I have implemented forms authentication using the below mentioned code. My login URL is "Login.aspx". With these settings my site images do not get loaded on login.aspx.
However if I comment the authorization section the images are displayed.
<authentication mode="Forms">
<forms name="TBHFORMAUTH" defaultUrl="~/User/Default.aspx" loginUrl ="~/Login.aspx" cookieless="AutoDetect" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
Why this behaviour?
You can add a separate Web.config file to the Images folder that does not need user control. The Web.config file should only contain the following to give full access:
<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
Another approach is if all pages that are limited by usercontrol are located in a sub folder (i.e. Users), then you can give full access in the main Web.config. and have a separate Web.config in the Users folder containing:
<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
Related
I want to add enable/disable asp.net mvc website feature, to achieve this I just replace web.config content to
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="maintenance.htm"></forms>
</authentication>
<authorization>
<deny users="*" />
</authorization>
</system.web>
<location path="server">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
I also have put maintenance.htm into website root.
But when I try then navigate to site, i don't see my maintenance.htm, instead I receive
status "Aborted" in Firebug, and Firefox displays a message:
This is for production environment. On local, app just continue process web.config as a normal and displays YSOD saying that it could not find some keys in web.config (it assume that they exist)
I also try to just add app_offline.htm as a simpler solution, but result is the same.
What can cause such behavior?
I have created default master page site with login and register option.
When you create default page you get three menu option i.e HOME ABOUTUS CONTACTUS.
I have added one more menu option i.e ADMIN.
whenever someone clicks ADMIN they are suppose to login mandatory.
How can I do it?
currently anyone can surf all menu pages without login.
I want to make it compulsory.
please help, basically I need member only page
You can use the location config to specify the path of either a folder or page, see below for example and link to Microsoft details.
http://msdn.microsoft.com/en-us/library/ff648345.aspx
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="https://myserver/mywebapp/secure/Login.aspx"
protection="All"
timeout="30"
name="AppNameCookie"
path="/FormsAuth"
requireSSL="true"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
<!-- Deny access to unauthenticated users -->
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</configuration>
<!-- Allow unrestricted access to the folder with the login page -->
<location path="secure">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Add this section in your application web.config file, to deny access to all unauthenticated users to the location admin_page.aspx
<configuration>
<location path="admin_page.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
Read this for more information about Control Authorization Permissions in an ASP.NET Application
I was searching for some solution but can't find one. There is this and this ones but can't found and answer there. Im developing an asp.net application on ASP.NET development server. I have the following web.config in my root asp.net folder:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms name="4df5d465h"
loginUrl="~/login.aspx"
protection="All"
timeout="30" path="/" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
My image folder is together my main web.config at root asp.net application folder.
Inside the image folder I put the following web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="*"/>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
I put role attribute after to see if its work.
I wrote the main web.config in this way too:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms name="3D45C7D8B0B0C"
loginUrl="~/login.aspx"
protection="All"
timeout="30" path="/" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="~/image">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
But the login page never can load the images
In design mode, inside visual studio editor, the image load in login.aspx page then image tag must be ok.
What I'm doing wrong?? Thanks a lot.
#nico, thanks a lot for format my question. No im not rewriting nothing. Its most simple and default asp.net application possible. Its default template asp.net application with an link on Default.aspx and a simple login.aspx page, its a test project, the login form works but the image doesn't load.
#Chris_Lively, yes there is a web.config in image folder, its web.config with <'allow roles='*'>, i checked, the folder is named image\ , the src of image tag point to image\ its getting me crazy
Your config file contains error - 'roles'-tag cannot use asterisk, you should define specific role name (allow element) or dont use it at all.
You'll see error message 'Parser Error Message: Authorization rule names cannot contain the '*' character' in fiddler.
I think it was reason of your problem.
the following web.config file is placed in a specific sub-folder on a website. It will allow the user John.Doe to access the pages inside the folder but will deny anonymous users
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow users="John.Doe" />
<deny users="?" />
</authorization>
</system.web>
</configuration>
Is it possible to replace users in the following web.config file with certain session variable
for example getting the day(sunday, monday, etc) from date and storing it in session("DayVar")
then the code should be something like this for the subfolder monday
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow session("DayVar")="monday" />
<deny session("DayVar")<>"monday"/>
</authorization>
</system.web>
</configuration>
is this doable ?
This is not something that is built into the framework.
You could handle this via a custom base page or similar to implement that type of restriction.
All the users have to do the login before access to my site.
So i insert this code in web.config file:
<authentication mode="Forms">
<forms name="login" loginUrl="~/Login.aspx" defaultUrl="~/index.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
It works but the login page is rendered without images..
How can i do?
thanks
You need to modify the security on your image directory to allow unauthenticated users access. You can do that one of two ways:
1) You can add another Web.Config to the image directory that contains:
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
2) Update the Web.Config in your root directory with a location-specific rule:
<location path="images/">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Either change should fix the problem.