i created some pages in asp.net. but i want to allow the users only if he is login. how to do that. is there any controls available for that one.
Thank you
In the web.config there is a section below <system.web> where you can add:
<authorization>
<deny users="?" />
</authorization>
It is normal that you put pages that requires login in a certain sub-directory and thus you can put a new web.config in that folder with the above lines inside <system.web>, this will prevent unauthorized access.
MSDN has a great section about Forms Authentication that I recommend you to read.
Yes, you need a login page that uses Forms Authentication.
See details here
Related
I've got an ASP.NET MVC 4 application that I run under the site level of an IIS web site.
So the dir structure looks like this:
\IIS
\Site
\bin
\Content
\Views
The MVC 4 app uses Forms Authentication via Username and Password, but I have a requirement to lock down the full site and turn off anonymous authentication at the IIS level.
The goal of this requirement is to allow users only to land on a home page and logon page. The problem is if I turn off anonymous authentication then users can't even get to home or login.
Another thing we want to prevent a user from being able to go to /Content/Scripts/MyScript.js in their browser.
I'm using bundling so those file are there and don't get used by me besides when I bundle things up.
Is this even possible since IIS and MVC 4 auth are at completely different level? If it is possible what options do I have?
Chris Pratts answer is correct. You can successfully turn of anonymous authentication and let MVC4 handle all of that for you.
Make sure in your web.config you have the following
<modules runAllManagedModulesForAllRequests="true"></modules>
In your system.webserver section.
Another thing you can do is make use of the locations tags in IIS to prevent user access to different parts of the site.
For example, you could put this in your web.config
<location>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
This ensures that only authenticated users can access the site. You can then further refine this.
<location path="External">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Basically, now any request to /External will be allowed for all users (regardless of authentication). You will probably want to put all your scripts in here that you need unauthenticated users to access.
If there was a specific directory you didn't want anyone to access, you could do something like
<location path="/Content/Scripts">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
Now any access to that location will be prevented by default in IIS. Give that a try, it should satisfy your requirement to have the scripts available for bundling, but not accessible if someone browses directly to it.
I only halfway got what I wanted, but here is what I ended up doing. I have anonymous authentication enabled at the site level and used Forms authentication for specific controllers. This was how I originally had it so nothing changed here.
Since I am using bundles the users never really need to look at the .js so I used Request Filtering by file extension so block any .js and even .css I don't want exposed.
This works because the bundling doesn't make http requests to those files and the bundles themselves don't have the normal JavaScript and CSS file extensions.
You don't handle this at the IIS-level. You simply allow Anonymous Auth and then add [Authorize] to every controller. Then only on your home and login actions add the attribute [AllowAnonymous].
As to the second part of your question, you can't really stop this. MVC bundles on the fly, so it needs the actual files to be there. If they're never referenced, though, they're black holes: the user would have no way of knowing what file to request, so it's kind of security by obscurity.
I'm making a project on ASP.NET and I want that if the user is not registered with my site or not Login then he/she will not able to download. If I'm using session ID then I've to pass it on every link and page so is there a simple way to accomplish it?
If you're using the ASP.NET stock authentication system, you can just add a tag like this to your <system.web> element in web.config:
<authorization>
<deny users="?" />
</authorization>
StriplingWarriors answer will work for all unauthenticated users but if you are attempting to restrict specific users from doing/viewing specific things on the site (and assuming you are using the ASP.NET membership API to manage users) you can just check User.Identity.IsAuthenticated
i have a simple question
How to disable a folder with aspx pages in asp.net
Thw folder is "Administration" and i want to disable it that it cannot be called in browser by typing .../Administratin/edit.aspx, or that simple to redirect to a login page if we want to go to the administration part
First enable forms based authentication. This can be done for VB and C#.
Next you have to specify who will have access to what. This can be done in the web.config.
Apologies if these articles are a little out of date.
Use a locations element and config settings to restrict access to folders.
<location path="Administration">
<system.web>
<authorization>
<allow roles="Administrators" />
<deny users="*" />
</authorization>
</system.web>
</location>
Change the NTFS security permissions on the Administration Folder for
<drive>:\intepub\wwwroot\...\Administration
and restrict access via that way.
You can also right click go to properties in IIS for the folder and remove various granular browsing permissions.
You can also edit the web.config and change permissions there.
Where should I type the authentication code in order to validate the users trying to login to the website.
I have used login control in my website. Also I would appreciate few examples of codes which are generally used in authentication code.
.net has templates for login pages, password recovery, etc.
simply google for it or go here:
http://msdn.microsoft.com/en-us/library/ms178329.aspx
http://www.c-sharpcorner.com/UploadFile/sushmita_kumari/Logincontrol101312006002845AM/Logincontrol1.aspx?ArticleID=c33d0072-8f7c-4958-a7dc-ca1809737193
Not 100% what you mean. If you're using a Login control they can already authenticate with that.
Do you mean authorization? You need to check users are authorized to access your site if it is restricted to logged in users only. Say you have a part of your site called "importantstuff" that only logged in users can access. i.e. www.yoursite.com/importantstuff/. You would put this in your web.config outside of the <system.web></system.web> tags:
<location path="importantstuff">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
This would prevent unauthenticated users from accessing anything in the "importantstuff" directory.
When using a gridview and not logged into a asp.net website, the java scrpit does not appear to work.
If I am logged in as a user, any pages with gridviews work fine.
The only error I'm getting when checking the javascript with Firebug is
'ReferenceError: DES_ValOnSubmit is not defined.'
This is a reference to a Peter Blum javascript function, but have no idea why it would fail for anonymous users, and it does for logged in users.
Thanks for any help.
I'm not sure what your authentication scheme might be, but if you are using the authorization tags in the web.config file, you might need to make an explicit exception for your javascript if you are denying the anonymous user to sections of your web site. Something like this:
<location path="MyScriptFolder/MyPeterBlumJS.js">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
You can also just set the path to "MyScriptFolder" to allow all users access to your javascript as needed.