I am trying to implement forms authentication in my application, but I am getting the "Invalid Authentication Headers" error when browsing the locally IIS-hosted application. Below is the screenshot of what I see in the browser window.
Here is the code snippet from web.config added for Forms Auth:
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms loginUrl="login.aspx" protection="None" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
In your <authorization> tag, you have used <deny users="?" />. This is going to deny access to the anonymous user.
I am trying to deny access to my admin folder, which is off root, but it is saying that it's an invalid element. Yet I am using it within my web.config; I don't want to post it in its entirety.
What I need is the ability to force login to the backdoor folder, and anything that is in root should allow anonymous access.
<authentication mode="Forms">
<forms loginUrl="~/BackDoor/Login.aspx">
</forms>
<location path="~/BackDoor/">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</authentication>
The location element must be defined outside of system.web:
<configuration>
<system.web>
<authentication mode="Forms">
<!-- loginUrl should be a page that anonymous users can access -->
<forms loginUrl="~/BackDoorLogin.aspx">
</forms>
</authentication>
</system.web>
<location path="~/BackDoor/">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
I'm using C# and ASP.NET.
I have this file structure on my website:
~\Admin\SecuredFolder\ManageWebsite.aspx
~\Admin\Login.aspx
~\Homepage.aspx
What I'm trying to achieve is pretty simple, but I guess all my attempts till now turned out too complex and I'm kind of confused.
My goals:
Homepage.aspx and Login.aspx should be public for all (anonymous users)
SecuredFolder should be for logged-in users ONLY (i.e. admin users). Whoever attempts to access any page in this folder (without being logged in) should be redirected to the login page.
Once login succeeds it will successfully redirect to ManageWebsite.aspx
I know this is supposed to be a simple implementation, but I feel like I have not internalized it properly yet.
Hope any of you could provide me an example.
Put this web.config in the secured folder ~\Admin\SecuredFolder\
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="admin" />
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Put this in the web.config of the root folder ~\
<authentication mode="Forms">
<forms loginUrl="~/Admin/Login.aspx" timeout="2880" />
</authentication>
<location>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
To your root web.config add these to make Homepage and Login aspx pages public
<location path="Homepage.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Inside the Secure folder add a web.config file and to that add these to allow all contents inside SecuredFolder to be accessible only to Admin roles
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
After successful authentication, in Login.aspx, check the user's role; if the role is that of Admin, redirect him to the ManageWebsite.aspx page.
Place a web.config in your SecuredFolder and add
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="admin" />
<deny users ="*" />
</authorization>
</system.web>
</configuration>
Now it will only allow the logged-in (admin) user to access its contents.
You can also add <authentication> to your root web.config to automatically redirect an unauthorized user to the login page.
<authentication mode="Forms">
<forms loginUrl="~\Admin\Login.aspx" timeout="20" slidingExpiration="true" cookieless="AutoDetect" protection="All" requireSSL="false" enableCrossAppRedirects="false" defaultUrl="Homepage.aspx" path="/"/>
</authentication>
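Added example (not from any of the posts above): a small Python model of how ASP.NET URL authorization resolves the SecuredFolder rule sets in these answers, where the first matching rule wins and local rules are checked before inherited ones. The user names bob and alice, the helper names and the inherited allow-everyone default are assumptions of the example; it shows that `<deny users="?"/>` after the role rule still admits any logged-in user, while `<deny users="*"/>` does not.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: the two SecuredFolder rule sets posted in the answers.
DENY_ANONYMOUS_ONLY = '<authorization><allow roles="admin"/><deny users="?"/></authorization>'
DENY_EVERYONE_ELSE = '<authorization><allow roles="admin"/><deny users="*"/></authorization>'
# Assumption: the parent configuration ends in the machine-level default, allow everyone.
INHERITED = '<authorization><allow users="*"/></authorization>'


def _split(value):
    return [item.strip() for item in (value or "").split(",") if item.strip()]


def rule_matches(rule, user, roles):
    """user is None for an anonymous request; roles is a set of role names."""
    for name in _split(rule.get("users")):
        if name == "*" or (name == "?" and user is None) or (user is not None and name == user):
            return True
    # Simplification: role and user names are compared as exact strings.
    return any(role in roles for role in _split(rule.get("roles")))


def is_allowed(local_xml, user, roles=frozenset(), inherited_xml=INHERITED):
    """First matching rule wins: local rules first, then the inherited ones."""
    for xml_text in (local_xml, inherited_xml):
        for rule in ET.fromstring(xml_text):
            if rule.tag in ("allow", "deny") and rule_matches(rule, user, roles):
                return rule.tag == "allow"
    return False  # nothing matched in this model: fail closed


def access_matrix(local_xml):
    """Outcome for an anonymous visitor, a logged-in non-admin and an admin."""
    return {
        "anonymous": is_allowed(local_xml, None),
        "logged-in, no role": is_allowed(local_xml, "bob"),
        "admin": is_allowed(local_xml, "alice", {"admin"}),
    }


if __name__ == "__main__":
    for label, rules in (("deny ?", DENY_ANONYMOUS_ONLY), ("deny *", DENY_EVERYONE_ELSE)):
        print(label, access_matrix(rules))
```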
I have a website built on a simple authentication model. It runs fine locally and on local IIS, but on the test server it is not redirecting to the default page after typing in the correct credentials.
The code goes as follows.
Web.config
<system.web>
<compilation targetFramework="4.0" />
<httpRuntime maxRequestLength="50000" />
<customErrors mode="On" defaultRedirect="exc/exc.aspx?e=1">
<error statusCode="404" redirect="exc/404.aspx?e=404"/>
</customErrors>
<authentication mode="Forms">
<forms loginUrl="admin/login.aspx" defaultUrl="admin/main.aspx" />
</authentication>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="admin">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="admin/css/cms.css">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="admin/css/styles.css">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="admin/images">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="exc/exc.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
login.aspx
The form action property is blank and AutoEventWireup is true.
login.aspx.cs
protected void btnAuth_Click1(object sender, EventArgs e)
{
//Some code not shown...
//User Validation
ValidateUserResponse response = new ValidateUserResponse();
response = service.ValidateUser(request);
if (response.State == true)
FormsAuthentication.RedirectFromLoginPage(request.Alias, false);
}
SignOut
protected void Page_Load(object sender, EventArgs e)
{
FormsAuthentication.SignOut();
Response.Redirect(FormsAuthentication.LoginUrl);
}
On the test server the URL looks something like this:
http://192.168.1.58/TestSite/admin/login.aspx
On VS2010 it works well, as well as on my local IIS once published, but I don't understand why it isn't redirecting to the default page after the login when published on the TestServer. It shows that the website requires login and a 403 Forbidden error.
Locally I have tested it with both URL forms and it works (the virtual folder name is different):
http://192.168.1.58/TestSite1/admin/login.aspx
http://localhost/TestSite1/admin/login.aspx
I'd appreciate any suggestions on the matter to make it work.
Thank you.
----------Update-----------
I solved the problem this way:
Right Click on the Virtual Directory containing the WebApp
Go to the Directory Security Tab
Click on Modify
Unchecked Integrated Windows Authentication
Anonymous Access has to be checked as well
This made the WebForms Authentication settings on Web.Config to start having effect on the WebApp.
Thank you.
Make sure forms authentication is enabled in IIS on the web server.
I have an asp.net application with a web.config file in the root and uses Windows authentication by default.
I have an Admin folder that should have Forms authentication. For this, I have added a new web.config file in the Admin folder as below:
<?xml version="1.0"?>
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="~/Admin/Login.aspx" name=".ASPXFORMSAUTH" >
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Now when I run a page inside the Admin folder, it gives me the below error:
Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
How do I configure Forms Authentication for the pages inside the Admin folder only, leaving other pages on Windows authentication, which is the default?
Thanks
I think you will need to do something like this:
In your Admin folder web.config
<configuration>
<location path="Register.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
In your root web.config
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
</system.web>
Anyway, this might help you: Control Authorization Permissions in an ASP.NET Application
I have an ASP.NET Website. I want to restrict the Admin Folder to only users who are of 'Admin Role' in this SQL Server Table: tbl_Users_Admin (having columns UID, PWD, Name, Role, Status). The rest of all the root pages I want to be publicly accessible by any user.
I will not be using ASP.NET Membership.
Admin User is just given the URL (https://www.Website.com/Admin/Login.aspx).
I have two Login.aspx pages in the root as well as in the Admin Folder.
I tried to resolve it through the Forms Authentication, but I am unable to resolve it.
A few forums suggested creating two different Web.Config files (one for the root folder of the website and another for the Admin Folder), but it seems to be an inefficient way to me.
But I have not been successful to resolve it otherwise.
Although I have tried to do this using the as follows in the web.config file at root:
<location path="Admin">
<system.web>
<authentication mode="Forms">
<forms loginUrl="/Admin/Login.aspx" name=".ASPXFORMSAUTH" defaultUrl="/Admin/Login.aspx" >
</forms>
</authentication>
<authorization>
<allow roles="administrators" />
<allow users="admin" />
<deny users="?" />
</authorization>
<sessionState mode="InProc" cookieless="false" timeout="20">
</sessionState>
<customErrors defaultRedirect="~/Admin/ErrorPages/Error.aspx" mode="On">
<error statusCode="404" redirect="~/Admin/ErrorPages/Error.aspx" />
</customErrors>
<compilation debug="true">
<codeSubDirectories>
<add directoryName="CSharp"/>
<add directoryName="VB"/>
</codeSubDirectories>
</compilation>
</system.web>
</location>
And for the rest of the root pages (Public Pages):
<system.web>
For rest of the root pages (Public Pages)
</system.web>
You don't need to add the Admin folder in the web.config.
Just add the following in the web.config under the configuration section.
<location path="Admin">
<system.web>
<authorization>
<deny users="?"/>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>