I have the following ASP.NET Forms Authentication configuration:
<system.web>
<authentication mode="Forms">
<forms name="MembershipCookie"
loginUrl="Login.aspx"
protection="All"
timeout="525600"
slidingExpiration="true"
enableCrossAppRedirects="true"
path="/">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="Home.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location
If an anonymous user visits the site and requests home.aspx should they be denied access and kicked to the Login.aspx page because the first rule <deny users="?" /> will match and further processing will stop?
The site is running on IIS7.5, ASP.NET 4.0 and the application pool is configured for Integrated Pipeline mode.
Update:
The reason for this question was to sanity check my understanding of ASP.NET 4.0's Forms Authentication behaviour (which was actually correct). There is a related follow up question which describes what looks like a bug in a hotfix (which is also rolled into Windows 2008R2 SP1) - KB980368:
ASP.NET 2.0 and 4.0 seem to treat the root url differently in Forms Authentication
If an user is accessing Home.aspx , it will use the configuration section for Home.aspx specified by <location /> and hence the user will not be kicked out to Login.aspx .
If a user access Home.aspx then the second rule will be applied i.e.
<location path="Home.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
The point to note here is: * tells that any authorized user (having any or no role assigned) could access the page, but ? tells unauthorized user could not access the page.
Related
I have a parent website (developed like 5 yrs before) say (sky) which I host in IIS7/IIS7.5 and configure it to use Form authentication and anonymous authentication. The web.config with entries as follows:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" protection="All" timeout="480" name=".ASPXAUTH" path="/" requireSSL="false" slidingExpiration="true" defaultUrl="~/Home" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
<location path="cloud">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Now I have a child website (developed 2 days ago) say (cloud) which I host under sky and configure it to use Windows authentication and anonymous authentication. Its own web.config has the following entries.
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
<identity impersonate="false" />
When I access sky/, I end up on the login form, which is expected. I enter the username/pass and I can browse the parent website absolutely fine.
Unfortunately, when I access sky/cloud/, a username/password prompt box shows up, I enter the correct creds, but it does not authenticate and I cannot browse the child website. It repeatedly throws the creds box.
I switched the priority of authentication provider to do NTLM first over Negotiate on cloud, still no luck.
Why does the new site need to be under the parent site? Gotta blame branding here :(
Any idea's on getting this working would be appreciated.
I have an ASP.NET WebForms application that was installed on IIS6 and working fine for quite some time. We are attempting to move that application to an IIS7 site, and the forms authentication is not working.
I am NOT using the Microsoft out of the box login control.
I am redirected properly to the login page. When I enter the credentials, the logging indicates that the credentials were correct. The code then redirects to the ReturnUrl query string value as expected. The cookie appears to be correctly created in the browser.
However, when the browser GET's the ReturnUrl, it redirects again to the login page.
web.config entry for the protected page:
<location path="HomeScreen.aspx">
<system.web>
<authorization>
<deny users="?" />
<allow roles="trm_members" />
<allow roles="trm_clients" />
<deny users="*" />
</authorization>
</system.web>
</location>
web.config entry for authentication:
<authentication mode="Forms">
<forms name=".ASPNETAUTH" loginUrl="Account-Registration/Account-Login.aspx" protection="None" timeout="30" />
</authentication>
Today I moved my application from a server with IIS6 to a new one with IIS7.5 (windows server 2008 R2).
The odd thing is that I cannot access the default document although it has been set in the default documents section. The file is the "deault.aspx" and when I try to access the page with ip I am getting http://[IP]/login.aspx?ReturnUrl=%2f, but it works fine If I access it directly.
This is the settings from web.config
<authentication mode="Forms">
<forms protection="All" loginUrl="login.aspx" name="CookieName" timeout="49200" requireSSL="false"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I've already tried to solve this with some of the suggestions that are written here [ Forms Authentication Ignoring Default Document ]
, but with no luck.
I want to solve it by configure somehow the server and not the application.
Thanks
SOLUTION
I don't know if it is the correct one, but I change the mode of the application pool into classic instead of integrated.
Add the following to the web.config and it will allow you to access Default.aspx without requiring prior authentication. All other pages will require authentication.
<location path="default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Just because a document is added as the default within the IIS configuration does not mean it bypasses the FormsAuthentication.
For me, removing the ExtensionlessUrl-* handler mappers in IIS Manager for the site in question did the trick. Even though all this does is adds the relevant entries to web.config that I had already tried with no luck.
I just start to learn web programming using IIS 7.5 in windows 2008 R2, and ASP.Net 4.
I notice that both IIS and ASP.Net can define Authentication rules. In IIS, there is a form authentication setting where I can redirect user to specified page for authentication, like below:
And then, in ASP web.config file, I find similar settings:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
When I finish both settings, I assume any page request will be redirect to the login.aspx page. But it didn't. So I am confused. How do the 2 sets of configs work together? And why page request is not redirected?
Thanks
Update
Finally I get it working and I think I understand it now. My website structure is like below:
It is about modifying Autherization rules. Deny all unauthorized users for root:
<authorization>
<deny users="?" />
</authorization>
CSS files should be allowed for all users, so I have Styles\web.config:
<authorization>
<allow users="*" />
</authorization>
and only allow unauthorized users to access register.aspx, so I have Account\web.config:
<location path="Register.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
There's another component you need to configure: authorization. If you don't, unauthorized users have access to all pages and will not be redirected to the login page. For example:
<authorization>
<deny users="?" />
</authorization>
This specifies that all unauthenticated users are denied access to pages in your application. The authorization element is part of the system.web configuration section.
When you set something in IIS with authentication ( in your case form authentication). It also change your mapped project webconfig file with the same settings. That's why you see same information in both modules.
I'm learning how to use the asp authentication, and I have created a test project for it. I have the Default page, the Login page and a Test folder with a Default page inside.
I want that Default page accesible for everyone (so, without authentication) and the "Test/Default.aspx" private. My "Web.config" is like this:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<system.web>
<authentication mode="Forms">
<forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH" >
</forms>
</authentication>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="Empresas">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
This way, when I access to the Test/Default.aspx page, I can enter even without authorization, and I don't know why. However, if I change "deny users=?" for "deny users=*", then I can't access even when I am authenticated, so the location tag is working correctly.
I change the password every time, just in case it was a cookies problem, but it isn't.
QUESTION: What is wrong in my web.config, or what do I have to do to create some pages privated?
Thank you very much in advance
how about allow users="?"
i.e. allow authenticated users