I am trying to use Forms Authentication for the first time. This is what I have in my web.config:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name="Login" slidingExpiration="true" timeout="30" path="/">
</forms>
</authentication>
<authorization>
<allow users="*" />
</authorization>
The website I am working on doesn't actually need any authentication because the page should be accessible without logging in. So that's why I'm allowing all users. I am very new to this so there's probably something obvious I'm doing wrong, but all pages seem to redirect to Login.aspx, even though I'm allowing all users.
All help is very much appreciated. Thanks.
UPDATE:
As one answer directed, I changed the code to the below (changed * to ?) but I still have the same problem:
<authorization>
<allow users="?" />
</authorization>
Asterisk stands for any authenticated user which does not include anonymous users. Use question to allow anonymous users:
<allow users="?" />
I came at this page having the same problem, and see that 5 years later this has never been properly answered.. You needed to specify the following in web.config:
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Meaning that you deny access to all anonymous users, and allowing access to all authenticated users.
Related
I have a parent website (developed like 5 yrs before) say (sky) which I host in IIS7/IIS7.5 and configure it to use Form authentication and anonymous authentication. The web.config with entries as follows:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" protection="All" timeout="480" name=".ASPXAUTH" path="/" requireSSL="false" slidingExpiration="true" defaultUrl="~/Home" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
<location path="cloud">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Now I have a child website (developed 2 days ago) say (cloud) which I host under sky and configure it to use Windows authentication and anonymous authentication. Its own web.config has the following entries.
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<identity impersonate="false" />
When I access sky/, I end up on the login form, which is expected. I enter the username/pass and I can browse the parent website absolutely fine.
Unfortunately, when I access sky/cloud/, a username/password prompt box shows up, I enter the correct creds, but it does not authenticate and I cannot browse the child website. It repeatedly throws the creds box.
I switched the priority of authentication provider to do NTLM first over Negotiate on cloud, still no luck.
Why does the new site need to be under the parent site? Gotta blame branding here :(
Any idea's on getting this working would be appreciated.
In my web config, I've specified:
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" loginUrl="~/SignIn.aspx" defaultUrl="~/Secure/Default.aspx" timeout="20" requireSSL="false"/>
</authentication>
<authorization>
<allow users="*"/>
<deny users="?"/>
</authorization>
I assumed that no matter what page I tried to browse to initially, the asp.net framework would automatically redirect me to the signin page, but this is not the behavior I'm experiencing. Am I missing something?
You should revert the authorization element so that it disallows anonymous users first.
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
You have allow users = *, remove that line because it by default logs in every user. login url will be hit when a user is not authenticated but you are by default authenticating all the users.
I have the following ASP.NET Forms Authentication configuration:
<system.web>
<authentication mode="Forms">
<forms name="MembershipCookie"
loginUrl="Login.aspx"
protection="All"
timeout="525600"
slidingExpiration="true"
enableCrossAppRedirects="true"
path="/">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="Home.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location
If an anonymous user visits the site and requests home.aspx should they be denied access and kicked to the Login.aspx page because the first rule <deny users="?" /> will match and further processing will stop?
The site is running on IIS7.5, ASP.NET 4.0 and the application pool is configured for Integrated Pipeline mode.
Update:
The reason for this question was to sanity check my understanding of ASP.NET 4.0's Forms Authentication behaviour (which was actually correct). There is a related follow up question which describes what looks like a bug in a hotfix (which is also rolled into Windows 2008R2 SP1) - KB980368:
ASP.NET 2.0 and 4.0 seem to treat the root url differently in Forms Authentication
If an user is accessing Home.aspx , it will use the configuration section for Home.aspx specified by <location /> and hence the user will not be kicked out to Login.aspx .
If a user access Home.aspx then the second rule will be applied i.e.
<location path="Home.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
The point to note here is: * tells that any authorized user (having any or no role assigned) could access the page, but ? tells unauthorized user could not access the page.
I am a beginner of asp.net..I currently have a login page with forgot password link button on the bottom of the screen. I am also using forms authentication to prevent an unauthorized user from accessing the other pages. The authentication seems to be working fine except for one thing. It prevents the user from accessing the password recovery page once the user click on the link button. How do I allow all users access to the login/password pages and also prevent them from viewing the other pages if they are not authenticated?
The code below is to prevent from other anonymous view other pages without access. But i got no idea on how to allow them to access password recovery page...
<authentication mode="Forms">
<forms loginUrl="/Presentation/Display/Login.aspx" name=".ASPNETAUTH" protection="All" path="/" timeout="120" cookieless="UseDeviceProfile" slidingExpiration="true"/>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?"/>
</authorization>
You need to use the <location> element to apply settings to a specific path, then add an <allow /> for non-logged-in users.
For example:
<location path="PasswordRecovery.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="Presentation/Display/PasswordRecovery.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
This allows anonymous users to view your password recovery page. You might want to do the same for the directory where your CSS and/or image resources are stored, in case they are required by your login page and/or your recovery page.
Use Location:
<location path="passwordrecovery.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I'm learning how to use the asp authentication, and I have created a test project for it. I have the Default page, the Login page and a Test folder with a Default page inside.
I want that Default page accesible for everyone (so, without authentication) and the "Test/Default.aspx" private. My "Web.config" is like this:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<system.web>
<authentication mode="Forms">
<forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH" >
</forms>
</authentication>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="Empresas">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
This way, when I access to the Test/Default.aspx page, I can enter even without authorization, and I don't know why. However, if I change "deny users=?" for "deny users=*", then I can't access even when I am authenticated, so the location tag is working correctly.
I change the password every time, just in case it was a cookies problem, but it isn't.
QUESTION: What is wrong in my web.config, or what do I have to do to create some pages privated?
Thank you very much in advance
how about allow users="?"
i.e. allow authenticated users