I have a site that uses forms authentication site wide, with some pages within as exceptions where they are allowed to be viewed with anonymous access. I want the default doc, index.aspx, to be viewable via anonymous access. It grants me access if I specify index.aspx in the URL, but if I type in the domain name only, I get redirected to connectionTest.aspx (the login page for the site). I have confirmed that index.aspx is the default doc. So there's something wrong with my web config entry for index.aspx:
<authentication mode="Forms">
  <forms name=".ASPXAUTH" loginUrl="connectionTest.aspx" timeout="30" />
</authentication>
<sessionState mode="InProc" cookieless="false" timeout="30" />
<authorization>
  <deny users="?" />
</authorization>
<location path="~/index.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="index.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
Your issue arises because you did not declare the domain on the forms authentication. Because the authentication is based on a cookie and you need to access the site without the www. in front, you need to declare it as:
<authentication mode="Forms">
  <forms name=".ASPXAUTH" domain="demo.com" loginUrl="connectionTest.aspx" timeout="30" />
</authentication>
When you set the domain without the www. in front, all cookies from the domain are the same one; if you do not declare that, each cookie depends on the sub-domain and they are different, so you get logged out.
The same holds for the cookie itself.
Similar answer : Multiple applications using same login database logging each other out
I am trying to set up a forms authentication application where all pages are accessible to authenticated users with the exception of the login page which is open to all or anonymous users.
I set up web.config like below:
<system.web>
  <authentication mode="Forms">
    <forms name=".ADAuthCookie" loginUrl="~/Login.aspx" timeout="3"/>
  </authentication>
  <authorization>
    <deny users="?"/>
  </authorization>
  ...
</system.web>
....
<location path="Login.aspx">
  <system.web>
    <authorization>
      <allow users="?"/>
      <!-- also tried this
      <allow users="*"/>
      -->
    </authorization>
  </system.web>
</location>
I also set the start page (in VS 2019) to login.aspx. When I run it I still get:
Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server.
I solved the problem by moving login.aspx to a folder (I called it Account). I added a web.config in this folder with content:
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</configuration>
I removed the "location" part from main web.config. So it looks like:
<system.web>
  <authentication mode="Forms">
    <forms name=".ADAuthCookie" loginUrl="~/Account/Login.aspx" timeout="3"/>
  </authentication>
  <authorization>
    <deny users="?"/>
  </authorization>
  ....
</system.web>
I cannot seem to isolate my forums to set different permissions for them than the rest of the site.
Here is the setup for my site.
<location path=".">
  <system.web>
    <authentication mode="None" />
  </system.web>
</location>
I need to isolate my forums. At the moment, for testing purposes, I have it setup so that all users are denied access.
<location path="~/public/public-forum.aspx">
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="public/login.aspx" />
    </authentication>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</location>
What I'm finding is that I can still access the forum page. This suggests to me that this isn't setup correctly.
Does the path attribute have to be relative? Does it have to point to the URL that the page is accessed through or the rewritten path? ~/public/public-forum.aspx is a virtual path that is rewritten, so neither the directory nor the file exists with those names. Why does this currently not work?
I hope that's enough detail for a solution.
edit2:
So the solution isn't only in the comments:
As far as I know, you cannot specify an authentication mode per location.
You could set the forms authentication mode throughout your site and only require logged-in users in the secure parts.
edit:
Mmmh, strange, are you sure you only edited the ~ away?
They discuss your problem here, but I can't imagine how changing the ~ would trigger it.
Could you perhaps post your entire web.config?
Also: are you using IIS 6 and virtual directories?
The ~ sign is not needed, try this:
<location path="public/public-forum.aspx">
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="public/login.aspx" />
    </authentication>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</location>
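The two points made in this exchange (location paths are written without a leading ~, and authentication cannot be set per location) can be checked mechanically before a config is deployed. This is an added example, not code from any of the posts: the sample config is constructed, lint_locations is a hypothetical helper, and the third check is included because ASP.NET only recognises the authorization section inside system.web.

```python
import xml.etree.ElementTree as ET

# Constructed sample reproducing the <location> patterns posted in this thread.
SAMPLE = """<configuration>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="login.aspx" /></authentication>
    <authorization><deny users="?" /></authorization>
  </system.web>
  <location path="~/public/public-forum.aspx">
    <system.web>
      <authentication mode="Forms" />
      <authorization><deny users="*" /></authorization>
    </system.web>
  </location>
  <location path="img">
    <authorization><allow users="*" /></authorization>
  </location>
  <location path="stylesheet.css">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
</configuration>"""

def lint_locations(xml_text):
    """Return (path, finding) tuples for each <location> problem found."""
    findings = []
    root = ET.fromstring(xml_text)
    for loc in root.findall("location"):
        path = loc.get("path", "")
        # The answers here use paths relative to the web.config, no ~ or / prefix.
        if path.startswith(("~", "/")):
            findings.append((path, "leading ~ or / in path; use a relative path"))
        # Authentication mode is application-wide, not per location.
        if loc.find("system.web/authentication") is not None:
            findings.append((path, "authentication cannot be set per location"))
        # Only direct children are matched, so a correctly nested section passes.
        if loc.find("authorization") is not None:
            findings.append((path, "authorization must be nested in system.web"))
    return findings

if __name__ == "__main__":
    for path, finding in lint_locations(SAMPLE):
        print(f"{path}: {finding}")
```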
In my web.config I have this authentication setting:
<authentication mode="Forms">
  <forms loginUrl="login.aspx" name="signin" path="/" protection="All" timeout="525600">
  </forms>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
For some reason, if I comment it out I can see my website just perfectly with all the assets (js, css, images), but if I uncomment it, none of the assets can be reached, instead it just redirects to login page.
Here is a nice in-depth article for you. Basically, it says you can configure this in your web.config by adding <location> blocks like so:
<configuration>
  <!-- file level access -->
  <location path="default1.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <!-- folder access (and its contents) -->
  <location path="subdir1">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
From this KB article, and a bit more info here.
Use Location element.
<location path="~/css">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
Looks like assets are served via ASP.NET pipeline. Check the following topic:
Prevent IIS from serving static files through ASP.NET pipeline
The deny users="?" is saying that no unauthenticated users can access the site at the root and it will redirect to the login page. I normally always keep the root (/) public (allow users="*") and have protected folders set up using the location. That will keep images, css and script folders under the root available for public access.
This should probably work for you if you can move your protected pages into another folder easily:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name="signin" path="/" protection="All" timeout="525600">
      </forms>
    </authentication>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
  <location path="protected">
    <!-- authorization has to sit inside system.web, also within a location element -->
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
In ASP.NET, I use this config section to deny anonymous users for all pages.
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
<authorization>
  <deny users="?" />
</authorization>
And I use the following to declare an exception that anonymous users can access.
<location path="Welcome.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
That works fine for me.
However, how can I set only the default page as an exception?
(Such as: anonymous can access only http://mysite/, but can NOT access any other pages in the site?)
I've tried using location path="~/" or "/" and it doesn't work.
If path="Default.aspx" doesn't work then it cannot be done using configuration. There's no syntax available to specify only the application root in the path attribute.
I think you can change your folder structure to achieve this. Then you can change the web.config to deny users:
<configuration>
  <system.web>
    <authorization>
      <allow roles="administrators" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
I am doing simple forms authentication for a small ASP.NET (3.5, C#) application and setting up my usernames and passwords in the web.config.
I would like to apply the default stylesheet and include the header graphic (included on every other page) but the graphic and stylesheet won't apply, presumably because the anonymous user doesn't have access to those two files. Is there some easy way for me to add them or some other way to make the image appear on the page?
Here is the relevant section of the web.config:
<authentication mode="Forms">
  <forms name=".ASPXFORMSAUTH"
         path="/"
         loginUrl="login.aspx"
         protection="All" timeout="30">
    <credentials passwordFormat="SHA1">
      <user
        name="testuser"
        password="hashgoeshere"/>
    </credentials>
  </forms>
</authentication>
<authorization>
  <deny users="?" />
</authorization>
The stylesheet is at:
/stylesheet.css
and the image is at:
/img/logoimage.png
Thanks. This site makes me happy because hopefully it will make Experts Exchange and their lame paywall DIE!
You can add exceptions in your Web.Config using location-specific rules (add these after the System.Web section):
<location path="stylesheet.css">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
<location path="img/">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
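ASP.NET URL authorization walks the allow/deny rules from the most specific configuration scope outward and stops at the first rule that matches the request, which is why a root deny users="?" hides the stylesheet and image until a location exception is added. The model below is an added example, not code from any of the posts: the config is constructed from rules quoted in this thread, and rules_for and is_allowed are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed config: root rules plus the two anonymous exceptions from the thread.
CONFIG = """<configuration>
  <system.web>
    <authorization><allow roles="administrators" /><deny users="?" /></authorization>
  </system.web>
  <location path="stylesheet.css">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <location path="img">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
</configuration>"""

def rules_for(root, url_path):
    """Collect allow/deny rules, most specific <location> first, root last."""
    url = url_path.strip("/").lower()
    scopes = []
    for loc in root.findall("location"):
        p = loc.get("path", "").strip("/").lower()
        # A location applies to the exact file or to everything under a folder.
        if url == p or url.startswith(p + "/"):
            scopes.append((len(p), loc))
    ordered = [loc for _, loc in sorted(scopes, key=lambda s: -s[0])] + [root]
    rules = []
    for scope in ordered:
        rules.extend(scope.findall("system.web/authorization/*"))
    return rules

def is_allowed(config_xml, url_path, user=None, roles=()):
    """First matching rule wins; user=None models an anonymous request."""
    for rule in rules_for(ET.fromstring(config_xml), url_path):
        users = [u.strip() for u in rule.get("users", "").split(",") if u.strip()]
        wanted = [r.strip() for r in rule.get("roles", "").split(",") if r.strip()]
        hit = ("*" in users or (user is None and "?" in users)
               or (user is not None and user in users)
               or any(r in roles for r in wanted))
        if hit:
            return rule.tag == "allow"
    return True  # models the machine-level default <allow users="*"/>

if __name__ == "__main__":
    for path in ("/stylesheet.css", "/img/logoimage.png", "/default.aspx"):
        print(path, "anonymous allowed:", is_allowed(CONFIG, path))
```

Running it over a real web.config for each public URL gives a quick inventory of what an anonymous visitor can reach; anything unexpectedly allowed is an exception worth reviewing.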