SSB.Web.Mvc.MvcCaptcha
The image does not appear if forms authentication is turned on
in the web.config file:
<authorization>
<deny users="?" />
</authorization>
Then the image does not appear.
How do I fix that?
The plug-in is SSB.Web.Mvc.MvcCaptcha
from http://www.smartsoftwarebits.com/mvccaptcha
Add the following section to the web.config <configuration> section to authorize anonymous access to the MvcCaptcha controller.
<location path="MvcCaptcha">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
I have a folder, ~/Account that has numerous pages in it. I want all the pages protected from anonymous access except the Login.aspx page (for obvious reasons). I cannot seem to come up with the correct web.config to do this. Here is the one I have at present:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="~/Account/Login.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
Can anyone give me a hand at the correct settings? Thanks!
I'm developing a project on localhost, and I want any page except home.aspx, contact.aspx, about.aspx and services.aspx to redirect to login.aspx if the user is not logged in.
The second thing is that I'm getting an "object reference not set to an instance of an object" error in the code below.
I want the user to be redirected to login.aspx when the session expires as well.
I'm trying to secure my project pages. Thanks, and sorry for my bad English.
protected void Page_Load(object sender, EventArgs e)
{
welcome.InnerText = Session["name"].ToString();
}
Put the following in the system.web section of your web.config.
<authorization>
<deny users="?" />
</authorization>
The above will not allow access to any page in website by unauthenticated users. Now add a section for each page that you want unauthenticated users to access by using the following configuration in web config file. Add the config below just before the closing configuration tag.
I am assuming all allowed pages are under your website's root.
<location path="Home.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
Sample Web Config using above sections
<configuration>
<system.web>
<authentication mode="Forms" />
<!--this is the first part-->
<authorization>
<deny users="?" />
</authorization>
<sessionState mode="InProc" cookieless="false" timeout="540"/>
<compilation debug="true" targetFramework="4.0"/>
</system.web>
<!--this is the second part-->
<location path="Home.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="Services.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="Contact.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="About.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
</configuration>
NOTE: If the pages you want unauthenticated users to be able to access are not under the website root but under some folder, like customer/Services.aspx, then make sure to replace the path with customer/Services.aspx in the above configuration. This is shown below.
Config when allowed page is NOT under website root but under some folder
<location path="customer/Services.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
Regarding your second issue, you should check whether the session variable name exists when getting its value. So, you need to use code as below.
Second Issue Resolution
protected void Page_Load(object sender, EventArgs e)
{
if (Session["name"] != null)
{
welcome.InnerText = Session["name"].ToString();
}
}
What #Sunil contributed will deny unknown users. That way if the session has expired, the user will be denied access. The issue is that this will block access to the whole site, and #Hameed is asking for specific pages to still be accessible. The way that I typically structure the site is to put the un-secure pages in the root, and put the secure pages in a subdirectory. Then create a new web.config file for the security.
When I add the following code to web.config to prevent unauthorized users from accessing the ASP.NET web app
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
I get the following error when loading the Login.aspx form
In Internet Explorer 11
JavaScript critical error at line 2, column 1 in
http://localhost:2968/Account/Login.aspx?ReturnUrl=/bundles/WebFormsJs?v=q9E9g87bUDaS624mcBuZsBaM8xn2E5zd-f4FCdIk2cA1&v=q9E9g87bUDaS624mcBuZsBaM8xn2E5zd-f4FCdIk2cA1
SCRIPT1002: Syntax error
And in Google Chrome
Uncaught SyntaxError: Unexpected token <
http://localhost:2968/Account/Login.aspx?ReturnUrl=%2fbundles%2fWebFormsJs%3fv%3dq9E9g87bUDaS624mcBuZsBaM8xn2E5zd-f4FCdIk2cA1&v=q9E9g87bUDaS624mcBuZsBaM8xn2E5zd-f4FCdIk2cA1
You need to add location directives also to allow access to your Scripts and Content folder (JS and CSS) for unauthorized users:
<location path="Content">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Scripts">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Also, as you're using bundles, add the bundles folder too:
<location path="Bundles">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
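The behaviour discussed in the answers above (a site-wide deny users="?" also catching script bundles, and location blocks opening specific paths) can be checked offline with a small rule evaluator. This is an added example, not code from any of the posts; the sample web.config is constructed, the function names are hypothetical, and the model is simplified to the users attribute only (no roles or verbs).

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the snippets in this thread.
WEB_CONFIG = """
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <location path="Bundles">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <location path="Account/Login.aspx">
    <system.web><authorization>
      <allow users="?" /><deny users="*" />
    </authorization></system.web>
  </location>
</configuration>
"""

def _rules(node):
    """(action, users) pairs, in document order, for one <authorization> block."""
    auth = node.find("system.web/authorization")
    if auth is None:
        return []
    return [(r.tag, [u.strip() for u in r.get("users", "").split(",")]) for r in auth]

def is_allowed(config_xml, request_path, user=None):
    """Simplified URL authorization: first matching rule wins. user=None is anonymous."""
    root = ET.fromstring(config_xml)
    req = request_path.strip("/").lower()
    scoped = []
    for loc in root.findall("location"):
        p = loc.get("path", "").strip("/").lower()
        if req == p or req.startswith(p + "/"):
            scoped.append((len(p), _rules(loc)))
    # Most specific <location> rules are checked first, then the site-wide rules.
    chain = [r for _, rs in sorted(scoped, key=lambda t: -t[0]) for r in rs]
    chain += _rules(root)
    for action, users in chain:
        # "?" matches only anonymous requests; "*" matches every request.
        if "*" in users or (user is None and "?" in users) or user in users:
            return action == "allow"
    return True  # machine-level default is <allow users="*"/>
```

Because "?" matches only anonymous requests, the allow/deny pair on Account/Login.aspx in the sample admits anonymous visitors but turns away a signed-in user, which is worth checking for whenever a deny users="*" follows an allow users="?".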
In my web.config I have this authentication setting:
<authentication mode="Forms">
<forms loginUrl="login.aspx" name="signin" path="/" protection="All" timeout="525600">
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
For some reason, if I comment it out I can see my website just perfectly with all the assets (js, css, images), but if I uncomment it, none of the assets can be reached; instead it just redirects to the login page.
Here is a nice in-depth article for you. Basically, it says you can configure this in your web.config by adding <location> blocks like so:
<configuration>
<!-- file level access -->
<location path="default1.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<!-- folder access (and its contents) -->
<location path="subdir1">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
From this KB article and a bit more info here.
Use the location element.
<location path="~/css">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
Looks like assets are served via ASP.NET pipeline. Check the following topic:
Prevent IIS from serving static files through ASP.NET pipeline
The deny users="?" is saying that no unauthenticated users can access the site at the root and it will redirect to the login page. I normally always keep the root (/) public (allow users="*") and have protected folders set up using the location. That will keep images, css and script folders under the root available for public access.
This should probably work for you if you can move your protected pages into another folder easily:
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="login.aspx" name="signin" path="/" protection="All" timeout="525600">
</forms>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
<location path="protected">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
In my web application, an authenticated user can access the URL localhost/mydata.aspx, but if an unauthenticated user types this URL he can also access the page.
So how do I prevent unauthorized users from accessing this page and, if they do, redirect them to login.aspx?
Add the following in your web.config file under the configuration section:
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
And if you want to restrict access to a particular folder:
<location path="FolderPath">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
This will allow access to an unauthenticated user:
<location path="LoginPage.Aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>