ASP.NET Forms Authentication

Guest

I'm trying to figure out the ASP.NET Forms Auth.

I have 3 or 4 pages I want to allow anonymous access to. Then I have 5 or 6 pages I placed in another directory in the web project. These I want to manually authenticate users to provide access.

My project has 2 web.config files... the default file:

<authentication mode="Forms">
  <forms loginUrl="Login.aspx" protection="All" timeout="30" path="/SecureSite"/>
</authentication>
<authorization>
  <allow users="?" />
</authorization>

This allows users access to my default page, reg page and a few others...

If the user clicks on a link that takes them to the SecureSite dir, my app auto navigates to the login page.

On the login button:

cCustomer oCust = new cCustomer();

if (oCust.LoginCustomer(txtUsername.Text.ToString(), txtPassword.Text.ToString()) == true)
{
    // Build the forms-authentication cookie by hand and add it to the response
    HttpCookie cookie = FormsAuthentication.GetAuthCookie(txtUsername.Text.ToString(), chkPersist.Checked);
    cookie.Expires = DateTime.Now.Add(new TimeSpan(30, 12, 30, 0));
    Response.Cookies.Add(cookie);
    // Send the user back to the page that was originally requested
    Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUsername.Text.ToString(), chkPersist.Checked));
}


and the web.config file in the SecureSite dir:

<authorization>
  <deny users="?" />
</authorization>

The problem is...

The code authorizes the user... it even runs Response.Redirect, with the correct page, but the page goes back to the login form endlessly... Do I have a config file setting wrong? What do you think?

Any ideas?

Thanks
Gavin Stevens
(e-mail address removed)
 
Pete Beech

Have you tried using FormsAuthentication.RedirectFromLoginPage, rather than
setting the cookie manually and doing a Response.Redirect? Maybe the cookie
is being lost when Response.Redirect is called directly? (just guessing -
I've never tried it your way)

Pete Beech

Guest

Yes, I tried that... I'm thinking the problem is more in the way I have the whole thing configured with the web.config files and the site structure rather than the methods... Not sure exactly...

Gavin
 
Pete Beech

I've had a closer look at what you've got - I think the path setting in the
form element is at least part of the problem. The path attribute is not the
path to secure, but the path for the cookie.*

You've already secured the path in the web.config file using the
authorization element - so remove the path attribute from the <forms> tag,
and see if that helps.

Cheers,
Pete Beech


PS. In case that doesn't work, I also usually do the basic authentication
similar to this - i.e:

if (MyAuthenticateMethod(UserName.Text, UserPassword.Text))
{
    FormsAuthentication.RedirectFromLoginPage(UserName.Text, Persist.Checked);
}

assuming UserName and UserPassword textboxes, and a Persist checkbox


* From the quickstart docs, it states that this is the "path to use for the
issued cookie. The default value is "/" to avoid difficulties with
mismatched case in paths, since browsers are strictly case-sensitive when
returning cookies. Applications in a shared-server environment should use
this directive to maintain private cookies. (Alternatively, they can specify
the path at runtime using the APIs to issue cookies.)"



Viktor Jevdokimov

First, I don't see in your code, where did you set the Auth cookie? Use
FormsAuthentication.SetAuthCookie, not GetAuthCookie.
You do not have to set manually an expiration on that cookie - it is done in
the web.config.

Second - Problem is actually here - do you run 2 applications (I see 2
web.config files)? You don't have to. Just configure your first web.config
appropriately:


<?xml version="1.0"?>
<configuration>

  <!-- This is for your public part -->
  <system.web>
    ...
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name="MyAuthCookie" timeout="30" />
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
    ...
  </system.web>
  ...

  <!-- This is for your secure part -->
  <location path="SecureSite/">
    <system.web>
      ...
      <authentication mode="Forms">
        <forms loginUrl="login.aspx" name="MyAuthCookie" timeout="30" />
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
      ...
    </system.web>
  </location>

</configuration>

Pete Beech

The main problem actually seems to be the path setting in the forms tag -
try setting up a project and include the path setting, and you should find
that you can reproduce the behaviour Gavin mentions.

I agree about the use of GetAuthCookie, etc. I usually just let the
RedirectFromLoginPage function create the cookie for me.

You can do the web.config your way, but you can also have web.configs at
different levels - which some people prefer to do. In any case, this isn't
the cause of the problem.

Cheers,
Pete
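
Added example, not part of the thread: a small model of why a forms cookie scoped with path="/SecureSite" can fail to come back after login, using the browser's case-sensitive path-match rule (RFC 6265, section 5.1.4). The /MyApp virtual directory, Orders.aspx and the toy server logic are constructed assumptions, not details of Gavin's site.

```javascript
// RFC 6265 section 5.1.4 path-match: would the browser attach a cookie
// scoped to cookiePath to a request for requestPath? Case-sensitive.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Toy model of the login round trip (constructed, not ASP.NET code).
// Assumption: the server matches the protected directory case-insensitively,
// as a Windows-hosted site does, while the browser applies pathMatches.
function followRedirects({ cookiePath, protectedDir, loginPath, startPath }, maxHops = 6) {
  const jar = [];   // Path values of the auth cookies the browser holds
  const trail = []; // every URL path requested, in order
  let path = startPath;
  for (let hop = 0; hop < maxHops; hop++) {
    trail.push(path);
    if (path === loginPath) {
      jar.push(cookiePath); // credentials accepted: ticket cookie issued
      path = startPath;     // redirect back to the originally requested page
      continue;
    }
    const hasTicket = jar.some((p) => pathMatches(p, path));
    const isProtected = path.toLowerCase().startsWith(protectedDir.toLowerCase());
    if (isProtected && !hasTicket) {
      path = loginPath;     // anonymous request to a deny-"?" area
      continue;
    }
    return { outcome: "served", trail };
  }
  return { outcome: "loop", trail };
}

// Constructed cases: the thread's path="/SecureSite" under different hostings.
const cases = [
  { cookiePath: "/SecureSite", protectedDir: "/SecureSite/", loginPath: "/Login.aspx", startPath: "/SecureSite/Orders.aspx" },
  { cookiePath: "/SecureSite", protectedDir: "/SecureSite/", loginPath: "/Login.aspx", startPath: "/securesite/Orders.aspx" },
  { cookiePath: "/SecureSite", protectedDir: "/MyApp/SecureSite/", loginPath: "/MyApp/Login.aspx", startPath: "/MyApp/SecureSite/Orders.aspx" },
  { cookiePath: "/", protectedDir: "/MyApp/SecureSite/", loginPath: "/MyApp/Login.aspx", startPath: "/MyApp/SecureSite/Orders.aspx" },
];
for (const c of cases) {
  console.log(c.cookiePath.padEnd(12), c.startPath.padEnd(30), followRedirects(c).outcome);
}
```

The second and third cases loop because the cookie is issued but never returned: once for a lower-case link, once because the application lives below the site root. With the default path of "/" the same requests are served.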
 
