I have 2 pages: Login.aspx and Satis.aspx. I redirect from Login.aspx to Satis.aspx if authentication is correct. If I sign out from Satis, I am redirected to Login.aspx. But if I write Satis.aspx's URL in the web scanner, I enter Satis.aspx. But I am not signed in to Satis.aspx. I shouldn't be able to enter Satis.aspx directly.
My web.config:
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH" path="/" protection="All">
<credentials>
<user name="a" password="a"></user>
</credentials>
</forms>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
<location path="~/ContentPages/Satis/Satis.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Login.aspx.cs:
protected void lnkSubmit_Click(object sender, EventArgs e)
{
if(FormsAuthentication.Authenticate(UserEmail.Value,UserPass.Value))
{
FormsAuthentication.RedirectFromLoginPage
(UserEmail.Value, PersistForms.Checked);
}
else
Msg.Text = "Invalid Credentials: Please try again";
}
Satis.aspx:
protected void LogoutSystem_Click(object sender, EventArgs e)
{
FormsAuthentication.SignOut();
Response.Redirect("~/Login/Login.aspx");
}
I think you should use deny users="?" instead of allow users="*" in your web.config file.
[*] means all users, even those who did not pass authentication
[?] means only users who passed authentication
I have an MVC 4 application which is open to all users, no login needed. There is one controller only which I need to apply Windows Authentication to via a Web.Config, like this:
<authentication mode="Windows" />
<authorization>
<allow users="domain\jsmith" />
<deny users="*" />
</authorization>
The controller would be MySite.Com/MyApp/MyAdminReportController
If this is possible, how?
I think you just need Windows auth and to specify the paths that need authorization. If you don't need Forms auth as well, it looks like this:
<configuration>
...
<system.web>
......
<authentication mode="Windows">
</authentication>
</system.web>
<location path="MyAdminReport">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
This is the web.config approach; the other option is adding the [Authorize] attribute to your controllers (not even the whole controller: you can add this attribute for only specific actions too).
[Authorize]
public class MyAdminReportController : Controller
{
//[Authorize]
public ActionResult PrivatePage()
{
return View();
}
}
I have a login page in an MVC project and I created this authorization config:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" defaultUrl="~/Home/Index"/>
</authentication>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
How can I access the register page?
Depending on what version of MVC you're using, the common practice I see now in MVC3/4 is, instead of restricting access to specific actions, to restrict access to all actions by adding Authorize() as a global filter and then grant access to a few select actions using the AllowAnonymous() attribute to act as a white-list of actions that do not need to be protected (like Login, Register, etc.).
global.asax
protected void Application_Start()
{
filters.Add(new AuthorizeAttribute());
}
AccountsController.cs
[AllowAnonymous]
public ActionResult Login()
{
//Perform login...
return View();
}
Then your web.config just has this:
<authorization>
<allow users="*" />
</authorization>
By default you should go to the Register() action method of the Account controller:
// GET: /Account/Register
According to your web.config: try adding this to web.config before the <system.web> tag.
<location allowOverride="true" path="Account/Register">
<system.web>
<authorization>
<allow users="?" />
<deny users="*" />
</authorization>
</system.web>
</location>
A +1 to Nick Albrecht, but I found ambiguity with "filters" so I had to dig further.
Actually, it appears that
filters.Add(new AuthorizeAttribute());
this code belongs in App_Start:
public class FilterConfig
{
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new HandleErrorAttribute());
filters.Add(new AuthorizeTokens.AuthorizeWithMessage());
}
}
and FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters) is called in Application_Start.
So I have a login page where I set my own cookie and FormsAuthenticationTicket. However, when I finally choose to redirect the user to the new homepage after logging in, it refuses. It just redirects right back to the login page for no reason. I don't understand why.
My web.config with part of the machineKey removed:
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx" cookieless="UseCookies" name=".ASPXFORMSAUTH" timeout="50" />
</authentication>
<authorization>
<allow users="*" />
</authorization>
<machineKey decryption="AES" validation="SHA1" ........ />
My Login click event after entering username/pass and authenticating it as true:
if (Authenticated)
{
//Create Form Authentication ticket
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), false, userName, FormsAuthentication.FormsCookiePath);
string encryptedCookie = FormsAuthentication.Encrypt(ticket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedCookie);
Response.Cookies.Add(cookie);
Response.Redirect("MainPage.aspx", true);
}
MasterPage checks to make sure only certain pages can be accessed:
else if (Context.User.Identity.IsAuthenticated)
{
if (Session["uid"] == null)
{
userclass u = new userclass();
int uid = -1;
uid = (int)u.Getuseridbyusername(Context.User.Identity.Name);
if (uid != -1)
{
Session["uid"] = uid;
}
}
} else if (!Context.User.Identity.IsAuthenticated)
{
// First check if user is was redirected to ChangePassword
if (!Request.Path.Contains("ForgotPass.aspx") && !Request.Path.Contains("ChangePass.aspx") && !Request.Path.Contains("CreateAccount.aspx") && !Request.Path.Contains("Error.aspx") && !Request.Path.Contains("Logout"))
{
if (!Request.Path.Contains("Login"))
FormsAuthentication.RedirectToLoginPage();
}
}
Commenting out RedirectToLoginPage() has no effect. Trying to use RedirectFromLoginPage has no effect. Trying to use <allow users="?" /> has no effect. Trying to use <deny users="?" /> in conjunction has no effect.
EDIT: Cookie is set according to browser traffic. But no redirect is coming through. Apparently, either you cannot redirect after setting a cookie or ASP.NET doesn't know how to read instructions.
Solved. Apparently, I did have a Redirect somewhere that was taking the user back to the login page even though the cookie is set and Context.User.Identity.IsAuthenticated was returning true because the session variable "uid" was being set.
Use this in the config file:
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
I am using the code below to access a page based upon user authentication:
if (user.FirstOrDefault() == HashedPassword)
{
string roles = "Member";
// Create the authentication ticket
FormsAuthenticationTicket authTicket = new
FormsAuthenticationTicket(1, // version
loginName.Text, // user name
DateTime.Now, // creation
DateTime.Now.AddMinutes(60),// Expiration
false, // Persistent
roles); // User data
// Now encrypt the ticket.
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket to the
// cookie as data.
HttpCookie authCookie =
new HttpCookie(FormsAuthentication.FormsCookieName,
encryptedTicket);
// Add the cookie to the outgoing cookies collection.
Response.Cookies.Add(authCookie);
Response.Redirect("/Members/ClientAccount.aspx");
}
else
{
Response.Redirect("signin.aspx");
}
}
The user is getting directed to ClientAccount.aspx if the login details are correct, but I want that to happen only if his/her role is set as Admin, as shown in the web.config file below.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="members.aspx">
<system.web>
<authorization>
<allow roles="Member" />
<allow roles="Admin" />
<deny users="?" />
</authorization>
</system.web>
</location>
<location path="ClientAccount.aspx">
<system.web>
<authorization>
<allow roles="Admin" />
<deny roles="Member"/>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
How do I make this happen ?
I guess the web.config file is not looking at the cookie to do the authorization so I am doing something wrong there.
Double check your location path relative to the web.config; my guess is that is the problem.
<location path="/Members/ClientAccount.aspx">
...
</location>
Of course you'll need to do something else instead of this line; you were just doing this for testing, I'd assume?
Response.Redirect("/Members/ClientAccount.aspx");
i.e. redirect them to a page you know they're not allowed to hit. I figure you're going to beef that part up once you're sure it's not allowing members to access that page.
You should make sure your web.config has the following tag:
<authentication mode="Forms" />
You need to configure it right, there are lots of options:
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
protection="All"
timeout="30"
name=".ASPXAUTH"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseDeviceProfile"
enableCrossAppRedirects="false" />
</authentication>
http://msdn.microsoft.com/en-us/library/ff647070.aspx
Hey there, did you mean to have
<deny roles="Member"/>
? Right now, the deny policy really doesn't need the Member role listed. If you want Member to also be allowed on that page, you will need to swap out the deny for allow:
<authorization>
<allow roles="Admin" />
<allow roles="Member"/>
<deny users="?" />
</authorization>
I am having some trouble when I use ASP.NET 4's URL Routing feature while authorization rules are configured.
Global.asax
void Application_Start(object sender, EventArgs e) {
RegisterRoutes(RouteTable.Routes);
}
private void RegisterRoutes(RouteCollection routes) {
routes.MapPageRoute("dashboard", "", "~/Restricted/Default.aspx", true);
routes.MapPageRoute("register", "register", "~/Register.aspx", true);
routes.MapPageRoute("login", "login", "~/Login.aspx", true);
}
{Root}\Web.Config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authentication mode="Forms">
<forms name="DevAuth"
loginUrl="/login/"
protection="All"
path="/"
timeout="15"
requireSSL="false"
slidingExpiration="true"
cookieless="AutoDetect" />
</authentication>
</system.web>
<system.webServer>
<security>
<authentication>
<basicAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</configuration>
{Root}\Restricted\Web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="Developer" />
<add accessType="Deny" users="*" />
</authorization>
</security>
</system.webServer>
</configuration>
The problem I am facing is:
When I try to visit http://localhost/ -- because of my dashboard rule in Global.asax, instead of being redirected to http://localhost/login/?ReturnUrl=%2f, I am actually getting the content of http://localhost/Restricted/Default.aspx page.
when I try to visit http://localhost/Restricted/ -- I do get redirected to http://localhost/login/?ReturnUrl=%2fRestricted -- which is a good sign!
Any idea about what's going on?
EDIT 1
The following change in the config file gives me "Access is denied".
{Root}\Web.Config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authentication mode="Forms">
<forms name="DevAuth"
loginUrl="/login/"
protection="All"
path="/"
timeout="15"
requireSSL="false"
slidingExpiration="true"
cookieless="AutoDetect" />
</authentication>
</system.web>
<system.webServer>
<security>
<authentication>
<basicAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
<location path="login">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="register">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Hmmm, I think it comes down to this:
<location path="">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
The problem I see here comes from this path="", because this information tells the UserAgent [browser, like IE, FF or Chrome] to block this address: http://localhost:xxxxx
which in fact points to your default route: ~/Restricted/Default.aspx
You are denying access to this page by default to all users. Hope it gives you a hint on how to do this.
You are actually not using URL Rewriting; you are using Routing. There's a significant difference between the two that is likely causing your trouble: With Routing, the URL you are requesting is never changed. So the authorization system is still doing its work based on the URLs typed in the address bar... it knows nothing at all about what the routing engine is doing after.
That explains your initial behavior perfectly; Requesting the root/default (empty string route value) is permitted according to your initial auth rules. The fact that Routing is causing ~/Restricted/Default.aspx to be the content loaded is immaterial - that is, it is ignored. Likewise, directly requesting /Restricted/ would, then, trigger the auth mechanism.
Routing and file/location-based Authorization are actually very tricky to use together, for just this reason.
On the other hand, if you were using Rewriting (where the actual URL being requested is changed), things would work as you expect them to.
As Andrew Barber writes, your authentication rules will not come into play when you use Routing in this way.
You can read more about routing and authentication/authorization here: http://blogs.msdn.com/b/mikeormond/archive/2008/06/21/asp-net-routing-and-authorization.aspx
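The threads above turn on three points: `<allow users="*"/>` alone admits anonymous callers, rule order decides because the first matching `<allow>`/`<deny>` wins (the `deny ?` / `allow *` answers and the Admin/Member rules for ClientAccount.aspx), and, as Andrew Barber explains, authorization looks at the URL the browser requested, not at the page a route maps it to. The following Python model of that evaluation is an added illustration, not code from any of the answers or from ASP.NET; the prefix-based `<location>` matching is a simplification.

```python
# Added model of ASP.NET <authorization> evaluation (not ASP.NET's own code):
# rules that apply to the *requested* URL are checked top to bottom, the first
# matching <allow>/<deny> wins, and the implicit root rule is <allow users="*"/>.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Caller:
    name: Optional[str] = None                # None models an anonymous caller
    roles: frozenset = frozenset()


def rule_matches(rule, caller):
    """rule is (action, target, value), e.g. ("deny", "users", "?")."""
    action, target, value = rule
    if target == "users":
        if value == "*":                      # * : everyone, anonymous included
            return True
        if value == "?":                      # ? : anonymous callers only
            return caller.name is None
        return caller.name is not None and caller.name.lower() == value.lower()
    return target == "roles" and value in caller.roles


def is_allowed(rules, caller):
    for rule in rules:
        if rule_matches(rule, caller):
            return rule[0] == "allow"         # first match decides
    return True                               # nothing matched: default allow


def authorize(config, requested_path, caller):
    """config maps a <location path> ("" = root) to its rule list. Rules of the
    most specific matching location come first, then the root rules (simplified
    prefix matching). Only the URL the browser asked for is consulted: a route
    that later serves another page is invisible to this step."""
    path = requested_path.strip("/").lower()
    matching = [loc for loc in config if loc and path.startswith(loc.lower())]
    rules = []
    for loc in sorted(matching, key=len, reverse=True):
        rules += config[loc]
    rules += config.get("", [])
    return is_allowed(rules, caller)


# Constructed rule sets taken from the answers above.
ALLOW_ALL = [("allow", "users", "*")]
DENY_ANON_THEN_ALLOW = [("deny", "users", "?"), ("allow", "users", "*")]
CLIENT_ACCOUNT = [("allow", "roles", "Admin"), ("deny", "roles", "Member"),
                  ("deny", "users", "?")]
```

Swapping the two rules in DENY_ANON_THEN_ALLOW lets anonymous callers through again, which is the situation the first question describes.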