asp.net wrong password just logs me in - asp.net

I have a simple website with ASP.NET membership authentication. For some reason, whichever password I type for any user just logs me in. Whether I type fffffffff or 55555555 as the password for any user, I am just logged in.
It wasn't behaving this way just 1 day back. Any ideas what could be wrong, or where I should start troubleshooting from?

Make sure you have:
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
in your Web.config and not:
<allow users="*"/> or <allow users="?"/>
to ensure that you're not allowing anonymous access.

Check the web.config and see if you have the code to prevent anonymous users logging in and to redirect them.

Related

Login page not redirecting properly

I have created 2 folders in my asp.net project. (Account and AdminFolder)
I want to restrict the Register.aspx page to Admin users only.
My Login.aspx page is in the Account folder and I have included a web.config in that folder with the following code;
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
I have placed the Register.aspx file in the AdminFolder with the following web.config code.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
In testing this approach out, I have tried to launch the application by going directly to the Register.aspx file. As expected, I am redirected to the Login.aspx page.
The url showing up in the browser is
http://localhost:49319/Account/Login.aspx?ReturnUrl=%2fAdminFolder%2fRegister.aspx
I login as an Admin user and I can see that I am logged in as my header hyperlink changes to logout. (I can also navigate to other files in Account to confirm I am logged in) However, the application remains at the login page instead of redirecting to the Register.aspx page.
I expected to be redirected to the Register.aspx page when login was successful.
Even once I am logged in as Admin user, I am unable to navigate directly to the Register.aspx page. I am redirected to Login.aspx.
I confirmed (by way of my Sql Server database) that the user in my test case is in the Admin role.
Can anyone nudge me in the right direction here? Thanks in advance for your time and consideration.
Try Changing your web.config in AdminFolder to:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Typically that is the RoleName as it appears in the DB.
I see my error. I was allowing Admin role and then denying all roles (which would include Admin). I should have used the following in AdminFolder
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Thanks for all the feedback.

asp.net (IIS 7.5) images/css give 500 error but work fine after login

I have a smart-card enabled website where in IIS, Anonymous Authentication is disabled, SSL is enabled.
The IIS root also has Anonymous Authentication disabled, but Active Directory Client Certificate Authentication enabled.
Static Content role service is also installed.
In the web.config, I have
<authorization>
<deny users="?"/>
</authorization>
Following that, I have
<location path="/css/main.css">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
In both the css and images folders, I also have web.config files consisting of:
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
I use an AppPool running with a custom identity, let's say APUser
On the web server for those folders, I have permissions set to read for APUser, IUSR, Anonymous Logon, Users, IIS_IUSRS, and Everyone.
The url is in trusted sites on the browser.
Initially, the images and css return error 500 (using network capture with dev tools). After logging in, they show fine.
Same issue running on the server itself.
If I enable Anonymous Authentication in IIS, disable Active Directory Client Certificate, and change deny users="?" to allow users="*", everything works fine.
What am I missing to disable Anonymous Authentication, but still show images/css?
web.config authorization settings work sequentially. That is, since you are denying unauthenticated users with the following, it does not read any more of your config.
<authorization>
<deny users="?"/>
</authorization>
Read here.
Remarks: At run time, the authorization module iterates through the <allow> and <deny> tags until it finds the first access rule that fits a particular user. It then grants or denies access to a URL resource depending on whether the first access rule found is an <allow> or a <deny> rule. The default authorization rule in the Machine.config file is <allow users="*"/> so, by default, access is allowed unless configured otherwise.
Change it so that they come before your deny unauthenticated user part.
<location path="/css/main.css">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<authorization>
<deny users="?"/>
</authorization>
From "Allow" on MSDN here
"users
Required String attribute.
A comma-separated list of user names that are denied access to the resource. A question mark (?) denies anonymous users and an asterisk (*) indicates that all users are denied access."
Now, I take it that there's an error in there and they want to say "allow".
So you want <allow users="?,*" />
Under Group Policy for "Impersonate a client after authentication", add IIS_IUSRS

asp.net forms authentication always redirects

My website should have some parts that can only be seen when the user is authenticated, and some parts that are visible to everyone.
The forms authentication always redirects the user to the login page no matter what page is visited. Does that mean I should not use forms authentication? How can I solve this issue?
Use the <location> element in web.config to set which pages are protected. You need to remove the authorization from the whole web site and set it for each protected page in the <location> element.
A common approach is to place all protected pages in a separate folder and specify the location path to that folder.
Another one is to have a class which inherits System.Web.UI.Page and, at the Init event, redirects the user to some page if they are not authenticated. Every page should then inherit this page.
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
<location path="public">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
For me, the problem was the MachineKey. It's required to decrypt/encrypt the cookie if you are doing that (for example: a web farm). Because the app couldn't decrypt the cookie, even though it was getting passed back and forth, the app acted like the cookie wasn't even there. Adding this setting to web.config fixed it for me:
<machineKey compatibilityMode="Framework20SP2" validationKey="some_hard_coded_long_key" decryptionKey="another_hard_coded_long_key" validation="SHA1" />
See this article for more on the machinekey.

Error 401.1 when trying to login

I have a folder inside my web application which requires a login. In web.config I have the following:
<location path="Admin">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
I can't log in; it always displays the login dialog box even though the credentials are correct.
Anyone any ideas ?
Here was the answer:
iis 7 disable windows auth

Forms authentication Of Asp.net

I am working on an ASP.NET application where I have 4 roles: 1. Admin 2. User 3. Reseller 4. Affiliate. I am using forms authentication for this, and everything was working fine for a single role (User). But now I have 4 roles and I am not getting how to manage this. I have 4 folders for the different users.
If I log in with a reseller account and change the URL to the user folder, it allows me to access the user part as well. But I don't want this. I need my app to let a user access only his own area. That means if a reseller is logged in, he can only access reseller pages in that folder, nothing else.
Please help me find a solution.
You can use the web.config to set the permission or you can also get more granular and decorate the class or method you want to lock down like this:
[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
All of this is part of the role manager that you can set up. Start by reading this article that explains what to do.
There's two things to look at here. First of all, restricting access to each folder by role ought to be straightforward enough if you use <location> elements in your web.config e.g.
<location path="Resellers">
<system.web>
<authorization>
<allow roles="Reseller"/>
<deny roles="*"/>
</authorization>
</system.web>
</location>
<location path="Users">
<system.web>
<authorization>
<allow roles="User"/>
<deny roles="*"/>
</authorization>
</system.web>
</location>
...
Also in your individual pages, you can call the IsUserInRole function to check whether your user is in the correct role to access the page.
You might want to get hold of a copy of Beginning ASP.NET Security, it's got great information on how to do this.
You need to set the appropriate authentication settings in a web.config file for each folder you are restricting access to, i.e.
<authorization>
<deny users="?" />
<allow roles="Administrators" />
<deny users="*" />
</authorization>
Will allow access only to validated users with the role of "Administrators".
In each of the folders you have to place a web.config file that restricts access to the role in question. For example, in the resellers folder you have a web.config containing:
<authorization>
<!-- the allow rule must come before the deny-all rule: the first matching rule wins -->
<allow roles="Resellers"/>
<deny users="*"/>
</authorization>
And so on for the other folders.
Use code like the one below:
<location path="Users">
<system.web>
<authorization>
<allow roles="Users"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
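A small Python model of the first-match rule evaluation described in the IIS 7.5 answer above and relied on by the per-folder role configs in this last question. It is an added example, not code from any of the posts or from ASP.NET itself; it assumes the machine.config default <allow users="*"/> as the fall-through, compares user and role names case-insensitively, and ignores the verbs attribute.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str = ""                        # empty name models an anonymous request
    roles: set = field(default_factory=set)

    @property
    def authenticated(self) -> bool:
        return bool(self.name)

def _user_match(attr: str, p: Principal) -> bool:
    # "*" is everyone, "?" is anonymous only, anything else is a user name (case-insensitive, assumed)
    for u in (x.strip() for x in attr.split(",") if x.strip()):
        if u == "*" or (u == "?" and not p.authenticated):
            return True
        if p.authenticated and u.lower() == p.name.lower():
            return True
    return False

def _role_match(attr: str, p: Principal) -> bool:
    # roles have no wildcard here: a listed role must be one the principal actually holds
    wanted = {r.strip().lower() for r in attr.split(",") if r.strip()}
    return bool(wanted & {r.lower() for r in p.roles})

def is_allowed(p: Principal, *authorization_xmls: str) -> bool:
    """Evaluate <authorization> fragments most-specific first (folder config, then its parents).
    The first <allow>/<deny> matching the principal decides; with no match, the machine.config
    default <allow users="*"/> grants access. The verbs attribute is ignored in this model."""
    for xml in authorization_xmls:
        for rule in ET.fromstring(xml):
            if rule.tag in ("allow", "deny") and (
                _user_match(rule.get("users", ""), p) or _role_match(rule.get("roles", ""), p)
            ):
                return rule.tag == "allow"
    return True

# Constructed fragments in the shapes used by the posts above.
ADMIN_ONLY = '<authorization><allow roles="Admin"/><deny users="*"/></authorization>'
ADMIN_THEN_DENY_ANON = '<authorization><allow roles="Admin"/><deny users="?"/></authorization>'
DENY_ALL_FIRST = '<authorization><deny users="*"/><allow roles="Resellers"/></authorization>'
ROOT_DENY_ANON = '<authorization><deny users="?"/></authorization>'
FOLDER_ALLOW_ALL = '<authorization><allow users="*"/></authorization>'

if __name__ == "__main__":
    bob = Principal("bob", {"User"})
    print(is_allowed(bob, ADMIN_ONLY), is_allowed(bob, ADMIN_THEN_DENY_ANON))  # False True
    print(is_allowed(Principal(), FOLDER_ALLOW_ALL, ROOT_DENY_ANON))            # True
```

Note that <allow roles="Admin"/> followed only by <deny users="?"/> lets every signed-in user through, because a non-admin matches neither rule and falls to the default allow; a deny-all rule placed before an allow shadows it entirely.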
