I have a web application, and some users who use Chrome as their preferred browser of choice get the following error when they have logged out of the application and try to log back in.
"This webpage has a redirect loop".
My web application uses forms authentication, and the FormsAuthenticationModule redirects the user back to the Login page of my application, so I cannot use this approach:
<customErrors mode="On" defaultRedirect="~/MyErrorPage.aspx">
  <error statusCode="401" redirect="~/NoAccess.aspx"/>
</customErrors>
Instead, I have added the following to the Page_Load event of my LoginPage.
if (Request.IsAuthenticated && !string.IsNullOrEmpty(Request.QueryString["ReturnUrl"]))
{
    Response.Redirect("~/NoAccess.aspx");
}
However, since I have added this approach, the users seem to get the "Redirect Loop" error.
After clearing the cookies, all seems well, but the problem does occur again.
Is there a permanent fix for this I can add to my code, or is there anything else I can do to prevent this issue from happening?
Try adding this to your web.config file:
<location path="NoAccess.aspx">
  <system.web>
    <authorization>
      <allow users="?"/>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
This will turn off any authorization for this page and should stop your loop.
You can also add this:
<location path="Login.aspx">
  <system.web>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
This will deny access to your login page to all users that are already authenticated.
Combining those two should allow you to add custom errors for all redirections.
You may also consider creating a directory for unauthorized access (e.g. public/) and placing inside all error pages (that do not require being authorized).
Then you can do:
<location path="public">
  <system.web>
    <authorization>
      <allow users="?"/>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
You can read more about location here.
And more about authorization here.
Had a very similar problem and solved it in IIS: In Authentication feature enable Anonymous Authentication and disable everything else. This makes sense, as eventually this is the application that manages authentication logic and not the IIS or ASP.NET. But obviously this solution doesn't support the elegant access to public pages as #Grzegorz suggested.
I also had a redirect loop which resulted in the error message "The request filtering module is configured to deny a request where the query string is too long." for a Visual Studio 2013 Web Site where Authentication was set to Individual User Accounts.
The requested URL was a long version of http://localhost:52266/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl.... so it was obviously continually redirecting to the login page and appending the return URL each time.
No amount of breakpoints in an attempt to find the offending loop seemed to make a difference, as none were triggered.
In the end I did the following:
Find the project properties. Do this by selecting the project (not solution) and see the Properties window (don't right-click then choose Properties, otherwise you won't find it).
Set Anonymous Authentication to Enabled.
Set Windows Authentication to Disabled.
When starting the project the default page should now appear and breakpoints you have added should start working.
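A way to spot this loop in request logs, as an added example that is not part of the post above: each failed hop wraps the previous URL in another percent-encoded ReturnUrl, so the nesting depth counts the redirects. The (client, URL) request tuples, the threshold and the client addresses are constructed assumptions; the login path is the one from the URL quoted above.

```python
from collections import Counter
from urllib.parse import parse_qs, quote, urlsplit

LOGIN_PATH = "/Account/Login"  # login path from the URL quoted in the post


def return_url_depth(url, limit=50):
    """Count how many times ReturnUrl is nested inside itself in a request URL."""
    depth = 0
    current = url
    while depth < limit:
        query = parse_qs(urlsplit(current).query)
        # ASP.NET reads query-string keys case-insensitively.
        nested = next((v[0] for k, v in query.items()
                       if k.lower() == "returnurl"), None)
        if nested is None:
            break
        depth += 1
        current = nested  # parse_qs already removed one layer of encoding
    return depth


def looping_clients(requests, threshold=3):
    """Return {client: deepest nesting} for clients that reach the threshold."""
    worst = Counter()
    for client, url in requests:
        worst[client] = max(worst[client], return_url_depth(url))
    return {c: d for c, d in worst.items() if d >= threshold}


def build_loop_url(hops):
    """Constructed sample: the URL requested after `hops` redirects to login."""
    url = "/"
    for _ in range(hops):
        url = LOGIN_PATH + "?ReturnUrl=" + quote(url, safe="")
    return url


# Constructed sample requests (client, URL); not taken from a real log.
SAMPLE = [
    ("10.0.0.5", build_loop_url(1)),  # normal: one redirect to the login page
    ("10.0.0.9", build_loop_url(2)),
    ("10.0.0.9", build_loop_url(6)),  # login page keeps redirecting to itself
]

if __name__ == "__main__":
    print(looping_clients(SAMPLE))
```

A single level of ReturnUrl is the normal forms-authentication redirect, which is why the threshold sits above 1.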
It's an old post and I faced this issue while doing custom authentication and validation.
The issue got resolved by adding this line of code in web.config:
<system.web>
  <authentication mode="Forms">
    <forms name=".ASPXFORMSAUTH" path="/" timeout="240" cookieless="UseCookies"></forms>
  </authentication>
  <authorization>
    <allow users="*"/>
  </authorization>
  <compilation debug="true" targetFramework="4.6" />
  <httpRuntime targetFramework="4.6" />
  <httpModules>
    <add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" />
  </httpModules>
</system.web>
Hope it helps.
I am using ASP.net and having problems redirecting to the original requested URL after login. The URL is showing clearly in the address bar but when signing in it takes me to Default.aspx every time:
http://development-4/login.aspx?ReturnUrl=%2fControls%2fFinancial%2fAddressBook.aspx
The .NET framework already handles automatically redirecting using the 'ReturnUrl' value. Unless you're taking the user somewhere other than they attempted to go, use the following to redirect them to their requested page.
Replace 'userName' with the username they provided while logging in. 'isPersistant' refers to whether the cookie should persist browser sessions or be deleted when their window is closed.
FormsAuthentication.RedirectFromLoginPage("userName", isPersistant);
If you have chosen to take the user somewhere else, your code should look similar to this.
FormsAuthentication.SetAuthCookie("userName", isPersistant);
Response.Redirect("~/SomePage.aspx");
Because you didn't provide very much background information, I'll add the following config. You should have something similar.
<system.web>
  <authentication mode="Forms">
    <forms name="loginCookieName" loginUrl="~/login.aspx" protection="All" timeout="60" path="/" />
  </authentication>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
<location path="login.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
Whenever I add a domain tag to the web.config Forms section it makes my menus disappear from my application.
<authentication mode="Forms">
  <forms name="appname" loginUrl="login.aspx" domain="localhost" />
</authentication>
Has anyone experienced this before?
This prevents all requests under this application from passing unless you authenticate. For aspx pages this is fine and dandy, but for the webresource requests that AJAX controls need this is a problem, because IIS does not return the scripts/stylesheets, but the error page.
So, add a location element to provide access to the needed handlers:
<configuration>
  ...
  <location path="Telerik.Web.UI.WebResource.axd">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  ...
</configuration>
Or, turn on the CDN so webresources are used as rarely as possible:
http://www.telerik.bg/help/aspnet-ajax/scriptmanager-cdn-support.html and http://www.telerik.bg/help/aspnet-ajax/stylesheetmanager-cdn-support.html. The MS AJAX scripts, however, will still be taken from webresource, I think. Take a look at the requests in the browser and let the needed ones pass.
I use Forms Authentication on my project and need to implement the feature for password recovery. Problem is, every time I try to access another controller method I get redirected to the login page. I tried to use
<location path="~/Account/RecoverPassword">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
on the web.config, but didn't work. How can I achieve this?
* means any existing user.
You want users="?", which means anonymous users.
I have the following code:
My goal is that only when the user tries to go to the Register.aspx page they need to be authenticated with the Admin.aspx page.
I get the following message;
It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
Am I doing something wrong?
<location path="Report.aspx">
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Admin.aspx" >
        <credentials passwordFormat="Clear">
          <user name="John" password="pass#432"/>
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</location>
Your application is probably sitting in a folder under your website as part of that website and not an application in its own right.
For IIS 6.1: Go into IIS, right click your application's root folder and select Convert to Application.
Give this a go and see if it helps.
If that doesn't work...
Check you are putting your authentication config in the root web.config file and not in one in a folder lower down (for example the one sitting in the MVC views folders if using MVC).
Although not related to your problem, as someone else said you have a deny all. To deny unauthenticated users access to the page use the question mark instead of asterisk.
<location path="foo.aspx">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
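How the authorization rules quoted in these posts resolve, as an added example that is not part of any post on this page: a simplified model of ASP.NET URL authorization, where rules are read in order, the first match decides, `?` matches only anonymous requests and `*` matches every identity. The tuple and dict representations and the two sample identities are assumptions, as is applying the root rule `<deny users="?"/>` to every case.

```python
# Simplified model of ASP.NET URL authorization (verbs and domain-qualified
# names are left out). Rules are (action, attribute, value) tuples.
ANONYMOUS = {"name": None, "roles": set()}


def rule_matches(attr, value, user):
    for item in (v.strip() for v in value.split(",")):
        if attr == "roles":
            if item in user["roles"]:
                return True
        elif item == "*":            # every identity, anonymous included
            return True
        elif item == "?":            # only unauthenticated requests
            if user["name"] is None:
                return True
        elif user["name"] and item.lower() == user["name"].lower():
            return True
    return False


def is_allowed(location_rules, root_rules, user):
    # <location> rules are checked before the root rules; first match decides.
    # With no match, the machine-level default <allow users="*"/> applies.
    for action, attr, value in list(location_rules) + list(root_rules):
        if rule_matches(attr, value, user):
            return action == "allow"
    return True


# Rule sets copied from the configs quoted in the posts on this page.
ROOT_DENY_ANON = [("deny", "users", "?")]
LOGIN_PAGE = [("allow", "users", "*")]
ADMIN_FOLDER = [("allow", "roles", "Administrators"), ("deny", "users", "*")]
REPORT_PAGE = [("deny", "users", "*")]
FOO_PAGE = [("deny", "users", "?")]

# Constructed identities for the demonstration.
ALICE = {"name": "alice", "roles": set()}
ADMIN = {"name": "bob", "roles": {"Administrators"}}


def access_matrix():
    cases = {"login": LOGIN_PAGE, "admin": ADMIN_FOLDER,
             "report": REPORT_PAGE, "foo": FOO_PAGE, "other": []}
    users = {"anonymous": ANONYMOUS, "alice": ALICE, "admin": ADMIN}
    return {(page, who): is_allowed(rules, ROOT_DENY_ANON, user)
            for page, rules in cases.items() for who, user in users.items()}
```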
I am in a very tricky situation.
I have a page that is a part of my project and I want to access it without logging in or doing anything.
Explanation:
I have a test project which has a login page, default page, Admin folder, Guest folder, and a showmessage page.
The Admin folder has pages that are accessible to only admins.
The Guest folder has pages that are accessible to all users.
Now whenever I type in http://localhost/Default.aspx or any other page it first takes me to the login page and only after I enter the login credentials I go to the default page and from there to the other pages.
This system works fine for me and I don't wish to change it,
but there is this page similar to default called showmessage.aspx page.
What I want is when I type http://localhost/showmessage.aspx it should ignore all the login pages and take me directly to this page. Is there a way to do that?
I have this in my web.config:
<authentication mode="Forms">
  <forms loginUrl="Login.aspx" defaultUrl="~/Default.aspx" name="GUI" slidingExpiration="true" timeout="30" path="/">
  </forms>
</authentication>
<location path="Admin" allowOverride="true">
  <system.web>
    <authorization>
      <allow roles="Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
Please can someone help me.
I appreciate all the help I can get. Thanks.
You should be able to specify the path directly to the page and allow everyone.
<location path="ShowMessage.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>