Multiple forms authentications in the same application - asp.net

I was wondering if it is possible to use two different forms authentication logins with the following directory structure:
/default.aspx
/login.aspx
/web.config
/subdirectory/sublogin.aspx
/subdirectory/subdefault.aspx
/subdirectory/web.config
The web.config in the root contains the following settings:
<authentication mode="Forms">
<forms protection="All" slidingExpiration="true" loginUrl="~/login.aspx" path="/"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
What I want to achieve is that all directories except 'subdirectory' are protected by the login.aspx in the root. 'subdirectory' has its own login.aspx (sublogin.aspx).
What would the correct content of the web.config in subdirectory look like?

The <authentication> web.config section can only be defined in machine.config or in the application's root web.config. It cannot be specified in sub-folders of your application.
What you can do, however, is create another ASP.NET application that happens to exist within the other application. Then each one can have its own authentication settings. In this case they will be separate applications, though, which might cause other problems.

Related

Possible to use different forms authentication cookie names for multiple virtual directories mapped to one physical directory?

Using ASP.NET 2.0, IIS 7.
I have an ASP.NET application using forms authentication setup as follows in web.config :
<authentication mode="Forms">
<forms name=".ASPXAUTH_LIVE" loginUrl="Login.aspx" defaultUrl="~/Default.aspx" protection="All" timeout="1440" path="/" requireSSL="true" slidingExpiration="true" cookieless="UseDeviceProfile"/>
</authentication>
There are two IIS virtual directories mapped to the one physical directory. Since they map to the same physical directory, they both use the cookieName : ".ASPXAUTH_LIVE".
Is there some way to get the two virtual directories to use different cookie names ? I know I could make multiple copies of the physical directory, and change the name attribute in the web.config, but I'd rather not have to maintain multiple physical directories.
I cannot guarantee this will be of any assistance, but my first instinct would be to override the defaults for each virtual directory by adding a <location> element to your site's root web.config:
<location path="Path/To/Virtual/Directory">
<system.web>
<authentication>
<forms name=".ASPXAUTH_LIVE2" />
</authentication>
</system.web>
</location>
At first blush I expect this to fail miserably, but if nothing else it's an idea to test. I apologize for not trying the configuration myself but this would require a bit of work on my part to configure a working test project.

Web.config location tag stops working when deployed to Server

Many thanks in advance. When running the ASP.NET Development Server, everything is working fine. However, when I deploy my asp.net application to the production server (IIS 7.0 integrated mode, fresh install), my location tags in my web.config file are being ignored.
Case in point: I'm using forms authentication, and when the user arrives at my login.aspx page, the external css & js files are not being loaded...even though I have specified that those files should be available to all users (auth'd or not). However, once the user is logged in, the files do in fact load.
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
<authorization>
<deny users="?" /> <!-- Restrict anonymous user access -->
</authorization>
And the exception to my css file...
<location path="Styles/xtools.css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I've verified that the path to the css file is accurate. Any suggestions?
Thanks, --Dan
--EDIT
Forgot to mention, I have tried creating a web.config file in the targeted folder as well...still not working.
Just got it. It wasn't enough to give IIS_IUSRS permissions on the folders containing the app ...I needed to give IUSR permissions, as well.
Problem solved. Thanks, ben f!

Form Authentication issue for two sub folders

In my application there are two sub folders which need to be authenticated. In my application web.config, I have given it like this:
<authentication mode="Forms">
<forms loginUrl="Customer/My Accounts/Default.aspx" name="formsauth1"
/>
</authentication>
This will work for only one sub folder having the path Customer/My Accounts/Default.aspx, but I need to authenticate another sub folder having the path Arab/Customer/My Accounts/Default.aspx. I want to know how to identify both the folders and how to authenticate them by modifying the above code.
You want to set the loginUrl equal to your login page, not the restricted page.
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name="formsauth1" />
</authentication>
Then in the sub folders you want to create a web.config in each with the following:
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
So what will happen is that when an unauthenticated user tries to access those sub folders, the <authorization> element will deny them and redirect them to the loginUrl. After they log in, they'll be returned to the original page they were trying to access.

Multiple signin pages in one asp.net application

I have one asp.net web application.
It is using two membership providers.
Two sign-in pages, one for each provider.
Now I have two folders in root: Folder1 & Folder2
Folder1 uses 1st membership provider
Folder2 uses 2nd membership provider
I got almost everything working, including sign-in, create user etc. in both providers.
The only issue is that in Forms authentication I can define only one login path. So when the session expires or a login is needed to access secure pages, it can only redirect to one sign-in page.
Also, that section can't be defined by location, by application only.
How can I get Folder2 to use the 2nd sign-in page?
Is there anything I can define by location?
See How to override/change FormsAuthentication LoginUrl in certain cases
It appears from various people researching, that you cannot tell FormsAuthentication to have two different Login pages. But there is nothing preventing you from creating some base page class or other code in your two folders that can determine which login page to direct to. Or, I think that the Application_BeginRequest event fires before the FormsAuthentication module fires, so you could examine requests before they get redirected by FormsAuthentication. Either way though, you would be forced to allow anonymous users to Folder1 and Folder2, which is not ideal.
You need to use the <location> element in your web.config. You can use the <location> tag to apply authorization settings to an individual file or directory.
<location path="/root">
<system.web>
<authentication mode="Forms" >
<forms name="LoginForm" defaultUrl="default.aspx"
loginUrl="/root/login.aspx" protection="Encryption"
timeout="30" path="/"/>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="/root/admin">
<system.web>
<authentication mode="Forms" >
<forms name="formName" defaultUrl="login.aspx"
loginUrl="/root/admin/login.aspx" protection="Encryption"
timeout="30" path="/"/>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
MSDN
For centralized administration, settings can be applied in the Machine.config file. The settings in the Machine.config file define machine-wide policy and can also be used to apply application-specific configuration using <location> elements. Developers can provide application-configuration files to override aspects of machine policy. For ASP.NET Web applications, a Web.config file is located in the application's virtual root directory and optionally in subdirectories beneath the virtual root.
If you would like 1 login location and different access levels you might want to use roles.
<location path="/root">
<system.web>
<authorization>
<allow roles="admin,root" /> <!-- admin, root is allowed -->
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="/root/admin">
<system.web>
<authorization>
<allow roles="admin" /> <!-- admin is allowed -->
<deny users="*" />
</authorization>
</system.web>
</location>
Users can belong to more than one role. For example, if your site is a discussion forum, some users might be in the role of both Members and Moderators. You might define each role to have different privileges on the site, and a user who is in both roles would then have both sets of privileges.
You can access all these elements at the code level if you would like to manipulate the roles/authentication programmatically:
Page.User.Identity.Name
Page.User.Identity.IsAuthenticated
Page.User.Identity.AuthenticationType
Page.User.IsInRole("string");
Additional Links
Using 2 Membership Providers in asp.net
4 Guys From Rolla Tutorial
The ASP.NET web.config File Demystified

Forms Authentication across Applications

I'm working on an internal web based tool for my company. Part of this tool is another application (The Cruise Control Dashboard) that runs in its own Virtual Directory under my root application.
I wanted to limit access to this internal application by setting up Forms Authentication on it, and having a login form in the root application.
I put the following into the root application's web.config:
<location path="ccnet">
<system.web>
<authentication mode="Forms">
<forms loginUrl="/default.aspx" timeout="5000"/>
</authentication>
<authorization>
<allow users="?"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
However, the Forms Authentication does not appear to be working; it does not redirect back to the login page when I access that application directly.
I have a feeling I have the <allow> and <deny> tags set wrong. Can someone clarify?
You might also need to put path="/" in the
That was it!
So, summary, in order to do this:
In root web.config add:
<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1" />
This must be done because by default it is "AutoGenerate,IsolateApps".
Second, you must name the form Auth cookie the same in both, I did this all in my root, using the location tag:
<authentication mode="Forms">
<forms name="ccAuth" loginUrl="/default.aspx" path="/" timeout="5000"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
Finally:
<location path="ccnet">
<system.web>
<authentication mode="Forms">
<forms name="ccAuth" loginUrl="/default.aspx" path="/" timeout="5000"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Thanks everyone for your help. This was a stumper.
FormsAuthentication encrypts the tokens that it gives to the user, and by default it encrypts keys different for each application. To get Forms Auth to work across applications, there are a couple of things you need to do:
Firstly, set the Forms Auth "name" the same on all Applications. This is done with:
<authentication mode="Forms">
<forms name="{name}" path="/" ...>
</authentication>
Set the "name" to be the same in both applications' web.configs.
Secondly, you need to tell both applications to use the same key when encrypting. This is a bit confusing. When I was setting this up, all I had to do was add the following to both web.configs:
<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1" />
According to the docs, that's the default value, but it didn't work for me unless I specified it.
You might also need to put path="/" in the <forms tag(s) I think. Sorry, it's been a while since I've done this.
That does not work, it still allows all users, (Authenticated or not) to access.
I would think you could even omit the allow tag, as it's redundant. Just:
<deny users="?"/>
Where does that code sit Jonathan? In my experience I have a login control and in the OnAuthenticate event I would set Authenticated to false...
If CustomAuthenticate(Login1.UserName, Login1.Password) Then
FormsAuthentication.RedirectFromLoginPage(Login1.UserName, False)
Else
e.Authenticated = False
End If
But that's using the Microsoft Way
You are allowing all unauthenticated. You might be looking for something like this:
<deny users="?"/>
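Why the `<allow users="?"/>` followed by `<deny users="?"/>` pair in the question lets everyone in, shown as an added example that is not part of any post on this page: URL authorization reads rules top to bottom, most specific configuration level first, and the first rule that matches decides. The function and constant names are hypothetical, the fragments are constructed from the snippets quoted here, and the `verbs` attribute is ignored.

```python
import xml.etree.ElementTree as ET

# Machine-level default rule that sits below every application's own rules.
MACHINE_DEFAULT = '<authorization><allow users="*"/></authorization>'

# Constructed fragments that mirror the snippets quoted on this page.
ALLOW_THEN_DENY = '<authorization><allow users="?"/><deny users="?"/></authorization>'
DENY_ANON = '<authorization><deny users="?"/></authorization>'
ALLOW_ALL = '<authorization><allow users="*"/></authorization>'
ADMIN_ONLY = '<authorization><allow roles="admin"/><deny users="*"/></authorization>'


def _split(value):
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def _matches(rule, user, roles):
    """True if an <allow>/<deny> rule applies; user=None means anonymous."""
    users = _split(rule.get("users", ""))
    if "*" in users or ("?" in users and user is None):
        return True
    if user is not None and user.lower() in users:
        return True
    held = {r.lower() for r in roles}
    return any(r in held for r in _split(rule.get("roles", "")))


def is_allowed(levels, user=None, roles=()):
    """Evaluate <authorization> fragments, most specific level first.

    Rules are read top to bottom and the first match decides, so a rule
    placed after a matching one is never reached.
    """
    for fragment in list(levels) + [MACHINE_DEFAULT]:
        for rule in ET.fromstring(fragment):
            if rule.tag in ("allow", "deny") and _matches(rule, user, roles):
                return rule.tag == "allow"
    return False  # not reached while MACHINE_DEFAULT ends the chain


if __name__ == "__main__":
    print("allow ? then deny ?, anonymous:", is_allowed([ALLOW_THEN_DENY]))
    print("deny ? only, anonymous:", is_allowed([DENY_ANON]))
    print("deny ? only, signed in:", is_allowed([DENY_ANON], user="dan"))
    print("file-level allow * over root deny ?:", is_allowed([ALLOW_ALL, DENY_ANON]))
```

Passing `[ALLOW_ALL, DENY_ANON]` models a `<location>` or sub-folder rule set layered over the root rules, which is why a single exempted file stays reachable to anonymous users while the rest of the site does not.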
What is the file extension for this cruise control application? If it is not a file type that ASP.NET is registered to handle (e.g. jsp, java, etc), then ASP.NET will not act as an authentication mechanism (on IIS 5 and 6). For example, for static html files, unless you have wildcard mapping implemented, IIS does all the authentication and authorization and serves up the file without involving the ASP.NET isapi extension. IIS7 can use the new integrated pipeline mode to intercept all requests. For IIS6, you'll want to look at Scott Gu's article on the matter.
None of the above suggestions worked for me. Turns out in the root web.config set:
<forms loginUrl="/pages/login.aspx" enableCrossAppRedirects="true"...
and make sure that both the root and child app have in system.web
<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1"/>
which turns off the IsolateApps default.
Then everything just worked!
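A consistency check for the settings this thread says two applications must share before one forms-authentication ticket works in both (cookie name, path, protection and machineKey without IsolateApps). This is an added example, not code from any of the posts: the function names and both sample configs are constructed for illustration, and the check only reads what each web.config declares.

```python
import xml.etree.ElementTree as ET

# Values ASP.NET uses when an attribute is omitted. None means "not set here";
# the validation algorithm's default depends on the framework version.
DEFAULTS = {
    "forms": {"name": ".ASPXAUTH", "path": "/", "protection": "All"},
    "machineKey": {"validationKey": "AutoGenerate,IsolateApps",
                   "decryptionKey": "AutoGenerate,IsolateApps",
                   "validation": None},
}

# Constructed web.config bodies: ROOT follows the summary in the thread,
# CHILD_DEFAULTS is a child application that sets neither name nor machineKey.
ROOT = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1"/>
  <authentication mode="Forms">
    <forms name="ccAuth" loginUrl="/default.aspx" path="/" timeout="5000"/>
  </authentication>
</system.web></configuration>"""
CHILD_DEFAULTS = """<configuration><system.web>
  <authentication mode="Forms"><forms loginUrl="/default.aspx"/></authentication>
</system.web></configuration>"""


def ticket_settings(config_xml):
    """Effective cookie and key settings declared by one web.config."""
    root = ET.fromstring(config_xml)
    found = {}
    for tag, defaults in DEFAULTS.items():
        elem = next(root.iter(tag), None)
        for attr, default in defaults.items():
            found[attr] = default if elem is None else elem.get(attr, default)
    return found


def ticket_sharing_problems(root_xml, child_xml):
    """List setting mismatches that keep the two applications from sharing a ticket."""
    a, b = ticket_settings(root_xml), ticket_settings(child_xml)
    problems = [f"{k} differs: {a[k]!r} vs {b[k]!r}" for k in a if a[k] != b[k]]
    for label, cfg in (("root", a), ("child", b)):
        for attr in ("validationKey", "decryptionKey"):
            if "IsolateApps" in cfg[attr]:
                problems.append(f"{label} {attr} uses IsolateApps")
    return problems
```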
