ASP.NET Forms authentications - c#

I have created a new Project > ASP.NET Web Application (with individual user accounts). To the root web.config I have added
<authentication mode="Forms">
<forms loginUrl="log.aspx" defaultUrl="about.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
in order to redirect every unauthenticated user to log.aspx (it exists in the project root). But when I run my project now I get the error
HTTP Error 404.15 - Not Found
The request filtering module is configured to deny a request where the
query string is too long.
Requested URL http://localhost:55371/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl%253D%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252FAccount%25252525252FLogin%25252525253FReturnUrl%25252525253D%2525252525252FAccount%2525252525252FLogin%2525252525253FReturnUrl%2525252525253D%252525252525252FAccount%252525252525252FLogin%252525252525253FReturnUrl%252525252525253D%25252525252525252FAccount%25252525252525252FLogin%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FAccount%2525252525252525252FLogin%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FAccount%252525252525252525252FLogin%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FAccount%25252525252525252525252FLogin%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FAccount%2525252525252525252525252FLogin%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FAccount%252525252525252525252525252FLogin%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FAccount%25252525252525252525252525252FLogin%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FAccount%2525252525252525252525252525252FLogin%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FAccount%252525252525252525252525252525252FLogin%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252FAccount%25252525252525252525252525252525252FLogin%25252525252525252525252525252525253FReturnUrl%25252525252525252525252525252525253D%2525252525252525252525252525252525252FAccount%2525252525252525252525252525252525252FLogin%252525252525252525252525252525
2525253FReturnUrl%2525252525252525252525252525252525253D%252525252525252525252525252525252525252FAbout.aspx
Physical Path
D:\Visual Studio workplace\WebApplication4\WebApplication4\Account\Login
The suggested fix is to change maxQueryString, so I did that as here. And then the error changed to
Exception Details: System.Web.HttpException: The length of the query string for this request exceeds the configured maxQueryStringLength value.
To me it looks like some infinite loop. Could you please tell me why the first error mentions /account/login which is default in this project? Also what is a solution in this situation?
I am using VS2015 with IIS Express.

When you select "Individual User Accounts" during project creation you are setting up authentication to use ASP.Net Identity which is a completely different system than Forms Authentication.
You don't want to mix them, use one or the other. But be aware Forms Auth is now much weaker security than Identity which basically sets up a modern Token server within your website.

I have seen this same error posted many times, and I have encountered the same problem myself; none of the answers were helping me, until I found the real solution to the problem.
The original question says:
"I have created new Project > ASP.NET Web Application ..." and it says he changed the web.config file.
Indeed there is an infinite loop that is occurring because the web.config is set to deny access to any unauthenticated user to every page of the site, which includes the login page itself! That is causing the loop.
In order to avoid the infinite loop one should grant access to at least the login page. I did that by placing another web.config file inside the folder where my login page is placed, with the following code inside it:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</configuration>
This grants unauthorized access to all pages inside the folder, so be sure to put your login page there and that's all.
Edited: it is important to say that this approach is using Forms Authentication.
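A complete root web.config for the setup in the original question (log.aspx / about.aspx), added here as an example and not any poster's own file: the site-wide `<deny users="?"/>` stays, and a `<location>` carve-out lets anonymous requests reach the login page itself, which is the same fix the per-folder web.config above and the `[AllowAnonymous]` answer to the next question achieve.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Unauthenticated requests are redirected here with ?ReturnUrl=<original path> -->
      <forms loginUrl="log.aspx" defaultUrl="about.aspx" />
    </authentication>
    <authorization>
      <!-- "?" is the anonymous user. On its own this rule also covers log.aspx,
           so the redirect to log.aspx is itself denied and redirected again;
           ReturnUrl nests on every hop until the request-filtering module
           rejects the query string with HTTP 404.15. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Carve-out for the login page only. Authorization rules are evaluated
       first-match-wins, and the rules of the most specific <location> (or of
       a sub-folder's web.config) are checked before the parent's, so anonymous
       users can load log.aspx and the loop is broken. Everything else still
       falls through to the site-wide deny. -->
  <location path="log.aspx">
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The "Individual User Accounts" template additionally registers the OWIN cookie middleware in Startup.Auth.cs with its own login path of /Account/Login, which is why the 404.15 URL in the question points there rather than at log.aspx; as the first answer says, keep one of the two mechanisms, not both.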

Related

Diagnosing login redirect loop

My ISP has recently had several permission issues on my site which is hosted on a shared IIS box.
My MVC5 application has no code on the default page which requires authentication, but there are areas which do
I have web-published my application to a subdirectory "test" and I'm currently getting an infinite redirect loop when I try to load any of the [AllowAnonymous] pages, which as a result gives a 404.
http://www.mywebsite.co.uk/test/Account/Login?ReturnUrl=%2Ftest%2FAccount%2FLogin%3FReturnUrl%3D%252Ftest%252FAccount%252FLogin%253FReturnUrl%253D%25252Ftest%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252Ftest%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252Ftest%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252Ftest%25252525252FAccount%25252525252FLogin%25252525253FReturnUrl%25252525253D%2525252525252Ftest%2525252525252FAccount%2525252525252FLogin%2525252525253FReturnUrl%2525252525253D%252525252525252Ftest%252525252525252FAccount%252525252525252FLogin%252525252525253FReturnUrl%252525252525253D%25252525252525252Ftest%25252525252525252FAccount%25252525252525252FLogin%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252Ftest%2525252525252525252FAccount%2525252525252525252FLogin%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252Ftest%252525252525252525252FAccount%252525252525252525252FLogin%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252Ftest%25252525252525252525252FAccount%25252525252525252525252FLogin%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252Ftest%2525252525252525252525252FAccount%2525252525252525252525252FLogin%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252Ftest%252525252525252525252525252FAccount%252525252525252525252525252FLogin%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252Ftest%25252525252525252525252525252FAccount%25252525252525252525252525252FLogin%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252Ftest%2525252525252525252525252525252FAccount%2525252525252525252525252525252FLogin%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252Ftest%252525252525252525252525252525252FAccount%2525252525252525252525
25252525252FLogin%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252Ftest%25252525252525252525252525252525252Fhome%25252525252525252525252525252525252Ffeedback
(i think this 404 is the result of a query string too long)
If I webpublish to test2 the "same" code works without this issue.
I've tried removing items from the _layout.cshtml to see if I can spot what call is causing this but after stripping all items out I still get this error.
Does anyone have any suggestions what I can use to diagnose where the problem lies?
Usually the problem is that the login page does not allow unauthorized users: you get an endless loop - the unauthorized user is not allowed to see the login page, so he is redirected to the login page to get authorization.
So you either need the [AllowAnonymous] attribute on your login action in the controller or add to web.config:
<location path="test/account/login">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>

How do I ensure I have authorization to the root page of my website?

I have a website that uses ASP.NET forms authentication using .Net 4.0 on IIS 7. I have secured the site using a third party single-sign on provider (jasig CAS), and it all works well.
The default documents list in IIS has Default.aspx at the very top.
The default page of the website is Default.aspx and it is opened to the public with the below snippet from my web.config, again this works as expected when I navigate directly to the page.
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
The problem that I'm having is that when I navigate to the root of my website ie www.mydomain.com rather than www.mydomain.com/default.aspx I am redirected to the forms authentication page.
Surely this is the same page, and is subject to the same authorization rules?
I am stuck on this, and do not know where to turn.
There is a similar question in Stack Overflow:
Allowing anonymous access to default page
In Global.asax, place the following code in the Application_BeginRequest method:
// A request for the bare application root ("~/") has no file name, so the
// <location path="Default.aspx"> rule never matches it. Rewriting the path
// makes URL authorization evaluate the request as default.aspx.
if (Request.AppRelativeCurrentExecutionFilePath == "~/")
{
    HttpContext.Current.RewritePath("default.aspx");
}
I ended up using this code (the same as above), but it had to go in the OnBeginRequest method in the CasAuthenticationModule
if (Request.AppRelativeCurrentExecutionFilePath == "~/")
HttpContext.Current.RewritePath("default.aspx");

Authorizing a single aspx page with log in

I have an ASP.NET application where I have a page named foo.aspx where some secured data is placed.
I want to deny access to this page to users who are not logged in, and this login Username and Password must be set by me in web.config or somewhere else.
But I have a problem: there is already an Admin Panel which is restricted to normal users
by a Username/Password I have set in web.config using authentication mode set to forms.
Now how can I restrict the foo.aspx page, as the authentication code can't be duplicated, and I also want a separate login page.
In web.config, you could define <location> elements (after the system.web closing tag) where you set a specific configuration for a specific zone/page of your app.
Eg:
<configuration>
<system.web>
....
</system.web>
<location path="Foo.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
There, you may set a different authorization mode than the one in use by your app.
With the above example, your page won't be protected by the standard authorization mode configured globally, but you have the choice to protect your page in a custom way, directly in the page itself.
At the top of your foo.aspx page (in Page_Load) you have
// Anyone who is not logged in is sent to foo's own login page before any
// secured data is rendered. "FooLogin.aspx" is a placeholder for that page.
if (!Request.IsAuthenticated)
{
    Response.Redirect("~/FooLogin.aspx");
}
This will make sure that they are logged in before they can even access the foo page.
The best way to achieve this is to have two different asp.net applications. You can still configure your IIS to have your Foo application in another folder / subdomain.
You can, however, try to develop your own AuthenticationModule which will need to have a list of urls protected by Admin-authent and a list of urls protected by Foo-authent, each one with its specific Login page and a default login-pwd pair or a table of users. Here's a tutorial for developing custom Authent module : http://www.codeproject.com/Articles/5353/Custom-Authentication-provider-by-implementing-IHt
Good Luck
You can add your page foo.aspx to a folder and protect this folder by adding a new web.config file.
For example:
Folder
-foo.aspx
-web.config
in new web.config file
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>

asp.net basic authentication

I have an intranet site with basic authentication.
Is it possible to have just one page not ask for the credentials?
As in, allow access to anyone just for the one page?
Can something be set in web.config for the single page?
Add the following element to the configuration node of your web.config:
<location path="aFolder/aPageToExclude.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
For more info and usage have a look at the MSDN documentation: Location Element (ASP.NET Settings Schema)
What I do is that I don't use ASP.Net Authentication. What I do is when the user enters their username and password, I check the database for if a row with that username and password exists.
You can do that using objDataSet.Tables[0].Rows.Count > 0. You can put that in an 'if' condition and then take the username and put it in a session. You do this like this:
Session["username"] = (Username Variable Here). Then, you create two master pages, one is for pages that are only accessible to a logged in person, and one that is accessible for anyone. In the master page that only gives access to a person who is logged in, you can check if the session data is null or not. If it is null, you can redirect that person back to the login page. The LoggedIn master page can just stay as is. If you already have a master page, then you can duplicate it, and add that condition. If you have not implemented master pages yet, you can put the condition in the page load of every page that needs a user to be logged in to access that page. Because you are using sessions and not cookies, it will be harder for a user to hack into this system.
You need to override your web.config file settings.
You need to create one folder and create one more web.config file in that folder.
Then put Page.aspx in that folder.
Then modify that web.config file code like below:
<authentication mode="Forms">
</authentication>
Note:
1) You don't have to mention users="*"; it automatically allows all users to access the pages under that folder.
or
What you can do is if you are already using directory structure for pages, then you can keep that page.aspx in the same level where you have Login page.

How to use Single Sign On in a web app

I have an ASP.NET 2.0 web application(C#) where I wanted to enable Single Sign On. I want only certain users to have access to all the pages, but others to only see a few pages. What changes do I need to make to my Web.config file, and what code would I need in my code-behind for the pages?
Thank you
Fortunately, ASP.NET was built with this exact kind of scenario in mind.
A quick example here would be the following project structure:
LoginPage.aspx
Default.aspx
web.config
/Protected
MembersOnlyPage.aspx
web.config
If I have understood you correctly, you can simply drop a 'web.config' file into the 'Protected' folder shown above. That web.config file should look like:
<system.web>
<authorization>
<allow users="Bob, Jane, Mary" />
<!-- Rules are first-match-wins and are merged with the parent config, whose
     default ends in <allow users="*"/>; without this deny everyone else
     would still be let in. -->
<deny users="*" />
</authorization>
</system.web>
Read up on the <allow> and <deny> elements of <authorization>, because you can also use the 'roles' attribute instead of 'users' to specify groups of users who should have access, or be denied access.
You'll then need to modify the root web.config file to "turn on" forms authentication. Add something like:
<authentication mode="Forms" >
<forms loginUrl="LoginPage.aspx" name=".ASPNETAUTH" protection="All" path="~/" timeout="20">
</forms>
</authentication>
... to your <system.web> element.
Now, all you have to do is wire up your LoginPage.aspx to log the user in. You can use the standard ASP.NET Login control for this purpose, and if you want to use your own database for authentication/authorisation, you can intercept the login control's events to do whatever you need to.
For the quickest, most basic solution, check out the following video:
http://www.asp.net/learn/videos/video-45.aspx
Hope this helps
/Richard
