In my web.config I have this:
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx" protection="All" path="/" timeout="30"/>
</authentication>
<sessionState timeout="20" />
</system.web>
<location path="admin">
<system.web>
<authorization>
<deny users="*"/>
<allow users="admin"/>
</authorization>
</system.web>
</location>
I have two problems:
In my admin path I want only the admin user to have access but I can't find a way to do this. How can I make only the admin user have access?
The user always gets logged out, even if I try to use cookies so that he shouldn't be logged out. In my login.aspx I have the following code when the user is valid:
FormsAuthentication.RedirectFromLoginPage(user, CheckBoxPersistCookie.Checked);
How can I make the user stay logged in?
Try putting the <allow> line over the <deny> line.
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx" protection="All" path="/" timeout="30"/>
</authentication>
<sessionState timeout="20" />
</system.web>
<location path="admin">
<system.web>
<authorization>
<allow users="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
As I understand it, you have a 30 mins timeout in your authentication cookie and 20 minutes in your session cookie. It seems that, as the session will expire in 20 minutes, it will then be impossible to use the authentication cookie too.
It is a little tricky if you want to leave the user logged in. I know that it is possible to implement it using JavaScript and an invisible iframe. You need to reload the iframe every 5 minutes, for example. Your session will be live and local cookies updated.
Related
Problem: Forms authentication appears set up correctly. When running the following lines, the application is redirected back to the login page. No calls to other pages are made.
e.Authenticated = true;
FormsAuthentication.RedirectFromLoginPage(Login1.UserName, true);
Web.config
<system.web>
<authentication mode="Forms">
<forms name=".ASPXFORMSDEMO" loginUrl="login.aspx" protection="All" path="/" timeout="180" enableCrossAppRedirects="true" domain="xyz.com"/>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
The problem was with the web.config. The test workstation where this was set up did not like the part...
domain="xyz.com"
Removing that made the entire thing work.
I'm using a login and a database to check if a user is in there, then send the user to my "locked" page.
It works nice and all but only from Default.aspx, but the user can click around to other pages but the form is on all my pages until the user logs in.
How do I change this to work on all my pages, that includes when the user wants to log off:
<authentication mode="Forms">
<forms loginUrl="Default.aspx" defaultUrl="inloggad/rosta.aspx">
<credentials passwordFormat="Clear">
</credentials>
</forms>
</authentication>
You have to create the roles such as customer, admin and then add the following in your web.config.
<location path="/">
<system.web>
<authorization>
<allow roles="Administrators" />
<allow roles="customers" />
<deny users="*" />
</authorization>
</system.web>
</location>
I'm working on an ASP.NET Web Forms application where I have a folder called Account at the root, which contains mainly three ASPX pages: Login.aspx, ChangePassword.aspx, ForgotPassword.aspx.
I've configured forms authentication with custom membership provider.
web.config
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" slidingExpiration="true" timeout="2880" path="/" protection="All" />
</authentication>
<membership defaultProvider="CustomMembershipProvider">
<providers>
<clear/>
<add name="CustomMembershipProvider"
type="App_Code.CustomMembershipProvider, Portal.Web"
connectionStringName="PortalConnectionString"
applicationName="/" />
</providers>
</membership>
If I try to access the pages in the Account folder other than Login.aspx, I'm redirected to Login.aspx, and currently I'm avoiding forms authentication for the other two pages like below:
<location path="Account/ChangePassword.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Account/ForgotPassword.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Instead of specifying individual pages like above, can I combine them? I tried specifying the folder name Account in the path attribute but that's not working.
The next thing is I have another page called Dashboard.aspx in the root, and whenever I directly access it I thought I would be redirected to the Account/Login.aspx page, but it's not happening. Why?
You definitely can specify a folder as the path attribute - try removing the trailing / if you'd left it on, e.g.
<location path="account">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
However, because you want to protect the other pages inside the account folder, you will need to override for the pages specifically available for anonymous users, such as Login.aspx and ResetPassword.aspx. You cannot combine multiple file entries.
As for why Dashboard.aspx is redirecting, there must be something else in the config you've not posted here which is causing that.
So I have set up my web.config to authenticate forms. I have the two pieces of code in my web.config but it is acting strange. When you go to www.mysite.com it redirects to the login.aspx page, but when you go to www.mysite.com/default.aspx it does not redirect. Why is it doing this? I also have the default doc set as default.aspx.
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" timeout="2880" defaultUrl="account/default.aspx" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
As clearly shown in the config file, you have allowed unauthenticated users to access "default.aspx" URL explicitly. There is no such thing for "/" URL. Note that it does not matter that they (might) end up pointing to the same physical file on disk eventually. Only the URL matters for authorization purposes. You can clone your <location> tag and simply have another one for path="/" that allows access to all users, regardless of their authentication status.
I have a login page which is the home page, so it is located at www.domainname.com.
When someone goes to this page it adds a returnurl to the string so they are at:
www.domainname.com/default.aspx?ReturnUrl=%2f so when they log in they get returned to http://www.domainname.com/, which is the login page again, so to access the site they have to log in twice.
Does anyone know how to fix this? I think a fix to this would be to allow everyone access to the home page - http://www.domainname.com/ as well as http://www.domainname.com/default.aspx but I'm not sure how to achieve this.
I want all user roles to be denied access to every page apart from the home page before they log in. I also have an admin/cms section that only Admin roles can access, but everyone can access the cms login page.
I currently have this in my web.config
<authentication mode="Forms">
<forms protection="All" loginUrl="default.aspx" defaultUrl="~/home/" />
</authentication>
<authorization>
<allow roles="Admin, User"/>
<deny users="?" />
</authorization>
<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="cms/default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="cms">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Well, I seem to have done it a bit by luck.
I just changed
<authentication mode="Forms">
<forms protection="All" loginUrl="default.aspx" defaultUrl="~/home/" />
</authentication>
To
<authentication mode="Forms">
<forms protection="All" loginUrl="/" defaultUrl="~/home/" />
</authentication>
You should send them to the page you want them to default to. What you should do is create the login page on a separate page (login.aspx, for instance) and then make the default.aspx page the home page. Then when they go to default.aspx they will be redirected to login.aspx?ReturnURL=%2f .
Yes, we can use the above solution. One problem here is when we are using SEO implementation. To achieve your requirement, you can use URLRewrite.
http://weblogs.asp.net/scottgu/archive/2010/04/20/tip-trick-fix-common-seo-problems-using-the-url-rewrite-extension.aspx