ASP.NET 2.0 & FormsAuthentication

Discussion in 'ASP .Net Security' started by vetplakh, Sep 2, 2005.

  1. vetplakh

    vetplakh Guest

    Visual Studio 2005 Beta 2

    Web.config
    <system.web>
    <authentication mode="Forms">
    <forms name=".AS20AUTH" slidingExpiration="false" loginUrl="login.aspx" />
    </authentication>
    </system.web>
    ....

    According to IIS logs Forms Authentication Control Flow described in
    http://msdn2.microsoft.com/library/9fw3ef80(en-us,vs.80).aspx
    doesn't work.

    Pls help me.
    vetplakh, Sep 2, 2005
    #1

  2. Hello vetplakh,

    wanna give us more info, or shall we on ourselves figure out what exactly
    your problem is??

    do you have denied access to anon users??

    <authorization>
    <deny users="?" />
    </authorization>

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Sep 2, 2005
    #2

  3. vetplakh

    vetplakh Guest

    OS - Windows XP SP2

    I create web-site:
    Location: HTTP
    Language: C#

    To the newly created web-project I add web.config-file:
    <?xml version="1.0"?>
    <!--
    Note: As an alternative to hand editing this file you can use the
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in
    machine.config.comments usually located in
    \Windows\Microsoft.Net\Framework\v2.x\Config
    -->
    <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
    <configSections>
    <section name="OctaEnc"
    type="System.Configuration.NameValueSectionHandler" />
    </configSections>
    <!--===============================================================================-->
    <appSettings>
    <add key="HTMLFactoryLog" value="E:\Data\HTMLFactory.log"/>
    <add key="SubDocEngineLog" value="E:\Data\SubDocEngine.log"/>
    </appSettings>
    <!--===============================================================================-->
    <connectionStrings>
    <add
    connectionString="Server=(local);Database=VKM34FR;Integrated Security=SSPI;"
    name="CnNET"
    providerName="System.Data.SqlClient"
    />
    <add
    connectionString="Provider=SQLOLEDB;Server=(local);Database=VKM34FR;Integrated Security=SSPI;"
    name="CnADO"
    providerName="System.Data.OleDb"
    />
    </connectionStrings>
    <!--===============================================================================-->
    <protectedData>
    <protectedDataSections>
    <add name="OctaEnc" provider="RsaProtectedConfigurationProvider"
    inheritedByChildren="false" />
    </protectedDataSections>
    </protectedData>
    <OctaEnc>
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
    xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod
    Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <EncryptedKey Recipient="" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyName>Rsa Key</KeyName>
    </KeyInfo>
    <CipherData>
    <CipherValue>iN/kDPw1CA8TUT7whF/luN6zQBLRAANSU1tyDLerhx8gc5rncBF2K6yKK4DDX6YtIvkGvJgJtiupfwjK4Es8k6+bfE4Q50mYC19Ofotnl+W7ZLsdPLRM80j/c9qSiPkixP/GJB8bGQwyyBwsOlwi1Vcki3CGpWFykxmDi1v84Vo=</CipherValue>
    </CipherData>
    </EncryptedKey>
    </KeyInfo>
    <CipherData>
    <CipherValue>Muw9pp7r3VguhqKzM9vRfzjV5YBLQkqSQSS0HTt8bpgYU8kLRiUVGtbuVMk8YXc+FCbBGYLtpTRkmJTE5oDA1CDD518RwyHxqQIHMOzgMtlhLGmYtJZ0zdOrduiZ1+jJAR4Nvb4Ulm5FGdhKEgNTfCpf2qT06y+13LwYkYJaiYirLh2ulI84ZP0JlojcDEn7</CipherValue>
    </CipherData>
    </EncryptedData>
    </OctaEnc>
    <!--===============================================================================-->
    <system.web>
    <!--
    Set compilation debug="true" to insert debugging
    symbols into the compiled page. Because this
    affects performance, set this value to true only
    during development.
    -->
    <compilation debug="true" defaultLanguage="c#" />
    <!--
    The <authentication> section enables configuration
    of the security authentication mode used by
    ASP.NET to identify an incoming user.
    -->
    <authentication mode="Forms">
    <forms name=".AS20AUTH" slidingExpiration="false" loginUrl="login.aspx" />
    </authentication>
    <!--
    The <customErrors> section enables configuration
    of what to do if/when an unhandled error occurs
    during the execution of a request. Specifically,
    it enables developers to configure html error pages
    to be displayed in place of a error stack trace.

    <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
    <error statusCode="403" redirect="NoAccess.htm"/>
    <error statusCode="404" redirect="FileNotFound.htm"/>
    </customErrors>
    -->
    <httpHandlers>
    <add verb="GET" path="ShowImage.aspx" type="OcVKM20.PDFHandler,OcVKM20"/>
    </httpHandlers>
    </system.web>
    <system.net>
    <mailSettings>
    <smtp deliveryMethod="Network">
    <network host="10.0.77.26" defaultCredentials="false"/>
    </smtp>
    </mailSettings>
    </system.net>
    </configuration>

    I add the existing C++ project OcVKM20 to the solution and add reference to
    this project into web-project.

    I add new web-form login.aspx to the web-project and explicitly make
    default.aspx as a start page.

    I run application - redirection doesn't occur.

    > do you have denied access to anon users??
    >
    > <authorization>
    > <deny users="?" />
    > </authorization>

    No I don't. The default value is used (which I'm sure is allow="*")

    P.S.
    > ... shall we on ourselves figure out what exactly
    > your problem is??


    Don't you guys get paid for that?


    vetplakh, Sep 6, 2005
    #3
  4. Hello vetplakh,


    > No I don't. The default value is used (which I'm sure is allow="*")
    >


    And that's your problem - no authentication required - no redirect

    >
    >> ... shall we on ourselves figure out what exactly your problem is??
    >>

    > Don't you guys get paid for that?



    HAHA. No, we don't. We hang out here just for kicks.

    Dominick Baier [DevelopMentor], Sep 6, 2005
    #4
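
The point of the answer above, as an added example (not code from the thread or from ASP.NET): a small Python audit that reads a web.config and reports whether an anonymous request would be denied, which is what triggers the Forms redirect to loginUrl. It assumes first-match rule evaluation with the inherited `<allow users="*"/>` default, looks only at the root `<system.web>` section (no `<location>` or role rules), and uses constructed sample configs.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip "{namespace}" so configs with or without xmlns are handled alike.
    return tag.rsplit("}", 1)[-1]

def _child(parent, name):
    if parent is None:
        return None
    return next((c for c in parent if _local(c.tag) == name), None)

def anonymous_access(web_config_xml, verb="GET"):
    """Return 'allow' or 'deny' for an anonymous request at the app root."""
    system_web = _child(ET.fromstring(web_config_xml), "system.web")
    authorization = _child(system_web, "authorization")
    for rule in (authorization if authorization is not None else []):
        action = _local(rule.tag)
        if action not in ("allow", "deny"):
            continue
        verbs = [v.strip().upper() for v in rule.get("verbs", "").split(",") if v.strip()]
        if verbs and verb not in verbs:
            continue  # rule only applies to other HTTP verbs
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "?" in users or "*" in users:  # "?" = anonymous, "*" = everyone
            return action                  # first matching rule wins
    return "allow"  # nothing matched: inherited default is <allow users="*"/>

def redirects_to_login(web_config_xml):
    """True if Forms auth is on AND anonymous users are denied."""
    system_web = _child(ET.fromstring(web_config_xml), "system.web")
    auth = _child(system_web, "authentication")
    forms_mode = auth is not None and auth.get("mode") == "Forms"
    return forms_mode and anonymous_access(web_config_xml) == "deny"

# Constructed sample configs mirroring the three states in the thread.
FORMS = '<authentication mode="Forms"><forms name=".AS20AUTH" loginUrl="login.aspx"/></authentication>'
def _cfg(authz):
    return "<configuration><system.web>" + FORMS + authz + "</system.web></configuration>"

AS_POSTED = _cfg("")
ALLOW_ALL = _cfg('<authorization><allow users="*"/></authorization>')
DENY_ANON = _cfg('<authorization><deny users="?"/></authorization>')

if __name__ == "__main__":
    for label, cfg in [("as posted", AS_POSTED), ("allow *", ALLOW_ALL), ("deny ?", DENY_ANON)]:
        print(f"{label:10} anonymous={anonymous_access(cfg)} redirect={redirects_to_login(cfg)}")
```

Only the `<deny users="?"/>` config reports a redirect; an explicit `<allow users="*"/>` behaves exactly like having no `<authorization>` section at all.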
  5. vetplakh

    vetplakh Guest

    OK - I added

    <authorization>
    <allow users="*"/>
    </authorization>

    after
    <authentication>

    No luck.

    vetplakh, Sep 6, 2005
    #5
  6. vetplakh

    vetplakh Guest

    OK - I got it. Thx for help

    vetplakh, Sep 6, 2005
    #6
  7. Dominick
    That was a nice question if we get paid :):)
    Patrick

    Patrick.O.Ige, Oct 31, 2005
    #7