forms authentication asp.net vb - asp.net

I have a log in page which is the home page so is located at www.domainname.com
when someone goes to this page it adds a returnurl to the string so they are at:
www.domainname.com/default.aspx?ReturnUrl=%2f so when they log in they get returned to http://www.domainname.com/, which is the login page again, so to access the site they have to login twice.
Does anyone know how to fix this? I think a fix to this would be to allow everyone access to the home page - http://www.domainname.com/ as well as http://www.domainname.com/default.aspx but I'm not sure how to achieve this.
I want all user roles to be denied access to every page apart from the home page before they log in. I also have an admin/cms section that only Admin roles can access, but everyone can access the cms login page.
I currently have this in my web.config
<authentication mode="Forms">
<forms protection="All" loginUrl="default.aspx" defaultUrl="~/home/" />
</authentication>
<authorization>
<allow roles="Admin, User"/>
<deny users="?" />
</authorization>
<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="cms/default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="cms">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

Well, I seemed to have done it a bit by luck.
I just changed
<authentication mode="Forms">
<forms protection="All" loginUrl="default.aspx" defaultUrl="~/home/" />
</authentication>
To
<authentication mode="Forms">
<forms protection="All" loginUrl="/" defaultUrl="~/home/" />
</authentication>

You should send them to the page you want them to default to. What you should do is create the login page on a separate page (login.aspx, for instance) and then make the default.aspx page the home page. Then when they go to default.aspx they will be redirected to login.aspx?ReturnURL=%2f.

Yes, we can use the above solution. One problem here is when we are using SEO implementation. To achieve your requirement, you can use URLRewrite.
http://weblogs.asp.net/scottgu/archive/2010/04/20/tip-trick-fix-common-seo-problems-using-the-url-rewrite-extension.aspx

Related

using RedirectFromLoginPage on different pages

I'm using a login and a database to check if a user is in there, then send the user to my "locked" page.
It works nicely and all, but only from Default.aspx; the user can click around to other pages, but the form is on all my pages until the user logs in.
How do I change this to work on all my pages, including when the user wants to log off:
<authentication mode="Forms">
<forms loginUrl="Default.aspx" defaultUrl="inloggad/rosta.aspx">
<credentials passwordFormat="Clear">
</credentials>
</forms>
</authentication>
You have to create the roles such as customer, admin and then add the following in your web.config.
<location path="/">
<system.web>
<authorization>
<allow roles="Administrators" />
<allow roles="customers" />
<deny users="*" />
</authorization>
</system.web>
</location>

How to have compulsory login in asp.net for a particular page

I have created a default master page site with login and register options.
When you create the default page you get three menu options, i.e. HOME, ABOUTUS, CONTACTUS.
I have added one more menu option, i.e. ADMIN.
Whenever someone clicks ADMIN, they are supposed to be required to log in.
How can I do it?
Currently anyone can surf all menu pages without logging in.
I want to make it compulsory.
Please help; basically I need a members-only page.
You can use the location config to specify the path of either a folder or page, see below for example and link to Microsoft details.
http://msdn.microsoft.com/en-us/library/ff648345.aspx
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="https://myserver/mywebapp/secure/Login.aspx"
protection="All"
timeout="30"
name="AppNameCookie"
path="/FormsAuth"
requireSSL="true"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
<!-- Deny access to unauthenticated users -->
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</configuration>
<!-- Allow unrestricted access to the folder with the login page -->
<location path="secure">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Add this section to your application's web.config file to deny all unauthenticated users access to the location admin_page.aspx:
<configuration>
<location path="admin_page.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
Read this for more information about Control Authorization Permissions in an ASP.NET Application

Allow access for unauthenticated users to specific page using ASP.Net Forms Authentication

I am using ASP.Net Forms Authentication. My Web.config looks like this.
<authentication mode="Forms">
<forms loginUrl="login.aspx"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>
So currently every aspx page requires authentication.
I want to allow access to even unauthenticated users to a specific page named special.aspx.
How can I do this?
Take a look at the example on MS Support
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this
application except for those that you have not explicitly
specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated
user access to the ThePageThatUnauthenticatedUsersCanVisit.aspx
page only. It is located in the same folder
as this configuration file. -->
<location path="ThePageThatUnauthenticatedUsersCanVisit.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated
user access to all of the files that are stored
in the TheDirectoryThatUnauthenticatedUsersCanVisit folder. -->
<location path="TheDirectoryThatUnauthenticatedUsersCanVisit">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
Put the following in your web.config:
<location path="special.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<!-- path here is the path to your register.aspx page -->
<location path="register.aspx">
<system.web>
<authorization>
<!-- this will allow access to everyone to register.aspx -->
<allow users="*"/>
</authorization>
</system.web>
</location>
For more detail follow the below link
http://weblogs.asp.net/gurusarkar/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config
Allow everyone to access a particular page
Sometimes you want to allow public access to some page and restrict access to the rest of the site to logged-in / authenticated users only, i.e. do not allow anonymous access. Say your special.aspx is in your site's root folder. In the web.config of your website's root folder you need to have the following setup.
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization>
<!-- this will restrict anonymous user access -->
<deny users="?"/>
</authorization>
</system.web>
<!-- path here is the path to your special.aspx page -->
<location path="special.aspx">
<system.web>
<authorization>
<!-- this will allow access to everyone to special.aspx -->
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>

ASP.NET Page Unauthorization for common pages

I am developing a web application which has forms-based authentication. All pages need to be authenticated except the AboutUs and ContactUs pages.
I configured everything correctly except the AboutUs and ContactUs pages. Since I am denying all users in the authorization section, the application is redirecting even if the customer browses the AboutUs and ContactUs pages.
Configuration Rules
<authentication mode= "Forms">
<forms name=".ASPXAUTH" loginUrl="Login.aspx" timeout="20" protection="All" slidingExpiration="true" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
Could you please let me know how I can tell asp.net to remove these pages from authorization?
Thanks,
Mahesh
Try this:
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH"
protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this application except for
those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated user access to the AboutUs.aspx page
only. It is located in the same folder as this configuration file. -->
<location path="AboutUs.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated user access to the ContactUs.aspx
page only. It is located in the same folder as this configuration file. -->
<location path="ContactUs.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>

How do I grant anonymous access to a url using FormsAuthentication?

For the most part, my webapp requires authentication to do anything. There are a few pages, namely the homepage, that I'd like people to be able to access without authenticating.
Specifically, I'd like to allow anonymous access to these urls:
/home
/default.aspx
I'm using asp.net MVC and FormsAuthentication. Both urls point to the same view:
/home/index.aspx
Here is my current configuration in web.config.
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
Reading the documentation for the authorization tag, it says "Configures the authorization for a Web application, controlling client access to URL resources." It seems like I should be able to use the authorization tag to specify a url and allow access.
Something like:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
<authorization url="/default.aspx">
<allow users="?" />
</authorization>
<authorization url="/home">
<allow users="?" />
</authorization>
I hate to answer my own question, but since I did end up figuring it out, I figure I'd share the knowledge.
Use the location tag and put the allow and deny tags in the correct order.
The location tag can be used to configure a specific url resource. In my case I wanted to configure a few urls and folders specifically.
This didn't work at first because I didn't have the allow/deny in the correct order. According to MSDN, "the authorization module grants or denies access to a URL resource depending on whether the first access rule found is an allow or a deny rule."
In my case I needed to put all my public stuff first (default.aspx, home, styles, images, scripts) and then I put a deny on everything else. I left out the path on the last location tag. That makes it apply to all files and subfolders.
End result, a user can get to the homepage, pull up images and styles, but for everything else must log in.
Here's my web config file now:
<!--AUTHORIZATION AND AUTHENTICATION RULES-->
<location path="default.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="Home">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="Styles">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="Scripts">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="images">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location allowOverride="true">
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" slidingExpiration="true" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
<!--END AUTHORIZATION AND AUTHENTICATION RULES-->
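
The first-match evaluation quoted from MSDN in the answer above, as an added example that is not part of the original posts: a simplified Python model of URL authorization that walks the rules from the most specific matching location element to the site root and stops at the first rule that matches. Assumptions: one web.config only, the verbs attribute is ignored, the function names are hypothetical, and the sample config is constructed from the first question's rules wrapped in a configuration root.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first question's rules wrapped in a <configuration> root.
WEB_CONFIG = """<configuration>
  <system.web><authorization>
    <allow roles="Admin, User"/><deny users="?"/>
  </authorization></system.web>
  <location path="default.aspx"><system.web><authorization>
    <allow users="*"/>
  </authorization></system.web></location>
  <location path="cms/default.aspx"><system.web><authorization>
    <allow users="*"/>
  </authorization></system.web></location>
  <location path="cms"><system.web><authorization>
    <allow roles="Admin"/><deny users="*"/>
  </authorization></system.web></location>
</configuration>"""

def _names(value):
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}

def _matches(rule, user, roles):
    users = _names(rule.get("users"))
    if "*" in users or (user is None and "?" in users):
        return True
    if user is not None and user.lower() in users:
        return True
    return bool(_names(rule.get("roles")) & {r.lower() for r in roles})

def rules_for(config_xml, url_path):
    """Rules ordered from the most specific matching <location> to the site root."""
    root = ET.fromstring(config_xml)
    url = url_path.strip("/").lower()
    scopes = [(-1, root.findall("system.web/authorization/*"))]
    for loc in root.findall("location"):
        path = (loc.get("path") or "").strip("/").lower()
        if path == "" or url == path or url.startswith(path + "/"):
            scopes.append((len(path), loc.findall("system.web/authorization/*")))
    scopes.sort(key=lambda s: s[0], reverse=True)
    return [rule for _, rules in scopes for rule in rules]

def is_allowed(config_xml, url_path, user=None, roles=()):
    for rule in rules_for(config_xml, url_path):
        if _matches(rule, user, roles):
            return rule.tag == "allow"  # the first matching rule decides
    return True  # nothing matched: inherited default <allow users="*"/>
```

Running the model shows two things worth checking in a real config: an authenticated user with no roles passes the root rules because neither rule matches and the inherited allow applies, and swapping the two rules under the cms location locks out Admin as well.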
