urlRewrite in web.config to protect aspx page - c#

I created a custom login/authentication page.
When the user authenticates and is valid, my site calls
Response.Redirect("destinationpage.aspx");
Because I'm not using Forms Authentication, I need another way to protect "destinationpage.aspx".
Is there a way to use urlRewrite in web.config to redirect users to "customlogin.aspx" to authenticate before being able to reach "destinationpage.aspx"?

Related

How to handle ASP.NET_SessionId Cookie in ASP.NET MVC Application

I have an ASP.NET MVC application which gets logged in after secure ID and password authentication.
After login, when I go to developer tools in the web browser, copy the ASP.NET_SessionId cookie and paste it into another browser without logging in with ID and password, it gets logged in.
Where is this cookie created? And how can I handle this vulnerability?
You are describing "session hijacking".
You should ensure that ASP.NET requires HTTPS, and that cookies are not accessible to client-side script, by adding this to web.config:
<httpCookies httpOnlyCookies="true" requireSSL="true" />
You might also implement something like the SecureSessionModule in this article, which generates some additional measures.
Note the caveats:
https://learn.microsoft.com/en-us/archive/msdn-magazine/2004/august/wicked-code-foiling-session-hijacking-attempts
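As an added illustration of the kind of "additional measures" the answer points to (example code, not the MSDN SecureSessionModule and not from the post): an HttpModule that binds a session to an HMAC of the client's User-Agent and abandons the session when a later request no longer matches. The module name, the configured secret and the login URL are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

// Hypothetical module: ties the session to a client fingerprint so that a copied
// ASP.NET_SessionId presented by a different client is dropped and logged.
public class SessionBindingModule : IHttpModule
{
    private const string FingerprintKey = "__ClientFingerprint";
    // Assumption: in a real deployment the secret comes from configuration; the
    // literal here only keeps the example self-contained.
    private static readonly byte[] Secret = Encoding.UTF8.GetBytes("replace-with-a-configured-secret");

    public void Init(HttpApplication app)
    {
        // Session state is first available from PostAcquireRequestState onwards.
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    public void Dispose() { }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        if (context.Session == null) return; // handler without session state

        string current = Fingerprint(context.Request);
        string stored = context.Session[FingerprintKey] as string;
        if (stored == null)
        {
            context.Session[FingerprintKey] = current; // first request of this session
        }
        else if (!string.Equals(stored, current, StringComparison.Ordinal))
        {
            // Fingerprint changed mid-session: record it for the SOC, then drop the
            // session and force the user to authenticate again.
            System.Diagnostics.Trace.TraceWarning(
                "Session fingerprint mismatch for session {0}", context.Session.SessionID);
            context.Session.Abandon();
            context.Response.Redirect("~/Login.aspx", true);
        }
    }

    // HMAC over the User-Agent so the stored value does not expose the raw header.
    private static string Fingerprint(HttpRequest request)
    {
        string material = request.UserAgent ?? string.Empty;
        using (var hmac = new HMACSHA256(Secret))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(material)));
    }
}
```

Register it under system.webServer/modules in web.config; it complements, rather than replaces, requireSSL and httpOnlyCookies, because a client that can read the cookie can usually reproduce the User-Agent too, while binding to the client IP instead would break users behind NAT or mobile carriers.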

Make login page on root of website

Using ASP.NET, how would you achieve having the login page on the root of the website? So, for example, the login page would be on www.helloworld.com rather than having a separate file for the login, www.helloworld.com/login.aspx.
Does anyone understand what I am trying to do?
Additional information:
Just to give you some examples, look at this website, www.torn.com, then look at this one, www.mobslife.com. Notice how the URL for the login page is just www.torn.com, but on www.mobslife.com it is www.mobslife.com/login.php.
If the site uses Web Forms and IIS has the standard set of default pages defined, then you can use file Default.aspx under the root directory of the web site to implement the login form.

Implement both FormsAuthentication and BasicAuthentication ASP.Net

We currently have a website which has Forms Authentication implemented on it.
One of the clients requested us to implement a single sign-on solution to this website with Basic Authentication, and we want to keep Forms Authentication for the rest of the clients.
So I created a new SSO folder, with an SSO/SSODefault.aspx page, which will be accessed by only one client, and I configured Basic Authentication in IIS (enabled basic auth and disabled anonymous).
How do I configure/code this at the application level so that if a user accesses ~/SSO/SSODefault.aspx I perform Basic Authentication, and if the user accesses ~/Login.aspx or any other page except the above SSO page I do Forms Authentication?
You'll still do FormsAuthentication, but in your SSO page, you'll generate a ticket that the FormsAuthentication method will look at, discover that it is already authenticated, and let that user in. This blog post should get you started in the right direction.

form authentication implement with two web.config or with two loginURL or two DefaultURL

I am working on an ASP.NET web application with C#.
I have done Forms Authentication, which works very well for the application.
Now, I have one more section, an admin folder, where admins have pages to access.
My question is: when a normal user comes to my site he accesses user/login.aspx, where I have done
FormsAuthentication.RedirectFromLoginPage(....)
It is working fine.
Now when the admin section needs to be accessed, the admin will access
admin/login.aspx; I have simply redirected to an inner page in this section and not done Forms Authentication.
I want to implement Forms Authentication if the admin is validated by the system, but that will be another page, to which I need to redirect after login.
My question is, is there any way to make two different loginURLs or DefaultURLs which work for my scenario?
Or any other way (maybe using two web.configs????)
There is not really a need for a separate admin/login.aspx.
You can use the same login page for regular users and admins. Just use roles to separate admins and regular users. And deny access to the admin pages for users that do not have the admin role and you are all set.
Update: use the LoggedIn event of the Login control if you want to redirect them to a different page.
protected void Login1_LoggedIn(object sender, EventArgs e)   // Login1: the Login control
{
    // User.Identity.Name is still empty inside LoggedIn; use the name the control just validated.
    if (Roles.IsUserInRole(Login1.UserName, "Admin"))
    {
        Response.Redirect(....);
    }
}

ASP.Net web flow

I am developing a large ASP.NET based application. Certain pages & links require user authentication. On some pages, I have links and form submissions for which I first need to authenticate the user. Here is an example:
In PageX I have a link L1. When the user clicks it, I check whether the user is authenticated or not. If not, I redirect to the login page. Once the user is authenticated, I redirect him back to PageX. But the problem is, I don't want the user to click L1 again! Instead, I want the L1 action to be executed once the user is authenticated and its results displayed, etc.
I am trying to find a good solution to this problem. Any idea on how to accomplish this?
ASP.NET's Forms Authentication addresses this scenario. You can deny all unauthenticated users to all pages or (more commonly) deny unauthenticated users to a proper subset of pages.
There are several ways of doing it:
1. The built-in way of Forms Authentication: correct me if I remembered wrong, but you should be able to add your own login logic and integrate your login control with the Forms Authentication provider.
2. Assign the L1 URL to a query string or a session if the user is not logged in, and add logic to your login control to redirect the user when login is successful.
Use Forms Authentication.
It's baked into ASP.NET and does exactly what you're talking about.
The user will click on a link. If they're not authenticated, they will be redirected to a login page (one of the parameters to the page will be the destination URL they were trying to reach). After a successful login, the user will be redirected to the page they requested instead of having to click the link again.
You also need to make sure you have your web.config set up to properly allow/deny unauthorized access to your application as described here:
Setting authorization rules for a particular page or folder in Web.config
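An added example tying together this answer and the roles answer under the two-login-URL question above (example code, not from any of the posts): a Login.aspx code-behind that validates credentials, logs failures, honours the ReturnUrl that Forms Authentication appended when it bounced the user to the login page, and otherwise sends admins to their own area. The Membership and Role providers, the control IDs and the ~/admin/Default.aspx path are assumptions.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Hypothetical code-behind for Login.aspx. Assumes web.config has
// <authentication mode="Forms"> with loginUrl="Login.aspx" and the page contains
// TextBoxes UserName and Password, a Label ErrorLabel and a Button wired to LoginButton_Click.
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text;

        if (!Membership.ValidateUser(user, Password.Text))
        {
            // Failed logons are the detection signal for password guessing, so record them.
            // Fully qualified because Page.Trace would otherwise shadow System.Diagnostics.Trace.
            System.Diagnostics.Trace.TraceWarning(
                "Failed logon for '{0}' from {1}", user, Request.UserHostAddress);
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        string returnUrl = Request.QueryString["ReturnUrl"];
        if (IsLocalUrl(returnUrl))
        {
            // Issues the auth cookie and redirects to the page the user originally
            // requested, so the link from the question does not have to be clicked twice.
            FormsAuthentication.RedirectFromLoginPage(user, false);
            return;
        }

        // User came straight to the login page: issue the cookie and pick a landing page by role.
        FormsAuthentication.SetAuthCookie(user, false);
        Response.Redirect(Roles.IsUserInRole(user, "Admin")
            ? "~/admin/Default.aspx"
            : FormsAuthentication.DefaultUrl);
    }

    // Defence in depth against open redirects: only follow a ReturnUrl that stays on this site
    // (app-relative "~/..." or a single leading slash; "//host" and "/\host" are rejected).
    private static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url.StartsWith("~/", StringComparison.Ordinal)) return true;
        return url.StartsWith("/", StringComparison.Ordinal)
            && !url.StartsWith("//", StringComparison.Ordinal)
            && !url.StartsWith("/\\", StringComparison.Ordinal);
    }
}
```

The admin area itself still needs a <location path="admin"> authorization rule in web.config that allows only the Admin role; the redirect above only chooses the landing page.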
