Setting web.config file to check if a cookie is set - c#

I'd like to set my web.config file to redirect to login.cshtml if a cookie is not set. How can I do this? What I have at the moment is also exhibiting some behaviour I don't understand. I have:
<?xml version="1.0" encoding="utf-8" ?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.cshtml" name=".ASPXFORMSAUTH">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
What is happening is the user is being redirected to
"Account/Login ReturnUrl=%2fdefault.cshtml"
So the default.cshtml is being rendered, with a weird login page placed centrally within it? It's probably to do with the structure of my program, but I don't really understand what is being called that could render this weird HTML?

The loginUrl should be the path that would take you to the Login view, as if you were trying to navigate to it via a web browser. Which, if I had to guess, would be something like mywebsite.com/Account/Login. So the corresponding code in web.config would be
<forms loginUrl="~/Account/Login" name=".ASPXFORMSAUTH">
</forms>
This would be based on default routes and so forth. If your site has modified routes and/or view engine overrides in place, you may experience different behavior.

I think the issue here is that you are referencing "Login.cshtml" in the loginURL, which is a view. In MVC you don't route a user to a view (that is selected in the controller). You have to point the user to the path/Controller/Action. As mentioned in the other post here, that is usually "~/Account/Login" if you use the standard project template (the tilde indicating the application root).

Related

how to deny the users to access the particular url's. asp.net c#

I'm trying to deny access for anyone that uses a specific URL.
For example:
The user can access: testing.com
but the user should not have access to: testing.com/files (even if the user pastes this link in the URL)
I tried using a Web.config and a Global.asax file, but I'm unable to do it.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<location path="http://mypath.com/files">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
I created both the Web.config and the Global.asax by hand because when I created the project they were not included. If there is some way to do this without using them it would be better. But I don't know which would be the best way.
Can you give me a tip for where it goes the answer?
Drop a web.config into the files folder. While you can try and mess around with a main web.config, I would keep things simple, and to secure folder by folder, just add a web.config to each folder. It's just oh so much less complex.
So, for that folder, then you can now have:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Portal" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
So, now you don't have to worry about messing up the URL - it's simply the folder you drop the web.config file in.
Now, do keep in mind that if you secure the folder this way, then users' URLs to files in that folder can't be used.
HOWEVER code behind can!!! So, keep in mind that IIS security ONLY applies to your markup, URLs and hyperlinks.
But code behind is still 100% free to use that path name. And in fact, your code behind for use of such files will NOT be using URLs, but plain Jane full Windows file path names anyway.
So, you can still, say, provide a grid view or some such to list out the files in that folder, and when the user clicks on a button (say to download such a file), then you can read the file, and stream (send) it out to the browser for a download.
But any URL to the above file folders will not work.
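How ASP.NET URL authorization reads the rule lists shown in the posts above: rules are checked top to bottom and the first match decides, with `?` meaning anonymous users and `*` meaning everyone. The Python sketch below is an added example, not code from any of the posts; it ignores the `verbs` attribute and inheritance from parent config files, compares names exactly, and the user name `alice` is hypothetical.

```python
import xml.etree.ElementTree as ET

def _names(rule, attr):
    return [n.strip() for n in rule.get(attr, "").split(",") if n.strip()]

def _applies(rule, user, roles):
    """True when an <allow>/<deny> rule covers this principal (user=None is anonymous)."""
    for name in _names(rule, "users"):
        if name == "*" or (name == "?" and user is None) or name == user:
            return True
    return any(role in roles for role in _names(rule, "roles"))

def decide(authorization_xml, user=None, roles=()):
    """Walk the rules top to bottom and return the action of the first match."""
    for rule in ET.fromstring(authorization_xml):
        if rule.tag in ("allow", "deny") and _applies(rule, user, roles):
            return rule.tag
    return "allow"  # no rule matched: the machine-level default is <allow users="*"/>

# Rule sets copied from the configs on this page.
DENY_ANONYMOUS = '<authorization><deny users="?" /></authorization>'
DENY_EVERYONE = '<authorization><deny users="*" /></authorization>'
PORTAL_ONLY = '<authorization><allow roles="Portal" /><deny users="*" /></authorization>'
# Constructed variant: the same two rules in the opposite order.
PORTAL_REVERSED = '<authorization><deny users="*" /><allow roles="Portal" /></authorization>'

if __name__ == "__main__":
    principals = [
        ("anonymous", None, ()),
        ("alice, no roles", "alice", ()),
        ("alice, Portal role", "alice", ("Portal",)),
    ]
    rule_sets = {
        "deny ?": DENY_ANONYMOUS,
        "deny *": DENY_EVERYONE,
        "allow Portal, deny *": PORTAL_ONLY,
        "deny *, allow Portal": PORTAL_REVERSED,
    }
    for title, xml_text in rule_sets.items():
        for label, user, roles in principals:
            print(f"{title:22} {label:20} -> {decide(xml_text, user, roles)}")
```

Putting `<deny users="*" />` first shuts out the Portal role as well, because evaluation stops at the first matching rule.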

Issue with Telerik RadMenu and web.config Authentication

Whenever I add a domain tag to the web.config Forms section it makes my menus disappear from my application.
<authentication mode="Forms">
<forms name="appname" loginUrl="login.aspx" domain="localhost" />
</authentication>
Has anyone experienced this before?
This prevents all requests under this application from passing unless you authenticate. For aspx pages this is fine and dandy, but for the webresource requests that AJAX controls need, this is a problem, because IIS does not return the scripts/stylesheets, but the error page.
So, add a location element to provide access to the needed handlers:
<configuration>
...
<location path="Telerik.Web.UI.WebResource.axd">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
...
</configuration>
Or, turn on the CDN so webresources are used as rarely as possible:
http://www.telerik.bg/help/aspnet-ajax/scriptmanager-cdn-support.html and http://www.telerik.bg/help/aspnet-ajax/stylesheetmanager-cdn-support.html. The MS AJAX scripts, however, will still be taken from webresource, I think. Take a look at the requests in the browser and let the needed ones pass.

Redirect to my login page instead of the default on c# asp.net

I am using visual web developer and I am creating my first site.
I set access rules for some pages; however, when I preview the site and click on those pages, instead of redirecting me to the Login page I created, it redirects me to the default master page one.
How can I change this setting?
Please modify the below section in your web.config file:
<!-- Web.config file -->
<system.web>
<authentication mode="Forms">
<forms name="401kApp" loginUrl="/login.aspx" />
</authentication>
</system.web>
<authentication mode="Forms">
<forms loginUrl="~/mycustom/loginpage" defaultUrl="~/Pages/Home.aspx" timeout="2880" />
</authentication>
Modify the web.config for your desired login URL.
You can also specify default url and timeout value.

Web.Config getting authentication error

I have the following code:
My goal is that only when the user tries to go to the Register.aspx page they need to be authenticated with the Admin.aspx page.
I get the following message;
It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
Am I doing something wrong?
<location path="Report.aspx">
<system.web>
<authentication mode="Forms">
<forms loginUrl="Admin.aspx" >
<credentials passwordFormat="Clear">
<user name="John" password="pass#432"/>
</credentials>
</forms>
</authentication>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
Your application is probably sitting in a folder under your website as part of that website and not an application in its own right.
For IIS 6.1: Go into IIS, right click your application's root folder and select Convert to Application.
Give this a go and see if it helps.
If that doesn't work...
Check you are putting your authentication config in the root web.config file and not in one in a folder lower down (for example, the one sitting in the MVC views folders if using MVC).
Although not related to your problem, as someone else said, you have a deny all. To deny unauthenticated users access to the page, use the question mark instead of the asterisk.
<location path="foo.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
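A small Python check for mistakes that appear in the questions on this page: an absolute URL in a `location` path, `<authentication>` declared under a per-path `location`, and `passwordFormat="Clear"` credentials; it also flags a `location` that is not a direct child of `<configuration>`. This is an added example, not code from any of the posts; `lint_web_config` and the sample document are constructed for illustration, and the password is replaced with a placeholder.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # ignore an xmlns on <configuration>

def lint_web_config(xml_text):
    """Return findings for the web.config mistakes discussed on this page."""
    root = ET.fromstring(xml_text)
    findings = []
    for parent in root.iter():
        for loc in parent:
            if _local(loc.tag) != "location":
                continue
            path = loc.get("path", "")
            if _local(parent.tag) != "configuration":
                findings.append(f"location {path!r}: must be a direct child of <configuration>")
            if "://" in path or path.startswith("/"):
                findings.append(f"location {path!r}: path must be a relative virtual path")
            if path and any(_local(e.tag) == "authentication" for e in loc.iter()):
                findings.append(f"location {path!r}: <authentication> is application-level only")
    for cred in root.iter():
        if _local(cred.tag) == "credentials" and cred.get("passwordFormat", "").lower() == "clear":
            findings.append('credentials: passwordFormat="Clear" keeps passwords readable in the file')
    return findings

# Constructed sample combining the location blocks from two questions on this page
# (password replaced with a placeholder).
SAMPLE = """<configuration>
  <location path="http://mypath.com/files">
    <system.web><authorization><deny users="*"/></authorization></system.web>
  </location>
  <location path="Report.aspx">
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="Admin.aspx">
          <credentials passwordFormat="Clear">
            <user name="John" password="PLACEHOLDER"/>
          </credentials>
        </forms>
      </authentication>
      <authorization><deny users="*"/></authorization>
    </system.web>
  </location>
</configuration>"""

if __name__ == "__main__":
    for finding in lint_web_config(SAMPLE):
        print(finding)
```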

same Asp.net Forms Authentication for HTTP Handlers

I have a website made in ASP.NET 4.0 running in an Azure web role.
I am using simple forms authentication and allow unauthenticated GET requests to various pages, scripts and styles.
The problem is I have implemented a custom handler for the extension ".kl" which actually is serving images based on the code with this extension. So suppose the output for 1.kl and 2.kl would be different.
I need to allow unauthenticated requests to this handler.
How should I do it?
This is the tag in my web.config:
<authentication mode="Forms">
<forms loginUrl="~/UserPages/UserLogin.aspx" timeout="2880" name=".ASPXF2KAUTH" protection="All" path="/" defaultUrl="~/CodeGeneratorPages/SC_WC_CodeGen.aspx">
</forms>
</authentication>
It is purely an ASP.NET question, and the solution is one and the same for Azure and on-premises deployment.
You need to decide a single "folder" for where your handler will serve. For example it could be "/dynamic-images" or whatever. And make sure that all references/links you are generating are pointing at this folder ("~/dynamic-images/1.kl").
And now you need to add a location element in your configuration. Note that location is an immediate child of configuration (do not put it inside system.web):
<location path="dynamic-images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
There is no other way (that I know) to achieve your goal.
Also, one more solution to this question that I figured out by myself is to allow unauthenticated access by default to the root directory of the website, then deny access to all the folders and child paths. That way any handler would be allowed to be accessed by any anonymous user, whereas all the child paths won't be allowed.
