ASP.NET Page Unauthorization for common pages - asp.net

I am developing a web application which has forms-based authentication. All pages need to be authenticated except the AboutUs and ContactUs pages.
I configured everything correctly except the AboutUs and ContactUs pages. Since I am denying all users in the authorization section, the application redirects even if the customer browses the AboutUs and ContactUs pages.
Configuration Rules
<authentication mode= "Forms">
<forms name=".ASPXAUTH" loginUrl="Login.aspx" timeout="20" protection="All" slidingExpiration="true" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
Could you please let me know how I can tell ASP.NET to remove these pages from authorization?
Thanks,
Mahesh

Try this:
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH"
protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this application except for
those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated user access to the AboutUs.aspx page
only. It is located in the same folder as this configuration file. -->
<location path="AboutUs.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated user access to the ContactUs.aspx
page only. It is located in the same folder as this configuration file. -->
<location path="ContactUs.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
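How ASP.NET applies these rules, as an added example that is not part of the original answer: a simplified Python model of first-match URL authorization, in which the most specific <location> rules are checked before the application-level ones. The function names are hypothetical, the embedded web.config is constructed from the answer above, and HTTP verbs and nested web.config files are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed web.config modelled on the answer above: deny anonymous
# users site-wide, then open two pages with <location> overrides.
WEB_CONFIG = """<configuration>
  <system.web><authorization><deny users="?" /></authorization></system.web>
  <location path="AboutUs.aspx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <location path="ContactUs.aspx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
</configuration>"""

def _split(value):
    return [v.strip().lower() for v in (value or "").split(",") if v.strip()]

def _rules(node):
    """(action, users, roles) tuples from node's <authorization>, in document order."""
    auth = node.find("system.web/authorization")
    if auth is None:
        return []
    return [(r.tag, _split(r.get("users")), _split(r.get("roles")))
            for r in auth if r.tag in ("allow", "deny")]

def effective_rules(config_xml, url_path):
    """Rules for url_path: most specific <location> first, root rules last."""
    root = ET.fromstring(config_xml)
    path = url_path.strip("/").lower()
    scoped = []
    for loc in root.findall("location"):
        p = (loc.get("path") or "").strip("/").lower()
        if p and (path == p or path.startswith(p + "/")):
            scoped.append((len(p), _rules(loc)))
    scoped.sort(key=lambda item: -item[0])
    merged = [rule for _, rules in scoped for rule in rules]
    # Assumption: machine-level default <allow users="*" /> closes the list.
    return merged + _rules(root) + [("allow", ["*"], [])]

def is_allowed(config_xml, url_path, user=None, roles=()):
    """First matching rule wins; user=None models an anonymous request."""
    have = {r.lower() for r in roles}
    for action, users, rule_roles in effective_rules(config_xml, url_path):
        if ("*" in users or (user is None and "?" in users)
                or (user is not None and user.lower() in users)
                or have & set(rule_roles)):
            return action == "allow"
    return False
```

Because the first match wins, a page-level allow for everyone is reached before the site-wide deny for anonymous users, which is why the two public pages stop redirecting to the login page.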

Related

asp.net Forms Authentication restrict access to folder

I have a website with the following structure; it will be deployed to an Azure Web App:
~\Home\Files\(kk.jpg) (ff.pdf) (aa.xls)....
~\Home\Download.aspx
~\LogIn.aspx
~\Web.config
Rules:
Only logged-in users can see anything in the "Home" directory.
Especially, I want to prevent any users who are not logged in from accessing any file in the "\Home\Files\" directory.
Here is my web.config file:
<system.web>
<authentication mode="Forms">
<forms name=".SCKi" loginUrl="LogIn.aspx" protection="All" path="/" timeout="30" requireSSL="true" />
</authentication>
<authorization>
<deny users ="?" />
<allow users = "*" />
</authorization>
</system.web>
Can anyone help me apply the rules?
You need to lock access on specific folders using location tag in web.config.
<location path="Home/Files">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
This goes under the configuration tag.
You are allowing everyone in:
Change to this:
<allow users="?" />
And remove the deny option

using RedirectFromLoginPage on different pages

I'm using a login and a database to check if a user is in there, then send the user to my "locked" page.
It works nicely, but only from Default.aspx. The user can click around to other pages, but the form is on all my pages until the user logs in.
How do I change this to work on all my pages, including when the user wants to log off:
<authentication mode="Forms">
<forms loginUrl="Default.aspx" defaultUrl="inloggad/rosta.aspx">
<credentials passwordFormat="Clear">
</credentials>
</forms>
</authentication>
You have to create the roles such as customer, admin and then add the following in your web.config.
<location path="/">
<system.web>
<authorization>
<allow roles="Administrators" />
<allow roles="customers" />
<deny users="*" />
</authorization>
</system.web>
</location>

How to have compulsory login in asp.net for particular page

I have created a default master page site with login and register options.
When you create the default page you get three menu options, i.e. HOME, ABOUTUS, CONTACTUS.
I have added one more menu option, i.e. ADMIN.
Whenever someone clicks ADMIN, they are supposed to be required to log in.
How can I do it?
Currently anyone can surf all menu pages without logging in.
I want to make it compulsory.
Please help; basically I need a member-only page.
You can use the location config to specify the path of either a folder or page; see below for an example and a link to the Microsoft details.
http://msdn.microsoft.com/en-us/library/ff648345.aspx
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="https://myserver/mywebapp/secure/Login.aspx"
protection="All"
timeout="30"
name="AppNameCookie"
path="/FormsAuth"
requireSSL="true"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
<!-- Deny access to unauthenticated users -->
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
<!-- Allow unrestricted access to the folder with the login page -->
<location path="secure">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
Add this section in your application web.config file, to deny access to all unauthenticated users to the location admin_page.aspx
<configuration>
<location path="admin_page.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
Read this for more information about Control Authorization Permissions in an ASP.NET Application

forms authentication asp.net vb

I have a login page which is the home page, so it is located at www.domainname.com
When someone goes to this page it adds a ReturnUrl to the string so they are at:
www.domainname.com/default.aspx?ReturnUrl=%2f so when they log in they get returned to http://www.domainname.com/, which is the login page again, so to access the site they have to log in twice.
Does anyone know how to fix this? I think a fix to this would be to allow everyone access to the home page - http://www.domainname.com/ as well as http://www.domainname.com/default.aspx but I'm not sure how to achieve this.
I want all user roles to be denied access to every page apart from the home page before they log in. I also have an admin/cms section that only Admin roles can access, but everyone can access the cms login page.
I currently have this in my web.config
<authentication mode="Forms">
<forms protection="All" loginUrl="default.aspx" defaultUrl="~/home/" />
</authentication>
<authorization>
<allow roles="Admin, User"/>
<deny users="?" />
</authorization>
<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="cms/default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="cms">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Well, I seem to have done it a bit by luck.
I just changed
<authentication mode="Forms">
<forms protection="All" loginUrl="default.aspx" defaultUrl="~/home/" />
</authentication>
To
<authentication mode="Forms">
<forms protection="All" loginUrl="/" defaultUrl="~/home/" />
</authentication>
You should send them to the page you want them to default to. What you should do is create the login page on a separate page (login.aspx) for instance and then make the default.aspx page the home page. Then when they go to default.aspx they will be redirected to login.aspx?ReturnURL=%2f .
Yes, we can use the above solution. One problem here is when we are using SEO implementation. To achieve your requirement, you can use URLRewrite.
http://weblogs.asp.net/scottgu/archive/2010/04/20/tip-trick-fix-common-seo-problems-using-the-url-rewrite-extension.aspx

Allow access for unauthenticated users to specific page using ASP.Net Forms Authentication

I am using ASP.Net Forms Authentication. My Web.config looks like this.
<authentication mode="Forms">
<forms loginUrl="login.aspx"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>
So currently every aspx page requires authentication.
I want to allow access to even unauthenticated users to a specific page named special.aspx.
How can I do this?
Take a look at the example on MS Support
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this
application except for those that you have not explicitly
specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated
user access to the ThePageThatUnauthenticatedUsersCanVisit.aspx
page only. It is located in the same folder
as this configuration file. -->
<location path="ThePageThatUnauthenticatedUsersCanVisit.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated
user access to all of the files that are stored
in the TheDirectoryThatUnauthenticatedUsersCanVisit folder. -->
<location path="TheDirectoryThatUnauthenticatedUsersCanVisit">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
Put the following in your web.config:
<location path="special.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<!-- path here is the path to your register.aspx page -->
<location path="register.aspx">
<system.web>
<authorization>
<!-- this will allow access to everyone to register.aspx -->
<allow users="*"/>
</authorization>
</system.web>
</location>
For more detail follow the below link
http://weblogs.asp.net/gurusarkar/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config
Allow everyone to access a particular page
Sometimes you want to allow public access to some page and want to restrict access to the rest of the site only to logged-in / authenticated users, i.e. do not allow anonymous access. Say your special.aspx is in your site's root folder. In the web.config of your website's root folder you need to have the following setup.
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization>
<!-- this will restrict anonymous user access -->
<deny users="?"/>
</authorization>
</system.web>
<!-- path here is the path to your special.aspx page -->
<location path="special.aspx">
<system.web>
<authorization>
<!-- this will allow access to everyone to special.aspx -->
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
