear />
<add value="~/_public/Default.aspx" />
</files>
</defaultDocument>
Notice the path in the value. I experimented with this and found that if I lead with a tilde or a forward slash that this value is completely ignored. Once I specified it as "_public/Default.aspx" everything else fell into place and worked as expected.
I did change a few things up though. I am using three subfolders for pages: _public, _private, and _admin. _public is for anyone, _private is for anyone authenticated, and _admin is for those with special privs. I want to mention that I DO NOT have any Default.aspx file in the root of my website whatsoever. To verify the way I was specifying the path in the web.config was wrong, I have tried switching it back with exactly the same failure.
I'm curious if anyone has spotted this, and do you see it as inconsistent? Most everywhere else in my web.config I can specify a path from root by beginning with a tilde.
So, my site acts as expected...anonymous users hitting public pages works fine. Hitting private or admin pages redirects to login. Once logged in, if you were trying to get to a specific page you go there...if not, you are redirected via the defaulturl in the forms tag. Most importantly, when you type in the name of the site with no page specified, you are taken to the default page...which should have been the simplest part of it all if not for the syntax issue. So there it is....doh!
I would recommend making a landing page that will be the result of the root URL being typed in by the user.
The issue you are seeing is that default.aspx is the default document for a root URL request in IIS and is also the defaultUrl for your Forms Authentication.
Create a Landing.aspx page that has whatever message you want, link to log-in, etc.
Now make this Landing.aspx be the first default document in IIS (make sure it is before default.aspx in the list) so that a root URL request will redirect to Landing.aspx and not get involved with the Forms Authentication at all.
Also, add a <location> entry in web.config to allow all users access to the Landing.aspx page:
<location path="Landing.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
If you want to restrict users to folders, you want to create a web.config inside each folder (which is a lot easier to maintain than adding it all to the main web.config).
Note: for good design practice (in traditional ASP.NET), you want to place Admin.aspx inside a separate folder. The same goes for user pages that require login.
Here is an example -
Main web.config
<system.web>
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx" requireSSL="false" protection="All" slidingExpiration="true" path="/" timeout="240" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" />
</authentication>
</system.web>
Users/web.config
Deny anonymous access. In other words, the user is required to log in before accessing any pages inside the Users folder.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Admin/web.config
Deny everyone except users in Administrator role.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator" />
<deny users="*"/>
</authorization>
</system.web>
</configuration>
try the following:
Create a folder, for example admin, and put Login.aspx there
Set authentication to forms
<authentication mode="Forms">
<forms name="HIVLogin" loginUrl="~/admin/Login.aspx" timeout="20" protection="All"/>
</authentication>
then under system.web
<location path="Admin">
<system.web>
<authorization>
<allow roles="Admin" />
<allow users="Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
There is no need to write any code to set a page as your default page in ASP.NET. Go to Solution Explorer, right-click on the page you would like to set as default and click Set As Start Page.
You need to add following mappings under section<system.web>.
<urlMappings enabled="true">
<add url="~/" mappedUrl="~/Default.aspx" />
</urlMappings>
This will redirect to default.aspx when you browse root url i.e www.domain.com or localhost.
Thanks.
I spent about 6 hours debugging the issue. Our website was working fine, and suddenly it started redirecting to login page instead of default page (unauthenticated). Our web.config included all authentication/authorization settings correctly.
<authentication mode="Forms">
<forms name="MyAuth" path="/" loginUrl="login.aspx" protection="All" timeout="30" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
<system.webServer>
<defaultDocument>
<files>
<clear />
<add value="default.htm" />
</files>
</defaultDocument>
...
</system.webServer>
<location path="default.htm">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
...
SOLUTION: You need to remove Extensionless URL feature from your website. Ref: https://support.microsoft.com/en-us/help/2526854/users-may-be-redirected-to-the-login-page-of-an-asp-net-4-application
<system.webServer>
<handlers>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
</handlers>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
After the fix, the website was back to normal.

Redirects to login.aspx but not to default.aspx

So I have set up my web.config to use forms authentication. I have the two pieces of code in my web.config, but it is acting strangely. When you go to www.mysite.com it redirects to the login.aspx page, but when you go to www.mysite.com/default.aspx it does not redirect. Why is it doing this? I also have the default document set as default.aspx.
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" timeout="2880" defaultUrl="account/default.aspx" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
As clearly shown in the config file, you have allowed unauthenticated users to access "default.aspx" URL explicitly. There is no such thing for "/" URL. Note that it does not matter that they (might) end up pointing to the same physical file on disk eventually. Only the URL matters for authorization purposes. You can clone your <location> tag and simply have another one for path="/" that allows access to all users, regardless of their authentication status.
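The rule-merging behaviour that the answer above relies on ("only the URL matters"), and that the folder-versus-file <location> entries in the first question depend on, can be checked offline. The following Python script is an added example, not code from any of the posts or from Microsoft: it parses a constructed web.config, merges <authorization> rules the way ASP.NET's UrlAuthorizationModule does (the deepest matching <location> first, then the root <system.web>, then the machine-wide default <allow users="*"/>) and applies the first rule that matches the requesting principal. Every path, user name and role in it is made up for the demo; it models the users and roles attributes, the ? and * wildcards and folder/file <location> paths only (no verbs attribute, no allowOverride, no IIS handler or default-document behaviour), so it is a reasoning aid, not a substitute for testing the deployed site.

```python
"""Added example (not from any post above): models how ASP.NET merges
<authorization> rules (deepest matching <location> first, then the root
<system.web>, then the machine default allow *) and applies the first match."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed web.config for the demo; every path, user and role is made up.
SAMPLE_WEB_CONFIG = """
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" protection="All" />
    </authentication>
    <authorization><deny users="?" /></authorization>
  </system.web>
  <location path="Account">
    <system.web><authorization>
      <deny users="?" /><allow users="*" />
    </authorization></system.web>
  </location>
  <location path="Account/Login.aspx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <location path="Reports">
    <system.web><authorization>
      <allow users="*" /><deny users="?" />
    </authorization></system.web>
  </location>
  <location path="Admin">
    <system.web><authorization>
      <allow roles="Administrator" /><deny users="*" />
    </authorization></system.web>
  </location>
  <location path="Default.aspx">
    <system.web><authorization><allow users="?" /></authorization></system.web>
  </location>
</configuration>
"""

@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    users: frozenset  # "?" = anonymous, "*" = everyone, or user names
    roles: frozenset
    source: str       # config section the rule came from, for the explanation

def _split(attr):
    return frozenset(x.strip().lower() for x in attr.split(",") if x.strip())

def _parse_rules(auth_el, source):
    if auth_el is None:
        return []
    return [Rule(el.tag, _split(el.get("users", "")), _split(el.get("roles", "")), source)
            for el in auth_el if el.tag in ("allow", "deny")]

def _norm(path):
    # Accept "~/Account", "Account/" and "Account" alike (ASP.NET wants a relative path).
    return path.strip().lstrip("~").strip("/").lower()

def load_config(xml_text):
    root = ET.fromstring(xml_text)
    locations = []
    for loc in root.findall("location"):
        src = '<location path="%s">' % loc.get("path", "")
        rules = _parse_rules(loc.find("system.web/authorization"), src)
        locations.append((_norm(loc.get("path", "")), rules))
    return {"root": _parse_rules(root.find("system.web/authorization"), "<system.web>"),
            "locations": locations}

def effective_rules(cfg, url):
    """Rules that apply to one app-relative URL, most specific first."""
    u = _norm(url)
    hits = [(p, r) for p, r in cfg["locations"] if u == p or u.startswith(p + "/")]
    hits.sort(key=lambda pr: pr[0].count("/"), reverse=True)  # deepest path first
    rules = [r for _, rs in hits for r in rs] + cfg["root"]
    return rules + [Rule("allow", frozenset({"*"}), frozenset(), "machine default")]

def _matches(rule, user, roles):
    if "*" in rule.users:
        return True
    if user is None:  # anonymous request: only "?" can match it
        return "?" in rule.users
    return user.lower() in rule.users or bool(rule.roles & roles)

def check_access(cfg, url, user=None, roles=()):
    """Return (allowed, reason); user=None means an anonymous request."""
    role_set = frozenset(r.lower() for r in roles)
    for rule in effective_rules(cfg, url):
        if _matches(rule, user, role_set):
            return rule.action == "allow", "%s by %s" % (rule.action, rule.source)
    return True, "no rule matched"  # unreachable: the machine default matches everyone

if __name__ == "__main__":
    cfg = load_config(SAMPLE_WEB_CONFIG)
    for url, user, roles in [("/", None, ()), ("Default.aspx", None, ()),
                             ("Account/Login.aspx", None, ()), ("Reports/Q1.aspx", None, ()),
                             ("Admin/Users.aspx", "bob", ("Administrator",))]:
        ok, why = check_access(cfg, url, user, roles)
        print("%-24s %-7s %-5s %s" % (url, user or "(anon)", "ALLOW" if ok else "DENY", why))
```

Running it shows the three things these threads keep tripping over: "/" is denied while Default.aspx is allowed, because only the URL is matched and no <location> covers the bare root; Account/Login.aspx is allowed even though the Account folder is locked down, because the file-level <location> is merged in front of the folder-level one; and the Reports entry, which lists <allow users="*"/> before <deny users="?"/>, lets anonymous users straight in, because the first matching rule wins. The same audit over a real web.config is a cheap way to catch that ordering mistake before an attacker does.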

FormsAuthentication redirecting to login page when visiting root of website

I wanted to use FormsAuthentication to secure my static files as well on my site, so I followed the instructions located here http://learn.iis.net/page.aspx/244/how-to-take-advantage-of-the-iis7-integrated-pipeline/ under title "Enabling Forms Authentication for the Entire Application".
Now though, when I try to visit the site by going directly to http://www.mysite.com I get redirected to http://www.mysite.com/Login.aspx?ReturnUrl=%2f instead of it using my DefaultDocument I have set. I can go to my default document by just visiting http://www.mysite.com/Home.aspx without any issues because it is set to allow anonymous access.
Is there something I need to add into my web.config file to make iis7 allow anonymous access to the root? I tried adding with anonymous access but no such luck.
Any help would be much appreciated.
Both Home and the Login form allow anonymous.
<location path="Home.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Login form is set as the loginUrl
<authentication mode="Forms">
<forms protection="All" loginUrl="Login.aspx">
</forms>
</authentication>
Default document is set as Home.aspx
<defaultDocument>
<files>
<add value="Home.aspx" />
</files>
</defaultDocument>
I have not removed any of the iis7 default documents. However, Home.aspx is first in the priority.
Take a look: Allowing anonymous access to default page
Did you try this:
<authorization>
<allow users="?" />
</authorization>
I think that will fix it.

Redirect user to Multiple Login Pages using ASP.NET Membership

Redirect the user to a login page dependent on the folder they are in. I have a web application with the root directory, which is used by all users, and the admin site.
People that require the authenticated functionality of the site would be required to log in and be redirected to root/login.aspx. However, when an Admin needs to log in to the root/admin/ section of the site, I want them to be redirected to the login form on root/admin/login.aspx.
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
I have this file in the root/admin directory. I have tried adding the following line, but it is giving an error.
<authentication>
<forms defaultUrl="default.aspx" loginUrl="default.aspx"></forms>
</authentication>
Basically I am trying to override the defaultUrl and loginUrl that exist in the main app.
You need to use the <location> element in your web.config. You can use the <location> tag to apply authorization settings to an individual file or directory.
<location path="/root">
<system.web>
<authentication mode="Forms" >
<forms name="LoginForm" defaultUrl="default.aspx"
loginUrl="/root/login.aspx" protection="Encryption"
timeout="30" path="/"/>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="/root/admin">
<system.web>
<authentication mode="Forms" >
<forms name="formName" defaultUrl="login.aspx"
loginUrl="/root/admin/login.aspx" protection="Encryption"
timeout="30" path="/"/>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
MSDN:
For centralized administration, settings can be applied in the Machine.config file. The settings in the Machine.config file define machine-wide policy and can also be used to apply application-specific configuration using <location> elements. Developers can provide application-configuration files to override aspects of machine policy. For ASP.NET Web applications, a Web.config file is located in the application's virtual root directory and optionally in subdirectories beneath the virtual root.
If you would like one login location and different access levels, you might want to use roles.
<location path="/root">
<system.web>
<authorization>
<allow roles="admin,root" /><!-- admin and root are allowed -->
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="/root/admin">
<system.web>
<authorization>
<allow roles="admin" /><!-- only admin is allowed -->
<deny users="*" />
</authorization>
</system.web>
</location>
Users can belong to more than one role. For example, if your site is a discussion forum, some users might be in the role of both Members and Moderators. You might define each role to have different privileges on the site, and a user who is in both roles would then have both sets of privileges.
You can access all these elements at the code level if you would like to manipulate the roles/authentication programmatically:
Page.User.Identity.Name
Page.User.Identity.IsAuthenticated
Page.User.Identity.AuthenticationType
Page.User.IsInRole("string");
Tutorials
4 Guys From Rolla Tutorial
The ASP.NET web.config File Demystified
