My website should have some parts that can only be seen when the user is authenticated, some parts that are visibile to everyone.
The forms authentication always redirects the user to the login page no matter what page is visited. Does that mean I should not use forms authentication? How can I solve this issue?
Use <location> element in web.config to set which pages are protected. You need to remove the authorization from the whole web site set it for each protected page in the <location> element.
A common approach is to place all protected pages in a separate folder and specify the location path to that folder.
Another one is to have a class which inherits System.Web.Page and at the Init event to redirect the user to some page, if is not authenticated. Every page should then inherit this page.
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
<location path="public">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
For me, the problem was the MachineKey. It's required to decrypt/encrypt the cookie if you are doing that (for example: a web farm). Because the app couldn't decrypt the cookie, even though it was getting passed back and forth, the app acted like the cookie wasn't even there. Adding this setting to web.config fixed it for me:
<machineKey compatibilityMode="Framework20SP2" validationKey="some_hard_coded_long_key" decryptionKey="another_hard_coded_long_key" validation="SHA1" />
See this article for more on the machinekey.
Related
I am baffled by this. I have a master page on top of a few pages, one of them is a login page. Here is a sample of web.config
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
...
<location path="~/Account/Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
From Default.aspx, I access About.aspx which requires a login. The About.aspx never gets hit, instead Login.aspx gets hit, then Site.master, then login again, then site.master again, and finally login.aspx, and master.aspx. Three times! ... Login-> Master are being hit 3 times! ... now... if I change the line of code from Web.config from
<location path="~/Account/Login.aspx">
to
<location path="Account">
Login->Master only get hit once. There is nothing else besides login.aspx/cs/designer in the Account folder. Why is this happening? I would like to control pages in the Account folder when I add more and not just lift the access to them all, but even
<location path="Account/Login.aspx">
(removed "~/") didn't do anything. Any help would be greatly appreciated.
You should allow all access to your MasterPage similar to how you allow anyone access to your Login page.
It will not be served up on it's own and doesn't need to be secured since the page that uses it should be locked down. Normally I have the root unsecured which has the login pages, master pages, about etc. I then have a secured area that has pages that use the master page from the root.
In my web application I want the anonymous user to browse only the login page, and It's OK now but it appears without style!
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
<location path="Style">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
Any help!
From this article:
Images and CSS files
Say you have all your images and CSS in a seperate folder called images and you are denying anonymous access to your website. In that case you might see that on your login page you cannot see images(if any) and css(if any) applied to your login page controls.
In that case you can add a web.config to the images and css folder and allow access to everyone to that folder. So your web.config in images folder should look as below:
<configuration>
<system.web>
<authorization>
<allow users="*"/> //Allow everyone
</authorization>
</system.web>
</configuration>
The most popular answer of:
<configuration>
<system.web>
<authorization>
<allow users="*"/> //Allow everyone
</authorization>
</system.web>
</configuration>
..is correct.. but if this fails to work then you need to verify that the Authentication is setup as you expect and that the user under which Anonymous is configured to run has read access to all of the folders you need.
NOTE: If you have multiple web.configs you may need to check each folder with its own web.config.
Check the Web Application
Open the "IIS/Authentication" for your web application and click "edit" on the entry marked "Anonymous Authentication".
If a specific user is specified then ensure that the specified user has access to your folders.
If "Application pool identity" is set then you will need to check the application pool configuration.
Check the Application Pool
Find the Application Pool for your app and click on "Advanced Settings" and search for the item named "Identity".
If the identity is "ApplicationPoolIdentity" then the group you will need to give access to your files to "IIS_IUSRS".
For more information on "IIS_IUSRS" please see: http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis/
use
<allow users="*" />
for styles folder, so every user can use the style.
using
<location path="admin">
<system.web>
<authorization>
<deny users="*" />
<allow users="?" />
</authorization>
</system.web>
</location>
you can allow access to Admin folder for only authenticated users.
I am working on Asp.net Application where I have 4 roles in my application. 1. Admin 2. User 3. Reseller 4. Affiliate. And I am Using Form Authentication for this everything was working fine for single role(User). But now i have 4 roles and I am not getting how to manage this. I have 4 folders for different Users.
If i login with reseller account and if i change the url for user then its allowing me to access user part also. But i don't want this. I need in my app that user can access only his access area. Means If your reseller logged in then he can only access reseller pages or same folder nothing else.
Please help me to find this solution.
You can use the web.config to set the permission or you can also get more granular and decorate the class or method you want to lock down like this:
[PrincipalPermissionAttribute(SecurityAction.Demand, Role = #"Administrators")]
All of this is part of the role manager that you can set up. Start by reading this article that explains what to do.
There's two things to look at here. First of all, restricting access to each folder by role ought to be straightforward enough if you use <location> elements in your web.config e.g.
<location path="Resellers">
<system.web>
<authorization>
<allow roles="Reseller"/>
<deny roles="*"/>
</authorization>
</system.web>
</location>
<location path="Users">
<system.web>
<authorization>
<allow roles="User"/>
<deny roles="*"/>
</authorization>
</system.web>
</location>
...
Also in your individual pages, you can call the IsUserInRole function to check whether your user is in the correct role to access the page.
You might want to get hold of a copy of Beginning ASP.NET Security, it's got great information on how to do this.
You need to set the appropriate authentication settings in a web.config file for each folder you are restricting access to, i.e.
<authorization>
<deny users="?" />
<allow roles="Administrators" />
<deny users="*" />
</authorization>
Will allow access only to validated users with the role of "Administrators".
In each of the folders you have to place a web.config file that restricts access to the role in question. For example, in the resellers folder you have a web.config containing:
<authorization>
<deny users="*"/>
<allow roles="Resellers"/>
</authorization>
And so on for the other folders.
use like below code:
<location path="Users">
<system.web>
<authorization>
<allow roles="Users"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
I am a beginner of asp.net..I currently have a login page with forgot password link button on the bottom of the screen. I am also using forms authentication to prevent an unauthorized user from accessing the other pages. The authentication seems to be working fine except for one thing. It prevents the user from accessing the password recovery page once the user click on the link button. How do I allow all users access to the login/password pages and also prevent them from viewing the other pages if they are not authenticated?
The code below is to prevent from other anonymous view other pages without access. But i got no idea on how to allow them to access password recovery page...
<authentication mode="Forms">
<forms loginUrl="/Presentation/Display/Login.aspx" name=".ASPNETAUTH" protection="All" path="/" timeout="120" cookieless="UseDeviceProfile" slidingExpiration="true"/>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?"/>
</authorization>
You need to use the <location> element to apply settings to a specific path, then add an <allow /> for non-logged-in users.
For example:
<location path="PasswordRecovery.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="Presentation/Display/PasswordRecovery.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
This allows anonymous users to view your password recovery page. You might want to do the same for the directory where your CSS and/or image resources are stored, in case they are required by your login page and/or your recovery page.
Use Location:
<location path="passwordrecovery.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I just start to learn web programming using IIS 7.5 in windows 2008 R2, and ASP.Net 4.
I notice that both IIS and ASP.Net can define Authentication rules. In IIS, there is a form authentication setting where I can redirect user to specified page for authentication, like below:
And then, in ASP web.config file, I find similar settings:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
When I finish both settings, I assume any page request will be redirect to the login.aspx page. But it didn't. So I am confused. How do the 2 sets of configs work together? And why page request is not redirected?
Thanks
Update
Finally I get it working and I think I understand it now. My website structure is like below:
It is about modifying Autherization rules. Deny all unauthorized users for root:
<authorization>
<deny users="?" />
</authorization>
CSS files should be allowed for all users, so I have Styles\web.config:
<authorization>
<allow users="*" />
</authorization>
and only allow unauthorized users to access register.aspx, so I have Account\web.config:
<location path="Register.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
There's another component you need to configure: authorization. If you don't, unauthorized users have access to all pages and will not be redirected to the login page. For example:
<authorization>
<deny users="?" />
</authorization>
This specifies that all unauthenticated users are denied access to pages in your application. The authorization element is part of the system.web configuration section.
When you set something in IIS with authentication ( in your case form authentication). It also change your mapped project webconfig file with the same settings. That's why you see same information in both modules.