How to set the forms authentication in asp .net 3.5? - asp.net

When I copy my URL and paste it in another browser, the page opens, which should not happen. This shows a lack of security. I want forms authentication. How do I do that?

If you set cookieless="true" (or UseDeviceProfile and the browser has cookies disabled) in your web.config file, authentication information is appended to the URL and this URL will be valid across other browsers. If you use cookies to identify users, then only the current browser will have the user authenticated.

You need to set this up in your web.config file:
<system.web>
<authentication mode="Forms">
<forms loginUrl="login.aspx" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
As described in this MSDN article.

Forms Authentication is not a newly added concept in ASP.NET 3.5. It is a tried and tested technique that has existed since ASP.NET 1.0. There are lots of books and tutorials available to show you how to do this. The simplest way you can achieve this is by using membership provider models such as SqlMembershipProvider. The models provide you with ready-made infrastructure which you can use for authentication.
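As an added illustration (this is not configuration from either answer above), the two forms elements below show the setting the first answer describes, where the ticket rides in the URL, beside a hardened version in which the ticket only ever travels in a cookie over HTTPS. The page paths and the 20-minute timeout are assumptions.

```xml
<!-- Added example, not from the original answers. Paths and timeout are assumed. -->
<system.web>
  <!-- WEAK: cookieless="UseUri" (or AutoDetect / UseDeviceProfile for a client
       that rejects cookies) puts the encrypted ticket into the URL, in the form
       /(F(ticket))/Default.aspx. Whoever receives that URL (another browser, a
       pasted chat message, a proxy log, a Referer header) is logged in as you. -->
  <!--
  <authentication mode="Forms">
    <forms loginUrl="login.aspx" cookieless="UseUri" requireSSL="false" />
  </authentication>
  -->

  <!-- HARDENED
       cookieless="UseCookies": never fall back to the URL, whatever the device profile says.
       requireSSL="true": the ticket cookie is issued with the Secure flag; note that
         FormsAuthentication.SetAuthCookie throws an HttpException if the login request
         itself arrives over plain HTTP, so the login page must be served over HTTPS.
       protection="All": the ticket is both encrypted and HMAC-validated with the machineKey.
       slidingExpiration="false": the window starts at login and is not extended by activity.
       The forms cookie is already HttpOnly by default. -->
  <authentication mode="Forms">
    <forms loginUrl="~/login.aspx"
           defaultUrl="~/Default.aspx"
           cookieless="UseCookies"
           requireSSL="true"
           protection="All"
           timeout="20"
           slidingExpiration="false"
           path="/" />
  </authentication>

  <!-- Belt and braces: every cookie ASP.NET issues gets HttpOnly and Secure. -->
  <httpCookies httpOnlyCookies="true" requireSSL="true" />

  <!-- Deny anonymous users site-wide. Rules are evaluated top to bottom and the
       first match wins, so the deny must precede the allow. -->
  <authorization>
    <deny users="?" />
    <allow users="*" />
  </authorization>
</system.web>
```

With UseCookies the pasted URL carries nothing that identifies the user, so opening it in a second browser lands on login.aspx with a ReturnUrl, which is the behaviour the question asks for.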

Related

Authorization in Azure vs owin and web.config

I have a c# app that is hosted on Azure. I have configured the app to use external authentication via a user's Microsoft account, which works ok. However, when I add the authorization node in the web.config file, which defines 'deny users="?"', it makes no difference - a user can seemingly browse the site whether they are logged in or not. They can log in with their MS account if they choose, and that works fine.
So looking into this, I discovered the authorization feature in Azure, which allows me to use Azure Active Directory and enforce authentication for the site via the Azure management portal, which also works fine. But now I don't have access to my role definitions.
So as I am now a little confused, my first question is, does anyone know why the authorization element in the web.config had no effect?
And secondly, am I right in thinking that the external auth provider in the application is totally separate and independent of the Azure authentication provider, and so is there an advantage to using one system over the other? OWIN can use roles, that's an advantage - is there an advantage to using Azure auth - apart from ease of switching on/off?
Relevant config sections
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="60" defaultUrl="~/" protection="All"/>
</authentication>
<authorization>
<allow users="*"/>
<deny users="?"/>
</authorization>
</system.web>
<system.webServer>
<modules>
<remove name="FormsAuthenticationModule" />
</modules>
</system.webServer>
</configuration>
You are mixing modes of Authorization. Since you are using OWIN and c#, I'll assume your app is an MVC app. You should read through the detailed articles and samples at Getting Started with Asp.Net Identity. The samples are easy to walk through and to deploy to Azure for testing different Authentication/Authorization methods.

forms authentication in Subdomain override authentication in Main domain

I am a fresher in ASP.NET. I have one issue about forms authentication. I have a web application (HPE) with forms authentication, which is already deployed into IIS.
There is an Eligibility web site on the web server, which is developed in classic ASP; it uses forms authentication. That main web site has links to web applications such as HPE, CHDP, BCCDP etc. When I click an HPE link, I am redirected to the HPE application. I set the HPE ticket timeout to 20 minutes (the same as the main site).
When I stay in HPE for over 20 minutes (doing something to keep the HPE ticket valid) and click the side bar CHDP link (which points to the CHDP application), it goes directly to the timeout page instead of the CHDP app. Are there any ways that I can go to other pages in the main site while I stay in the HPE application for 20 minutes?
Below is the authentication part for HPE in web.config
<system.web>
<authentication mode="Forms">
<forms name=".HPEAUTH" loginUrl="Logout.aspx?go=login" timeout="20" defaultUrl="/Eligibility/Cookiemonster.asp" requireSSL="false" protection="All" path="/" slidingExpiration="true"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
Sorry that I didn't find any web.config file in the Eligibility (main site) directory. Any idea or thought would be greatly appreciated.
To use the same authentication cookie across multiple applications, you will have to ensure that the machineKey section of your web.config file is set to the same thing on all apps.
From MSDN:
The following example shows the Authentication section of a Web.config file. Unless otherwise noted, the name, protection, path, validationKey, validation, decryptionKey, and decryption attributes must be identical across all applications. Similarly, the encryption and validation key values and the encryption scheme and validation scheme used for authentication tickets (cookie data) must be the same. If the settings do not match, authentication tickets cannot be shared. For information about how to generate values for the validationKey and decryptionKey attributes, see How To: Configure MachineKey in ASP.NET 2.0. (This topic applies to ASP.NET version 2.0 and to later versions.)
<configuration>
<system.web>
<authentication mode="Forms" >
<!-- The name, protection, and path attributes must match
exactly in each Web.config file. -->
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="contoso.com"
timeout="30" />
</authentication>
<!-- Validation and decryption keys must exactly match and cannot
be set to "AutoGenerate". The validation and decryption
algorithms must also be the same. -->
<machineKey
validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
validation="SHA1" />
</system.web>
</configuration>
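To check whether two applications really share a ticket, here is an added diagnostic page (my example, not the answer's code) that you can drop into any of the ASP.NET applications configured with the machineKey above, for instance HPE and CHDP, and visit after logging in to the other one. The class name TicketCheck is an assumption, and so is the premise that both ends are ASP.NET: a classic ASP page has no access to FormsAuthentication and can neither read nor renew this ticket, whatever the machineKey says.

```csharp
// Added example, not part of the original answer. Assumes an .aspx page whose
// code-behind class is TicketCheck, deployed in an application that shares the
// <forms> name/path/protection and <machineKey> with the issuing application.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class TicketCheck : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // FormsCookieName comes from <forms name="...">. If the two apps use different
        // names (".HPEAUTH" here, ".ASPXFORMSAUTH" there) each app looks for a cookie
        // the other never set, and no amount of key matching helps.
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
        {
            Response.Write("no cookie named " + HttpUtility.HtmlEncode(FormsAuthentication.FormsCookieName));
            return;
        }

        FormsAuthenticationTicket ticket;
        try
        {
            // Decrypt uses this application's own machineKey. With a different
            // validationKey/decryptionKey or a different protection level the HMAC
            // check fails; depending on the framework version that surfaces as null
            // or as an exception, and FormsAuthenticationModule then silently treats
            // the request as anonymous, which is what sends the user to the timeout page.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception)
        {
            ticket = null;
        }
        if (ticket == null)
        {
            Response.Write("cookie present but not decryptable here: machineKey, protection or name mismatch");
            return;
        }

        Response.Write(string.Format("user={0} issued={1:u} expires={2:u} expired={3}<br/>",
            HttpUtility.HtmlEncode(ticket.Name), ticket.IssueDate, ticket.Expiration, ticket.Expired));

        // Sliding expiration does not extend the ticket on every request: ASP.NET only
        // reissues it once more than half of the timeout has elapsed. RenewTicketIfOld
        // applies exactly that rule, so this shows whether the current request would
        // have pushed the shared expiry forward for the other application as well.
        FormsAuthenticationTicket renewed = FormsAuthentication.RenewTicketIfOld(ticket);
        Response.Write(renewed.Expiration > ticket.Expiration
            ? "this request would renew the ticket until " + renewed.Expiration.ToString("u")
            : "ticket not renewed on this request (less than half of the timeout has elapsed)");
    }
}
```

If the page prints the same user name and expiry in both applications, the cookie is shared and the remaining question is only the half-timeout renewal rule; if it reports a decryption failure in one of them, compare the machineKey and forms attributes of that application with the issuing one before looking anywhere else.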

Prompting the user for login authentication

ASP.NET: I have created a website with login authentication. Before the user can visit any of the pages in it he needs to login first. How do I prompt the user to login first before he can view any of the contents of the website?
The Examining ASP.NET's Membership, Roles, and Profile series is a good starting point. It covers all the security parts of ASP.NET and your required stuff: login before visiting the page, via loginUrl as your login page. Start by doing this: How To: Use Forms Authentication with SQL Server in ASP.NET 2.0
Some settings need to be made in web.config, and then these things are handled in the code-behind.
<forms name=".ASPXAUTH" loginUrl="login.aspx"
defaultUrl="default.aspx" protection="All" timeout="30" path="/"
requireSSL="false" slidingExpiration="true"
cookieless="UseDeviceProfile" domain=""
enableCrossAppRedirects="false">
<credentials passwordFormat="SHA1" />
</forms>
Add the following element under the element in the Web.config file. This allows all authenticated users to access your Web site.
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Code-behind:
if (Membership.ValidateUser(username, password))
{
// User has supplied valid credentials
// In the following method call, the second Boolean parameter
// determines whether a persistent authentication cookie
// is created.
FormsAuthentication.RedirectFromLoginPage(username, rememberMeIsChecked);
}
Reference:
Starting ASP.NET Forms Authentication
ASP.NET Authentication
Explained: Forms Authentication in ASP.NET 2.0
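The code-behind fragment in the answer above, filled out into a complete login handler as an added example (mine, not the answer's). It assumes an .aspx page with TextBox controls named UserName and Password, a CheckBox RememberMe and a Label ErrorLabel, and whatever membership provider web.config configures. Rather than relying on the framework's own handling of the ReturnUrl parameter, which differs between versions, it checks explicitly that the return URL is a path on this site before honouring it.

```csharp
// Added example, not the original answer's code. Control names are assumptions.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();

        // ValidateUser hashes the supplied password the way the provider is
        // configured to (passwordFormat) and compares it with the stored value.
        if (!Membership.ValidateUser(user, Password.Text))
        {
            // One generic message for "no such user" and "wrong password": a
            // different text per case lets an attacker enumerate valid accounts.
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // RedirectFromLoginPage writes the ticket cookie (persistent if the second
        // argument is true) and then redirects to the ReturnUrl query parameter, or
        // to defaultUrl when there is none. Only honour ReturnUrl when it points
        // inside this site, so that login.aspx?ReturnUrl=http://attacker.example
        // cannot bounce a freshly authenticated user off-site.
        string returnUrl = Request.QueryString["ReturnUrl"];
        if (!IsLocalPath(returnUrl))
        {
            FormsAuthentication.SetAuthCookie(user, RememberMe.Checked);
            Response.Redirect(FormsAuthentication.DefaultUrl, true);
            return;
        }
        FormsAuthentication.RedirectFromLoginPage(user, RememberMe.Checked);
    }

    // A URL is local when it is application-relative ("~/Orders.aspx") or a
    // single-slash absolute path ("/Account/Orders.aspx"). "//attacker.example",
    // "/\attacker.example" and "http://..." are all rejected.
    private static bool IsLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url.StartsWith("~/", StringComparison.Ordinal)) return true;
        return url.Length > 1 && url[0] == '/' && url[1] != '/' && url[1] != '\\';
    }
}
```

The deny-anonymous rule in web.config is what makes the redirect to this page happen; the handler's job is only to verify the credentials, issue the ticket and send the user somewhere safe.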
Try to do this in your web.config
If we want to deny access to anonymous users, configure the Authorization section in the following manner,
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
For more info look here
This is a huge subject to cover by posting a code example here, so I would recommend the following steps.
Use ASP.NET MVC 3, learn how the membership provider works, customize it to fit your needs, and use the role provider to assign users to specific groups which you will use to protect specific areas of the site.
Create roles and assign them to users, and after that you can secure pages using decorated [Authorize] attributes, or secure them for selected users like this:
[Authorize(Roles = "Admin, Super User")]
Use the system.web section of your web.config to indicate which membership and role provider is used in the app.
This is short info, but I hope that you have a concise mental picture now.

Developing public site using vs 2010, authentication should be?

I'm developing a public web site in VS2010.
Can I keep the authentication as Windows authentication and just enable anonymous access,
or should I leave it with the default forms authentication?
The site will NOT require any type of login mechanism... so really I don't see a point in forms authentication, but most users will not have Windows authentication either.
So I am confused, in my asp.net web.config file what authentication do I use for a public website?
I also asked this question which is kind of related: developing site in vs2010 but changed to local IIS and prompts
But I am not having any luck with this :(. The site, when using local IIS, keeps prompting for a user name and password (see the Stack Overflow question I posted above). I've checked the app pools, the security, and the permissions and it still prompts me for a user name and password. It prompts me about 10 times and if I keep cancelling out of it the page comes up but the images are not displayed nor is the CSS rendered. So it looks like it prompts for each image on the site, but all folders inherit from the parent and I've added Network, Network Service, the ASPNET user, the default app pool user... I don't know what else to do.
So two issues:
1) What do I specify in my web config for a public site
2) How do I get rid of this prompting!
Thanks
You don't need to specify any authentication. Just deploy it as is, with the Web.Config out of the box.
<authentication mode="None" />
Go here for more reading.
Because it is prompting you with a login dialog, try using an authorization element in your web.config file with any authentication you like. Use "*" to allow access to all users by default. Refer to this article for more detail.
<authorization>
<allow users="*" />
</authorization>
Your web.config file has two sections that control requests for login. These are
<authentication> ... </authentication>
and
<authorization> ... </authorization>
Authorization controls who can access what, and Authentication determines how the credentials of a particular user are established, to see if they have the correct authorization to access your site.
An example of their usage might be
<authorization>
<allow users="*" />
</authorization>
<authentication mode="Forms">
<forms loginUrl="login.aspx" timeout="40320" cookieless="UseCookies" slidingExpiration="true" />
</authentication>
which allows access to all users to the root of my applications and their credentials are determined using forms authentication.
Other parts of your site are allowed to have alternate authorization requirements through the use of a location tag in your web.config
However, neither section is required if no part of your site requires this functionality. However, you should be aware that there are other places where this might be determined. There is a file called machine.config that determines the settings for the machine. Your web.config has priority over the machine.config, but if the authorization and authentication settings are made in the machine.config and not in your web.config, then the machine.config wins.
Hope that helps. If you can post your web.config that might help us to point you in the right direction.

ASP.NET URL redirection

I want, when I type http://localhost/Admin, to take me to the page http://localhost/Something/Login.aspx. How can I do this?
What you are looking for is called Forms Authentication. A very short introduction follows.
You need to create a login page that makes a call like this, after verifying the identity of the user:
FormsAuthentication.RedirectFromLoginPage(userName);
Then you need to wire up the login page in the web.config file:
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Something/Login.aspx" />
</authentication>
</system.web>
Furthermore, you will need to tell the framework that all URLs below ~/Admin/ require the user to be authenticated. This can be done by adding another web.config file within that folder:
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
Read the article linked above, or search the web for "ASP.NET forms authentication" and you will soon be on the right track.
EDIT 1 - If all you want to do is really to "make a redirect to a specific URL", then this is sufficient:
Response.Redirect("~/Something/Login.aspx")
From the URLs you mention in your question, it seems that you are trying to enforce some kind of authentication/authorization scheme. If this is true, forms authentication is a better answer.
EDIT 2 - If you want to rewrite, not redirect, requests from ~/Admin to ~/Something/Login.aspx you can do so by mapping a URL mapping in your root web.config file
<system.web>
<urlMappings>
<add url="~/Admin/Default.aspx" mappedUrl="~/Something/Login.aspx"/>
</urlMappings>
</system.web>
In most setups, the web server will only pass the request to ASP.NET if the requested URL ends with a known suffix, such as .aspx. One approach to trick the web server into passing requests for ~/Admin to ASP.NET is to use the "default document" feature in the web server. For this to work, you must add an empty file named Default.aspx in the ~/Admin folder.
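The answer to the public-site question mentions the location tag without showing it, and the answer just above protects ~/Admin with a second web.config in that folder. As an added example (mine, not from either answer), the single root web.config below does both jobs: the site stays open to anonymous visitors while everything under /Admin requires a login. The paths are assumptions. One caveat for the public-site question: the repeated prompts for images and CSS are not something this file can cause or cure. A web.config authorization rule only applies to requests ASP.NET handles; if Anonymous Authentication is disabled in IIS, or the application pool identity cannot read the static files, IIS challenges the browser before ASP.NET's rules are consulted.

```xml
<!-- Added example, not from the original answers. Paths are assumptions. -->
<configuration>
  <system.web>
    <!-- The authentication mode applies to the whole application; it cannot be
         changed per folder. Only authorization rules can be scoped with <location>.
         FormsAuthenticationModule exempts loginUrl itself from authorization, so
         the login page stays reachable even if the root denied anonymous users. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Something/Login.aspx" cookieless="UseCookies" requireSSL="true" />
    </authentication>

    <!-- Root: everyone, including anonymous users, may browse. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- /Admin and everything below it: an anonymous request is redirected to loginUrl
       with ReturnUrl set to the page that was asked for. Rules are evaluated top to
       bottom and the first match wins, so deny "?" must come before allow "*";
       reversed, the allow matches first and the deny never fires. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Keeping the rule in the root file rather than in ~/Admin/web.config has one practical advantage: a deployment that forgets to copy the folder's web.config does not silently publish the admin pages.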
