I have an intranet site with basic authentication.
Is it possible to have just one page not ask for the credetials?
As in allow access to anyone just for the one page?
Can something be set in web.config for the single page?
Add the following element to the configuration node you web.config:
<location path="aFolder/aPageToExclude.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
For more info and usage have a look at the MSDN documentation: Location Element (ASP.NET Settings Schema)
What I do is that I don't use ASP.Net Authentication. What I do is when the user enters their username and password, I check the database for if a row with that username and password exists.
You can do that using objDataSet.Tables[0].Rows.Count > 0. You can put that in an 'if' condition and then take the username and put it in a session. You do this like this:
Session["username"] = (Username Variable Here). Then, you create two master pages, one is for pages that are only accessible to a logged in person, and one that is accessible for anyone. In the master page that only gives access to a person who is logged in, you can check if the session data is null or not. If it is null, you can redirect that person back to the login page. The LoggedIn master page can just stay as is. If you already have a master page, then you can duplicate it, and add that condition. If you have not implemented master pages yet, you can put the condition in the page load of every page that needs a user to be logged in to access that page. Because you are using sessions and not cookies, it will be harder for a user to hack into this system.
you need to overwrite your web.config file settings.
you need to create one folder and create one more web.config file in that folder.
Then put Page.aspx in that folder.
Then modify that web.config file code like below:
<authentication mode="Forms">
</authentication>
Note:
1) you don't have to mention users=* it's automatically allows all the users to access those pages under that folder.
or
What you can do is if you are already using directory structure for pages, then you can keep that page.aspx in the same level where you have Login page.
Related
I have created new Project > ASP.NET Web Application (with individual user accounts). To root web.config I have added `
<authentication mode="Forms">
<forms loginUrl="log.aspx" defaultUrl="about.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>`
in order to redirect every not authenticated user to log.aspx (it exists in project root). But when I run my project now I got error
HTTP Error 404.15 - Not Found
The request filtering module is configured to deny a request where the
query string is too long.
Requested URL http://localhost:55371/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl%253D%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252FAccount%25252525252FLogin%25252525253FReturnUrl%25252525253D%2525252525252FAccount%2525252525252FLogin%2525252525253FReturnUrl%2525252525253D%252525252525252FAccount%252525252525252FLogin%252525252525253FReturnUrl%252525252525253D%25252525252525252FAccount%25252525252525252FLogin%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FAccount%2525252525252525252FLogin%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FAccount%252525252525252525252FLogin%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FAccount%25252525252525252525252FLogin%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FAccount%2525252525252525252525252FLogin%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FAccount%252525252525252525252525252FLogin%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FAccount%25252525252525252525252525252FLogin%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FAccount%2525252525252525252525252525252FLogin%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FAccount%252525252525252525252525252525252FLogin%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252FAccount%25252525252525252525252525252525252FLogin%25252525252525252525252525252525253FReturnUrl%25252525252525252525252525252525253D%2525252525252525252525252525252525252FAccount%2525252525252525252525252525252525252FLogin%2525252525252525252525252525252525253FReturnUrl%2525252525252525252525252525252525253D%252525252525252525252525252525252525252FAbout.aspx
Physical Path
D:\Visual Studio workplace\WebApplication4\WebApplication4\Account\Login
Suggested fix is change maxquerystring so I did it as here. And then error changed
Exception Details: System.Web.HttpException: The length of the query string for this request exceeds the configured maxQueryStringLength value.
To me it looks like some infinite loop. Could you please tell me why the first error mentions /account/login which is default in this project? Also what is a solution in this situation?
I am using VS2015 with IIS Express.
When you select "Individual User Accounts" during project creation you are setting up authentication to use ASP.Net Identity which is a completely different system than Forms Authentication.
You don't want to mix them, use one or the other. But be aware Forms Auth is now much weaker security than Identity which basically sets up a modern Token server within your website.
I have seen this same error posted many times and as I have encountered the same problem myself and all of the answers were not helping me, until I found the real solution to the problem.
The original question says:
"I have created new Project > ASP.NET Web Application ..." and it says he changed the web.config file.
Indeed there is an infinite loop that is occuring because the web.config is set to deny access to any unauthenticated user to every page of the site that is including the login page itself! That is causing the loop.
In order to avoid the infinite loop one should grant access to at least the login page. I made that, placing another web.config file inside the folder where my login page is placed, and with the following code inside it:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</configuration>
This grants unauthorized access to all pages inside the folder, so be sure to put your login page there and that's all.
Edited: it is important to say that this approach is using Forms Authentication.
I have created a Login page that is only for admins (so there is no need to check if the user is admin or not). The page does the check against a database where the username and password is stored. I am able to successfully check the name/password against the database and then transfer the user to the admin page, however, I noticed that I can still type http://localhost:xxxxx/AdminPage and it will take me there. How do I stop people from doing this? I have tried adding
<authorization><deny users="?"/></authorization>
to the web.config file, which stops all anonymous users from entering, but now I need to know how to allow users from the database to be given permission. (NOTE: this is not a normal Login to Default setup. This is directing to a page other than Default)
You can user role based authorization described here.
If you use default ASP role system, you need to add some code to web.config:
<location path="your_page" >
<system.web>
<authorization>
<deny users="?"/>
<allow roles="Admin"/>
</authorization>
</system.web>
</location>
I Have an ASP.net application where I have a page named foo.aspx where some secured data is placed.
I want to denny the access to this page to users not logged in, and this login Username and Password must set by me in web.config or somewhere else.
But I have a problem that there is already a Admin Panel which is restricted to normal users
by Username , Password I have set in web.config using authentication mode set to forms.
Now how can I restrict foo.aspx page as authentication code can't duplicate and also want separate log in page.
In web.config, you could define elements (after system.web closure) where you set a specific configuration for a specific zone/page of your app.
Eg:
<configuration>
<system.web>
....
</system.web>
<location path="Foo.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
There, you may set a different authorization mode than the one in use by your app.
With the above example, your page won't be protected by the standard authorization mode configured globally, but you have the choiche to protect your page in a custom way, directly in the page itself.
At the top of your foo.aspx page you have
if(login == false)
send them to login page;
This will make sure that they are logged in before they can even access the foo page.
The best way to achieve this is to have two different asp.net applications. You can still configure your IIS to have your Foo application in another folder / subdomain.
You can, however, try to develop your own AuthenticationModule which will need to have a list of urls protected by Admin-authent and a list of urls protected by Foo-authent, each one with its specific Login page and a default login-pwd pair or a table of users. Here's a tutorial for developing custom Authent module : http://www.codeproject.com/Articles/5353/Custom-Authentication-provider-by-implementing-IHt
Good Luck
You can add your page foo.aspx to a folder and you can protect this folder by adding a new web.config file
for example ,
Folder
-foo.aspx
-web.config
in new web.config file
<?xml version="1.0" encoding="utf-8"?><configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
Can some one please help me to get an idea on this? I have a C# website application in which I want to do authorization for accessing the documents in website directory.
If user requests for a document say pdf through a link in my website, http://www.mywebapp.com/documents/test.pdf , before opening the test.pdf in browser, I actually want to verify the user is authorized to access the pdf based on role he got. I have enabled forms authentication for the folder "documents" in IIS and system is redirecting to login page if user is not authenticated. I'm all good with that, but stuck with authorization.
I can't set the roles in web.config since it would different for different users. User role is stored in httpcookie for that particular user.
And in my documents folder there would be different documents targeted for different roles.
Say test.pdf for role called vendor. So only vendors can access this pdf
Another document form.pdf for role supplier- only users with role supplier can see this pdf .
Should I write some handler to execute before loading the pdf in browser?
Or when ever requests comes as /documents/ should I have a URL rewrite to execute an aspx page to verify the authorization and if authorized display the page?
Can anybody please help me to get an idea on how to implement this authorization.
Appreciate your help!
Thanks,
KK
Looks like your question is "how I can check cookie value on my page and return stream of a file with correct document type when cookie is ok".
make sure you are handling all request (much easier to do using MVC than WinForms, but possible in later too)
read and verify cookie
return file if check passed, don't forget to set "content-diposition" and "content-type" headers. Again File result in MVC is easier to use... Make sure to read file content under correct account if using impersonation.
You can add following code to web.config and try
<location path="documents/test.pdf ">
<system.web>
<authorization>
<allow roles="Vendors"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="documents/form.pdf ">
<system.web>
<authorization>
<allow roles="Role Supplier"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
i m relatively new to C# and ASP.NET and I am having trouble designing an authentication system.
I have created a website where the user has to login, after which he can access various pages in this site. When the user clicks a logout link, he returns to the login page and is given the message "you have successfully logout." Now how do I prevent the user from typing the URL of one of the internal pages, bypassing my authentication? While working with PHP, I used session_start() and ob_end_flush() at the beginning and the end of each page to control authentication. What is a similar model in ASP.NET?
Also how do I include a .cs file from app_code folder to a aspx.cs?
If you are using FormsAuthentication, this is simple to do using configuration in web.config.
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="default.aspx" protection="All" path="/" slidingExpiration="true" timeout="60" />
</authentication>
This configuration forces aspx to ensure that all pages in the site can only be accessed by authorized users.
However, there is a logic problem with this configuration: no one would ever be able to login since they must be authorized to access any page in the site.
You can fix this, however, by opening "holes" in this protected by adding specific pages and indicating they can be authorized by anyone:
<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Now how do i prevent re entry into the site by typing the url of the internal pages in the address bar.
How are you actually tracking the authentication? Forms authentication? Windows authentication? Something custom? Essentially, what you need to do is have those pages check for a valid authentication token. If no such token exists, redirect to the login page or an error or something to that effect.
You can do this by checking for authentication manually in the Page_Init method (which can access Session data, Cookies data, etc. where you'd store such a token), you can use various methods built-in, etc.
The concept is the same as it was in PHP, the tooling is just a little different.
While working with PHP i used session_start() and ob_end_flush() at the beginning and the end of each page.....What is it im supposed to use in c#?
You don't need to explicitly start/end session state in ASP.NET. Any code in the scope of the web application can access session state/values via System.Web.HttpContext.Current.Session. Any request coming from the same session will have this data associated with it.
Also how do i include .cs file from app_code folder to a aspx.cs
While in PHP you had to include files, in ASP.NET it's compiled code so the file isn't so important. What you need to reference is the namespace/class to use the code. For example...
If you have the following in a file in App_Code:
namespace MyApplicationCode
{
public class SomeCode
{
// stuff in the class
}
}
Then from any code within the application you should be able to use it by it's fully-qualified name (MyApplicationCode.SomeCode):
var someVariable = new MyApplicationCode.SomeCode();
Additionally, you can add a using statement in the header of the code file:
using MyApplicationCode;
And then access it directly:
var someVariable = new SomeCode();
When a user is successfully authenticated with his credentials, a cookie is set with a session id that corresponds to a file that stores value on the server. This cookie confirms to the server that the user is authenticated.
Check how your system handles sessions, it can be done without a session cookie, too:
(pseudo-code)
if (User.Login(formUsername, formPassword)) {
SetCookie ("LoggedIn", 1, Time() + 3600);
}
Now, whicever page needs a logged in user to be viewed, you just check if the user has the cookie set:
(pseudo-code)
if (CookieIsSet("LoggedIn")) {
// this page can be viewed
}
else {
Redirect ("/notAuthorized");
}
When you log the user out, you can delete the cookie by setting the expiration date in the past:
(pseudo-code)
SetCookie ("LoggedIn", 1, Time() - 3600);
Now, the user cannot view the internal page as the check (CookieIsSet(...)) will fail. Now, functions, methods and all the details depend on the system, but it always works like this:
if credentials are ok, set a cookie
whenever an internal page is visited, check if cookie is set
when logging out, delete the cookie
Hope this helps.
To check if the user typed in the address bar I would simply check the UrlReferer in page load of protected pages, other aspects should be controlled by web security and state management
if (Request.UrlReferrer == null)
Response.Redirect("errorpage.aspx");