I have set up member folders in C# ASP.NET WebForms before to only allow certain users and to redirect if the user is not authenticated. I am wondering whether this is possible, and how I would implement the authentication based on whether a Session variable is present (filled with a value), or not authenticate if the Session is null.
I was hoping that something like this would be possible, similar to how you can set permissions in web.config for an entire folder.
It can be done with the help of standard ASP.NET features. I will try to suggest one possible solution for it. First you need to set up "web form authentication" (ASP.NET Authentication); you should modify your web.config.
<system.web>
  <authentication mode="Forms">
    <forms name="Custom" loginUrl="/login.aspx" />
  </authentication>
</system.web>
Then you also need to specify the members' locations in the web.config (ASP.NET Authorization).
<location path="folders/memberN">
  <system.web>
    <authorization>
      <allow roles="memberN"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
This will allow all users in group "memberN" to work under "folders/memberN" path.
Next we need to add membership and role providers to your web.config. The membership and role providers are configured based on the SQL Server provider.
<configuration>
  <connectionStrings>
    <add name="SqlServices"
         connectionString="Data Source=MySqlServer;Integrated Security=SSPI;Initial Catalog=aspnetdb;" />
  </connectionStrings>
  <system.web>
    <roleManager defaultProvider="SqlProvider"
                 enabled="true"
                 cacheRolesInCookie="true"
                 cookieName=".ASPROLES"
                 cookieTimeout="30"
                 cookiePath="/">
      <providers>
        <add
          name="SqlProvider"
          type="System.Web.Security.SqlRoleProvider"
          connectionStringName="SqlServices"
          applicationName="SampleApplication" />
      </providers>
    </roleManager>
    <membership
      defaultProvider="SqlProvider"
      userIsOnlineTimeWindow="20">
      <providers>
        <remove name="AspNetSqlProvider" />
        <add name="SqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="SqlServices"
             applicationName="/" />
      </providers>
    </membership>
  </system.web>
</configuration>
Finally we need to create special tables in the database (more details).
%WINDIR%\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe -S <server> -E -d <database> -A all
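How `<allow>`/`<deny>` rules like the ones above are evaluated, as an added example that is not part of the original answer: a simplified Python model of ASP.NET URL authorization's first-match-wins ordering, run over a constructed web.config. The `allow-first`, `deny-first` and `allow-only` paths are made up, and the model ignores the `verbs` attribute and rules inherited from parent folders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one <location> per rule-set shape seen on this page.
# Simplified model: ignores the verbs attribute and parent-folder rules.
SAMPLE = """<configuration>
  <location path="folders/memberN"><system.web><authorization>
    <allow roles="memberN"/><deny users="*"/>
  </authorization></system.web></location>
  <location path="allow-first"><system.web><authorization>
    <allow users="*"/><deny users="?"/>
  </authorization></system.web></location>
  <location path="deny-first"><system.web><authorization>
    <deny users="?"/><allow users="*"/>
  </authorization></system.web></location>
  <location path="allow-only"><system.web><authorization>
    <allow roles="Administrator"/>
  </authorization></system.web></location>
</configuration>"""

def _names(rule, attr):
    return [n.strip().lower() for n in rule.get(attr, "").split(",") if n.strip()]

def matches(rule, user, roles):
    """True if an <allow>/<deny> element applies to this request."""
    users = _names(rule, "users")
    who = "?" if user is None else user.lower()  # "?" means anonymous
    if "*" in users or who in users:
        return True
    return any(r.lower() in _names(rule, "roles") for r in roles)

def is_allowed(rules, user=None, roles=()):
    """First matching rule decides. If nothing matches, the request falls
    through to the default <allow users="*"/> in the root web.config."""
    for rule in rules:
        if matches(rule, user, roles):
            return rule.tag == "allow"
    return True

def audit(xml_text, user=None, roles=()):
    """Map each <location> path to True (allowed) or False (denied)."""
    result = {}
    for loc in ET.fromstring(xml_text).iter("location"):
        auth = next(loc.iter("authorization"), None)
        rules = list(auth) if auth is not None else []
        result[loc.get("path")] = is_allowed(rules, user, roles)
    return result

if __name__ == "__main__":
    print(audit(SAMPLE))  # anonymous request against every location
```

For an anonymous request this reports `allow-first` and `allow-only` as allowed: a `<deny users="?"/>` placed after `<allow users="*"/>` is never reached, and an `<allow roles="..."/>` with no `<deny>` restricts nobody.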
Problem: Visual Studio 2013 and ASP.NET Web Configuration Tool
I wanted to make fast roles etc. I tried to enable it using this article: http://blogs.msdn.com/b/webdev/archive/2013/08/19/asp-net-web-configuration-tool-missing-in-visual-studio-2013.aspx?PageIndex=2#comments .
I can enter the configuration tool, I added 2 roles & users, but then when I want to log in to my website in VS I already have the following mistake:
In addition, even though my web site is held in "C:\Aspnet\WebSite4-20150614_m10z1", I realize that a new app_data folder appeared automatically (the second already) with the base aspnetdb, this time in the following path: "C:\Aspnet". One level up.
What I did already:
x IIS Express
iisexpress.exe /path:c:\windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles /vpath:"/asp.netwebadminfiles" /port:8089 /clr:4.0 /ntlm
information: registration completed
x Developer Command Prompt for VS2013
aspnet_regsql -A all -C "Data Source= WIN-G6HBJHSJ5B3\SQLEXPRESS; Integrated Security=True; User Instance=True" -d "C:\Aspnet\WebSite4-20150614_m10z1\App_Data\AdventureWorksLT2008_Data.mdf"
Attachments:
x web config:
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="AdventureWorksLT2008_DataConnectionString" connectionString="Data Source=(LocalDB)\v11.0;AttachDbFilename=|DataDirectory|\AdventureWorksLT2008_Data.mdf;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <compilation debug="true" targetFramework="4.0">
      <assemblies>
        <add assembly="System.Data.Linq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
      </assemblies>
    </compilation>
    <roleManager enabled="true" defaultProvider="CustomizedRoleProvider">
      <providers>
        <add name="CustomizedRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             applicationName="AdventureWorks"
             connectionStringName="AdventureWorksLT2008_DataConnectionString"/>
      </providers>
    </roleManager>
    <membership defaultProvider="CustomizedMembershipProvider">
      <providers>
        <add name="CustomizedMembershipProvider"
             type="system.Web.Security.SqlmembershipProvider"
             applicationName="AdventureWorks"
             connectionStringName="AdventureWorksLT2008_DataConnectionString"/>
      </providers>
    </membership>
    <authentication mode="Forms">
      <forms loginUrl="Zaloguj.aspx" />
    </authentication>
    <authorization>
      <allow roles="Administrator"/>
    </authorization>
  </system.web>
</configuration>
x administration tool
In the "Web Site Administration Tool" in the Application I have emptiness after the mark "/" . This is how it looks "Application: /"
Suspicious:
connection to ASPNETDB & right configuration of aspnet_regsql
Check the proper name of the procedure that you have implemented in the code-behind; it is not the same, or it can't get the procedure name.
I have successfully set up a test area on my website which is authenticated using forms auth on iis 8. I am using this in integrated mode with asp.net which as I understand should mean that with the correct web.config file I am able to make the server use the asp.net auth on everything not just URLs. If I try and navigate to a page that I haven't entered the credentials for it returns an error 403, which is what I expect. However if I put in the path of a file stored on the site exactly, it downloads the file without the need for credentials to be provided. Here is my current top level web.config:
<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false">
    </compilation>
    <authentication mode="Forms">
      <forms name=".ASPXFORMSAUTH" loginUrl="default.aspx" />
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="staff/test/test">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
  <system.webServer>
    <modules>
      <remove name="FormsAuthenticationModule" />
      <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
      <remove name="RoleManager" />
      <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
  </system.webServer>
</configuration>
The area /staff/test/test has a word document in it. If I type www.website.com/staff/test/test/test.doc into my browser, it downloads the file.
What should I change to secure that file?
Thanks for your replies. In the end it turned out to be the security permissions on the root of the website. The code I originally pasted on here worked fine; I had the server\users group having read permissions, whereas I only needed IIS_IUSRS having read permissions.
Thanks again
I have placed a C# web app on our IIS server, creating an application for it. I then changed the "Authentication" type to Windows authentication for the site and also for the XML tags in my web config file. Now, when I navigate to the site, it asks me for the login username and password, but then does not authenticate, asking over and over for my credentials. In the browser login popup, I am typing
Domain\Username
Password.
How can I see why it will not authenticate, or find out what is wrong. I have done everything in articles I have found, but cannot find the issue. It is as if the server does not authenticate, but yet I can remote desktop to it with the same credentials, so it is on the domain.
Here is my web.config file snippet with the settings:
<system.web>
  <authentication mode="Windows" />
  <identity impersonate="false"/>
  <authorization>
    <allow users="*"/>
    <deny users="?"/>
  </authorization>
enable="true" />
I also added the same configuration to the application host file on the IIS server. The entry is below:
<location path="TaxFormerWebApp">
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true" useKernelMode="true">
          <extendedProtection tokenChecking="None" />
          <providers>
            <clear />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
        <anonymousAuthentication enabled="false" />
      </authentication>
      <requestFiltering>
        <fileExtensions applyToWebDAV="false" />
        <verbs applyToWebDAV="false" />
        <hiddenSegments applyToWebDAV="false" />
      </requestFiltering>
On my local version of my site, you are free to roam with no problem. However when running off of the built version on the web, you are randomly logged out.
It happens whenever I click out of the Internet Window, but it also does it between page loads.
My web config is seen below,
<!--CONNECTION STRING-->
<connectionStrings>
  <add name="RaiseFantasyLeagueConnectionString" connectionString="Data Source=MATT-PC\SQLEXPRESS;Initial Catalog=Raise;Integrated Security=True;MultipleActiveResultSets=True" providerName="System.Data.SqlClient"/>
</connectionStrings>
<system.web>
  <customErrors mode="Off"></customErrors>
  <sessionState timeout="30"></sessionState>
  <!--MEMBERSHIP-->
  <roleManager enabled="true" defaultProvider="SqlRoleManager">
    <providers>
      <add name="SqlRoleManager" type="System.Web.Security.SqlRoleProvider" connectionStringName="RaiseFantasyLeagueConnectionString" applicationName="MyApplication" />
    </providers>
  </roleManager>
  <membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="30">
    <providers>
      <clear/>
      <add name="SqlProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="RaiseFantasyLeagueConnectionString" applicationName="Raise Fantasy League" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" passwordFormat="Hashed" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0"/>
    </providers>
  </membership>
  <!--AUTHENTICATION-->
  <authentication mode="Forms">
    <forms name="RaiseFLAuthentication" loginUrl="home.aspx" cookieless="UseCookies" defaultUrl="/myPredictions.aspx" timeout="240"/>
  </authentication>
  <!--AUTHORIZATION-->
  <authorization>
    <deny users="?"/>
    <allow users="*"/>
  </authorization>
I was told to put into my web config, but this has not solved the problem.
Can anyone tell me what I am missing?
Another issue I am having is that from the home page, if I log in I am not taken to the default URL, just a 404 page. The URL does not even change from the default address.
Can anyone see why that may be happening?
We use Windows Authentication with a session timeout of 20 seconds.
After 20 seconds, the session expires and the user is redirected to the
sessionExpired page. The problem is this: When the user uses IE,
closes the browser and logs in again using Windows Authentication,
a new session is not created for the same user. The old session remains present,
and the user is redirected to the sessionExpired page again.
What am I missing? What could be the problem?
Update:
My Configuration file is as follows
<system.web>
  <roleManager enabled="false"/>
  <authentication mode="Windows" />
  <identity impersonate="true" />
  <authorization>
    <deny users="?" />
    <allow users="*" />
  </authorization>
  <sessionState timeout="20"/>
  <membership defaultProvider="MyADMembershipProvider">
    <providers>
      <add name="MyADMembershipProvider"
           type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
           connectionStringName="ADConnectionString"
           connectionUsername="userName"
           connectionPassword="password"/>
    </providers>
  </membership>
</system.web>