Develop Reference

Login page not redirecting properly

I have created 2 folders in my asp.net project. (Account and AdminFolder)
I want to restrict the Register.aspx page to Admin users only.
My Login.aspx page is in the Account folder and I have included a web.config in that folder with the following code;
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
I have placed the Register.aspx file in the AdminFolder with the following web.config code.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
In testing this approach out, I have tried to launch the application by going directly to the Register.aspx file. As expected, I am redirected to the Login.aspx page.
The url showing up in the browser is
http://localhost:49319/Account/Login.aspx?ReturnUrl=%2fAdminFolder%2fRegister.aspx
I login as an Admin user and I can see that I am logged in as my header hyperlink changes to logout. (I can also navigate to other files in Account to confirm I am logged in) However, the application remains at the login page instead of redirecting to the Register.aspx page.
I expected to be redirected to the Register.aspx page when login was successful.
Even once I am logged in as Admin user, I am unable to navigate directly to the Register.aspx page. I am redirected to Login.aspx.
I confirmed (by way of my Sql Server database) that the user in my test case is in the Admin role.
Can anyone nudge me in the right direction here? Thanks in advance for you time and consideration.

Try Changing your web.config in AdminFolder to:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Typically that is the RoleName as it appears in the DB.

I see my error. I was allowing Admin role and then denying all roles (which would include Admin). I should have used the following in AdminFolder
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Thanks for all the feedback.

UI design is not working(CSS is not loading)

I developed a web application having LDAP authentication. So when I load my login page for the initial time, it won't take any CSS styles and when I login to the system, the inner page designes are perfectly OK. And when I logout, it navigates to login page and now the login page design is perfectly ok and it loads all the CSS files perfectly.
If I clear the history and refresh the login page, the login page won't load perfectly. The CSS files will not load perfectly.
Before integrating LDAP to the application, it works perfectly for all the time.
Can anybody come up with a solution, please?
setting in webconfig
<authentication mode="Forms">
<forms loginUrl="syslogin.aspx" name="adAuthCookie" timeout="10" path="/">
</forms>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
<identity impersonate="true"/>
updated webconfig
<location path="img">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I wrote this code to access the image from the folder "img" which I set as background of a div and it's actually the logo. But it won't work.
Regards,
Sivajith

Add a <location> Rule in your web.config to allow anonymous users to your static ressources, if all your styles, scripts, images etc. are in the /static directory, use:
<location path="/static">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

implement form authentication on some pages not all pages

I want to implement form authentication on some pages not all pages.
In my application many other pages are there which I want make as public like contact us, about us and all.
For some pages I want to implement form authentication.
Please help me on this.
<authorization>
<deny users ="?" />
<allow users = "*" />
</authorization>

If you had a directory called "Administration" which contained all the administration pages, you could add the following to your web.config:
<location path="Administration">
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
Then only users in the role "Admin" can access the pages in the "Administration" directory. The path can also be substituted for a specific page rather than a directory if required.

You can create different directories for different pages. For example those pages that you want to make public to every one can be in one folder and put a web.config file on that folder allowing to all users.

Try Something like that
<configuration>
<location path="test.aspx">
<system.web>
<authorization>
<allow users="?"/>
<deny users="*" />
<authorization>
</system.web>
</location>
</configuration>
Check For More knowledge
Hope it works for you.

Access Rules on individual pages ASP.net

I am using site map for navigation in my website. Is there any way that I could imply access rules on specific pages based on individual user, not on roles based. Each user will have its access right to each page.
I have explored access rules security, its implying on individual user but on folder based, not page based.
I don't want to create new table in database that will have each page path info.

You can use a <location> element in web.config to specify users per-page.
<configuration>
<location path="JohnsPage.aspx">
<system.web>
<authorization>
<allow users="John" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
This works based from the username the user is logged in as. If you're using integrated windows authentication don't forget you might need to specify the domain too like <allow users="DOMAIN\John" />

You can confugure it in web.config as follows:
<?xml version="1.0"?>
<configuration>
<location path="AnyUserPage.aspx">
<system.web>
<authorization>
<allow users="AnyUser" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>

Problem in login page in asp.net

I have created a login page. In this page i used div tag which is mapped with images for good design purposes. i have enabled the forms authentication in web.config.
So finally images i mapped in div is not appearing in the login page.
please help me!

If the images are not meant to be protected and should be visible on all pages, then I would add a location tag in the main web.config:
<location path="images">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

Add a web.config file to your images directory containing the following:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
This will allow your login page, which is usually viewed by unauthenticated users, to show images.

I assume the images are not displaying due to access? Where do the images exist? If they exist in a directory that is locked down to forms authentication, the pictures cannot display.
Try adding a web.config file to your images directory and to allow public access to these files.
Here is what the web.config should contain:
<?xml version="1.0"?>
<configuration>
<location path="images">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<!-- Your normal web.config stuff here -->
</system.web>
</configuration>
Also check your IIS settings for the application in general to make sure you are allowing anonymous access.
EDIT: Make sure to move your images to a folder that does not require authorization. If you have them in the same directory as your secured aspx pages then you won't be able to access them.
EDIT 2: Included the info provide by Thomas and Sky Sanders as it included a better solution. See comment threads on answers for more information.