I'm learning how to use the asp authentication, and I have created a test project for it. I have the Default page, the Login page and a Test folder with a Default page inside.
I want that Default page accesible for everyone (so, without authentication) and the "Test/Default.aspx" private. My "Web.config" is like this:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<system.web>
<authentication mode="Forms">
<forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH" >
</forms>
</authentication>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="Empresas">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
This way, when I access to the Test/Default.aspx page, I can enter even without authorization, and I don't know why. However, if I change "deny users=?" for "deny users=*", then I can't access even when I am authenticated, so the location tag is working correctly.
I change the password every time, just in case it was a cookies problem, but it isn't.
QUESTION: What is wrong in my web.config, or what do I have to do to create some pages privated?
Thank you very much in advance
how about allow users="?"
i.e. allow authenticated users
Related
I am baffled by this. I have a master page on top of a few pages, one of them is a login page. Here is a sample of web.config
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
...
<location path="~/Account/Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
From Default.aspx, I access About.aspx which requires a login. The About.aspx never gets hit, instead Login.aspx gets hit, then Site.master, then login again, then site.master again, and finally login.aspx, and master.aspx. Three times! ... Login-> Master are being hit 3 times! ... now... if I change the line of code from Web.config from
<location path="~/Account/Login.aspx">
to
<location path="Account">
Login->Master only get hit once. There is nothing else besides login.aspx/cs/designer in the Account folder. Why is this happening? I would like to control pages in the Account folder when I add more and not just lift the access to them all, but even
<location path="Account/Login.aspx">
(removed "~/") didn't do anything. Any help would be greatly appreciated.
You should allow all access to your MasterPage similar to how you allow anyone access to your Login page.
It will not be served up on it's own and doesn't need to be secured since the page that uses it should be locked down. Normally I have the root unsecured which has the login pages, master pages, about etc. I then have a secured area that has pages that use the master page from the root.
I am trying to use Forms Authentication for the first time. This is what I have in my web.config:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name="Login" slidingExpiration="true" timeout="30" path="/">
</forms>
</authentication>
<authorization>
<allow users="*" />
</authorization>
The website I am working on doesn't actually need any authentication because the page should be accessible without logging in. So that's why I'm allowing all users. I am very new to this so there's probably something obvious I'm doing wrong, but all pages seem to redirect to Login.aspx, even though I'm allowing all users.
All help is very much appreciated. Thanks.
UPDATE:
As one answer directed, I changed the code to the below (changed * to ?) but I still have the same problem:
<authorization>
<allow users="?" />
</authorization>
Asterisk stands for any authenticated user which does not include anonymous users. Use question to allow anonymous users:
<allow users="?" />
I came at this page having the same problem, and see that 5 years later this has never been properly answered.. You needed to specify the following in web.config:
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Meaning that you deny access to all anonymous users, and allowing access to all authenticated users.
I have the following ASP.NET Forms Authentication configuration:
<system.web>
<authentication mode="Forms">
<forms name="MembershipCookie"
loginUrl="Login.aspx"
protection="All"
timeout="525600"
slidingExpiration="true"
enableCrossAppRedirects="true"
path="/">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="Home.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location
If an anonymous user visits the site and requests home.aspx should they be denied access and kicked to the Login.aspx page because the first rule <deny users="?" /> will match and further processing will stop?
The site is running on IIS7.5, ASP.NET 4.0 and the application pool is configured for Integrated Pipeline mode.
Update:
The reason for this question was to sanity check my understanding of ASP.NET 4.0's Forms Authentication behaviour (which was actually correct). There is a related follow up question which describes what looks like a bug in a hotfix (which is also rolled into Windows 2008R2 SP1) - KB980368:
ASP.NET 2.0 and 4.0 seem to treat the root url differently in Forms Authentication
If an user is accessing Home.aspx , it will use the configuration section for Home.aspx specified by <location /> and hence the user will not be kicked out to Login.aspx .
If a user access Home.aspx then the second rule will be applied i.e.
<location path="Home.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
The point to note here is: * tells that any authorized user (having any or no role assigned) could access the page, but ? tells unauthorized user could not access the page.
I am a beginner of asp.net..I currently have a login page with forgot password link button on the bottom of the screen. I am also using forms authentication to prevent an unauthorized user from accessing the other pages. The authentication seems to be working fine except for one thing. It prevents the user from accessing the password recovery page once the user click on the link button. How do I allow all users access to the login/password pages and also prevent them from viewing the other pages if they are not authenticated?
The code below is to prevent from other anonymous view other pages without access. But i got no idea on how to allow them to access password recovery page...
<authentication mode="Forms">
<forms loginUrl="/Presentation/Display/Login.aspx" name=".ASPNETAUTH" protection="All" path="/" timeout="120" cookieless="UseDeviceProfile" slidingExpiration="true"/>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?"/>
</authorization>
You need to use the <location> element to apply settings to a specific path, then add an <allow /> for non-logged-in users.
For example:
<location path="PasswordRecovery.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="Presentation/Display/PasswordRecovery.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
This allows anonymous users to view your password recovery page. You might want to do the same for the directory where your CSS and/or image resources are stored, in case they are required by your login page and/or your recovery page.
Use Location:
<location path="passwordrecovery.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I just start to learn web programming using IIS 7.5 in windows 2008 R2, and ASP.Net 4.
I notice that both IIS and ASP.Net can define Authentication rules. In IIS, there is a form authentication setting where I can redirect user to specified page for authentication, like below:
And then, in ASP web.config file, I find similar settings:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
When I finish both settings, I assume any page request will be redirect to the login.aspx page. But it didn't. So I am confused. How do the 2 sets of configs work together? And why page request is not redirected?
Thanks
Update
Finally I get it working and I think I understand it now. My website structure is like below:
It is about modifying Autherization rules. Deny all unauthorized users for root:
<authorization>
<deny users="?" />
</authorization>
CSS files should be allowed for all users, so I have Styles\web.config:
<authorization>
<allow users="*" />
</authorization>
and only allow unauthorized users to access register.aspx, so I have Account\web.config:
<location path="Register.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
There's another component you need to configure: authorization. If you don't, unauthorized users have access to all pages and will not be redirected to the login page. For example:
<authorization>
<deny users="?" />
</authorization>
This specifies that all unauthenticated users are denied access to pages in your application. The authorization element is part of the system.web configuration section.
When you set something in IIS with authentication ( in your case form authentication). It also change your mapped project webconfig file with the same settings. That's why you see same information in both modules.