ASP.NET Forms Authentication

Discussion in 'ASP .Net' started by Gavin Stevens, Apr 11, 2004.

  1. I'm trying to figure out the ASP.NET Forms Auth.

    I have 3 or 4 pages I want to allow anonymous access to. Then I have 5 or 6 pages I placed in another directory in the web project. These I want to manually authenticate users to provide access.

    My project has 2 web.config files... the default file:
    <authentication mode="Forms"><forms loginUrl="Login.aspx" protection="All" timeout="30" path="/SecureSite"/></authentication><authorization><allow users="?" /></authorization>

    This allows users access to my default page, reg page and a few others...

    If the user clicks on a link that takes them to the SecureSite dir, my app auto navigates to the login page.

    on the login button:

    cCustomer oCust = new cCustomer();

    if (oCust.LoginCustomer(txtUsername.Text.ToString(), txtPassword.Text.ToString()) == true)
    {
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(txtUsername.Text.ToString(), chkPersist.Checked);
        cookie.Expires = DateTime.Now.Add(new TimeSpan(30, 12, 30, 0));
        Response.Cookies.Add(cookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUsername.Text.ToString(), chkPersist.Checked));
    }

    and the web.config file in the SecureSite dir:
    <authorization><deny users="?" /></authorization>

    The problem is...

    The code authorizes the user... it even runs Response.Redirect, with the correct page, but the page goes back to the login form endlessly... Do I have a config file setting wrong? What do you think?

    Any ideas?

    Thanks,
    Gavin Stevens
    Gavin Stevens, Apr 11, 2004
    #1
  2. Pete Beech Guest

    Have you tried using FormsAuthentication.RedirectFromLoginPage, rather than
    setting the cookie manually and doing a Response.Redirect? Maybe the cookie
    is being lost when Response.Redirect is called directly? (just guessing -
    I've never tried it your way)

    Pete Beech

    Pete Beech, Apr 11, 2004
    #2
  3. Yes, I tried that... I'm thinking the problem is more in the way I have the whole thing configured with the web.config files and the site structure rather than the methods... Not sure exactly...

    Gavin
    Gavin Stevens, Apr 12, 2004
    #3
  4. Pete Beech Guest

    I've had a closer look at what you've got - I think the path setting in the
    form element is at least part of the problem. The path attribute is not the
    path to secure, but the path for the cookie..*

    You've already secured the path in the web.config file using the
    authorization element - so remove the path attribute from the <forms> tag,
    and see if that helps.

    Cheers,
    Pete Beech


    PS. In case that doesn't work, I also usually do the basic authentication
    similar to this - i.e.:

    if (MyAuthenticateMethod(UserName.Text, UserPassword.Text))
    {
        FormsAuthentication.RedirectFromLoginPage(UserName.Text, Persist.Checked);
    }

    assuming UserName and UserPassword textboxes, and a Persist checkbox.


    * From the quickstart docs, it states that this is the "path to use for the
    issued cookie. The default value is "/" to avoid difficulties with
    mismatched case in paths, since browsers are strictly case-sensitive when
    returning cookies. Applications in a shared-server environment should use
    this directive to maintain private cookies. (Alternatively, they can specify
    the path at runtime using the APIs to issue cookies.)"



    Pete Beech, Apr 12, 2004
    #4
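
Why a cookie path of /SecureSite can end in the login redirect loop discussed in this thread, as an added example that is not part of any post: it implements the browser's cookie path-match rule (RFC 6265, section 5.1.4) and applies it to constructed request paths. The page name Orders.aspx, the /MyApp virtual directory and the function names are assumptions.

```javascript
// Added example (not from the thread): the RFC 6265 section 5.1.4 path-match
// rule a browser applies before returning a cookie with a request.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;            // exact, case-sensitive
  if (!requestPath.startsWith(cookiePath)) return false;  // must be a prefix
  // The prefix has to end on a "/" boundary: /SecureSite must not match /SecureSiteOld.
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Server-side view of one request to a page covered by <deny users="?" />:
// without the ticket cookie the user is anonymous and is sent back to the login page.
function afterLogin(cookiePath, requestedPath) {
  return pathMatches(requestedPath, cookiePath)
    ? "ticket sent: page served"
    : "no ticket: redirect to login";
}

// Constructed request paths for the protected page. IIS resolves the first two
// to the same file; the third assumes the app runs in a virtual directory /MyApp.
const requests = [
  "/SecureSite/Orders.aspx",
  "/securesite/Orders.aspx",
  "/MyApp/SecureSite/Orders.aspx",
];

// Returns how many of the constructed requests end up back at the login page.
function loginLoops(cookiePath) {
  return requests.filter((p) => !pathMatches(p, cookiePath)).length;
}

for (const cookiePath of ["/SecureSite", "/"]) {
  for (const p of requests) {
    console.log(`path=${cookiePath.padEnd(12)} ${p.padEnd(32)} ${afterLogin(cookiePath, p)}`);
  }
}
```

With the default path "/" every request carries the ticket, so access control is left entirely to the authorization elements.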
  5. First, I don't see in your code, where did you set the Auth cookie? Use
    FormsAuthentication.SetAuthCookie, not GetAuthCookie.
    You do not have to manually set an expiration on that cookie - it is done in
    the web.config.

    Second - Problem is actually here - do you run 2 applications (I see 2
    web.config files)? You don't have to. Just configure your first web.config
    appropriately:


    <?xml version="1.0"?>
    <configuration>

      <!-- This is for your public part -->
      <system.web>
        ...
        <authentication mode="Forms">
          <forms loginUrl="login.aspx" name="MyAuthCookie" timeout="30" />
        </authentication>
        <authorization>
          <allow users="*" />
        </authorization>
        ...
      </system.web>
      ...

      <!-- This is for your secure part -->
      <location path="SecureSite/">
        <system.web>
          ...
          <authentication mode="Forms">
            <forms loginUrl="login.aspx" name="MyAuthCookie" timeout="30" />
          </authentication>
          <authorization>
            <deny users="?" />
          </authorization>
          ...
        </system.web>
      </location>

    </configuration>

    Viktor Jevdokimov, Apr 14, 2004
    #5
  6. Pete Beech Guest

    The main problem actually seems to be the path setting in the forms tag -
    try setting up a project and include the path setting, and you should find
    that you can reproduce the behaviour Gavin mentions.

    I agree about the use of GetAuthCookie, etc. I usually just let the
    RedirectFromLoginPage function create the cookie for me.

    You can do the web.config your way, but you can also have web.configs at
    different levels - which some people prefer to do. In any case, this isn't
    the cause of the problem.

    Cheers,
    Pete

    Pete Beech, Apr 14, 2004
    #6