Authentication login screen appears on both frames of the frameset

dana lees

Hello,

I am developing a C# ASP.NET application.
I am using the authentication and authorization mechanism, whose timeout
is set to 60 minutes.

My application consists of 2 frames - a header frame and a main frame.
When I enter the application, I see the login screen on the whole screen,
but when the authentication expires, the login screen appears on both
frames.

How can I make it appear on 1 central screen?


Thank you
Dana
 
S. Justin Gengo

Dana,

If you're using forms authentication, when a user is not authorized to see a
page they are automatically redirected to the login page.

Since both of your frames are checking if the user is authorized, they each
get redirected.

To fix this, in the code for the page that you don't want redirected to the
login page you should remove it from the forms authentication process and
then check if the user is logged in "manually" in the code-behind. If they
are logged in, display the data. If they are not, then display an appropriate
message or nothing at all...

--
Sincerely,

S. Justin Gengo, MCP
Web Developer / Programmer

www.aboutfortunate.com

"Out of chaos comes order."
Nietzsche
 
Bruce Barker

When one frame detects a login required, it needs to redirect to a login
page. The login page should run client code that detects it's in a frame, and
redirect to target "_top", or refresh its parent frame (the frameset).

-- bruce (sqlwork.com)
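
The client-side check Bruce describes, as an added example (not code from the thread) for a script on the login page. It also resets the ReturnUrl that forms authentication appends, so that after sign-in the browser loads the frameset rather than the lone frame page; FRAMESET_URL, its value "/default.aspx" and the function names are assumptions.

```javascript
// Added example for login.aspx. FRAMESET_URL is an assumed name and value for
// the page that holds the <frameset>; use the application's own start page.
const FRAMESET_URL = "/default.aspx";

// Work out where the top-level window should go when the login page finds
// itself inside a frame. Returns null when no navigation is needed.
function topLevelLoginUrl(loginHref, isFramed, framesetUrl) {
  if (!isFramed) return null;
  const url = new URL(loginHref);
  // Forms authentication appends ReturnUrl=<page that was denied>. For a
  // framed request that is the frame's own page (e.g. /header.aspx), which
  // would load alone in the top window after sign-in. Point it at the
  // frameset instead. A fixed same-site path also means the script never
  // passes along whatever ReturnUrl value arrived in the query string.
  url.searchParams.set("ReturnUrl", framesetUrl);
  return url.toString();
}

// Detect framing and, if framed, reload the login page in the top window
// (the equivalent of target="_top"). Returns the URL navigated to, or null.
function breakOutOfFrame(win) {
  const framed = win.top !== win.self;
  const target = topLevelLoginUrl(win.location.href, framed, FRAMESET_URL);
  if (target !== null) {
    // replace() keeps the framed login page out of the history, so the Back
    // button does not return to the expired frameset.
    win.top.location.replace(target);
  }
  return target;
}

// Run only in a browser; under Node (no window) the functions are just defined.
if (typeof window !== "undefined") {
  breakOutOfFrame(window);
}
```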
 
dana lees

Thank you very much.
Just a little question - how do I remove a certain page from the forms
authentication process?
Thanks,
Dana
 
S. Justin Gengo

Dana,

I'm not certain where you set that permission. You have to have done that
yourself to be locking the user out of that file. Otherwise the page
wouldn't be redirecting to the login. There are a number of places you could
have done so, but you've probably done that in your web.config file. Just
give all users permission to the page that shouldn't redirect, but then do
the check in the page's code.

--
Sincerely,

S. Justin Gengo, MCP
Web Developer / Programmer

www.aboutfortunate.com

"Out of chaos comes order."
Nietzsche
 
dana lees

I have used the web.config file in the following way:

<authentication mode="Forms">
  <forms name="DJTCCookie" path="/" loginUrl="login.aspx" protection="All" timeout="60">
  </forms>
</authentication>
 
dana lees

How can I give the users permission to "header.aspx", which is the page they
are always allowed to open?

Thanks,
Dana
 
S. Justin Gengo

Dana,

You've locked down the entire application. You'll want to specify only
certain pages to protect. Here is a sample web.config file that allows
access to an entire application but locks down a single directory:

***Note the <location> section at the bottom which contains a second
<system.web> section.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>

  <system.web>

    <!-- AUTHENTICATION
         This section sets the authentication policies of the application.
         Possible modes are "Windows", "Forms", "Passport" and "None"
    -->
    <authentication mode="Forms">
      <!-- The name attribute below specifies the name of the browser cookie
           that contains the authentication ticket. By default the cookie is
           named .ASPXAUTH. If you are configuring multiple apps on the same
           server, you should give a unique cookie name for each app. loginUrl
           is the page to which users are auto-redirected when authentication
           is required. timeout is the amount of time in minutes before a
           cookie expires. The default is 30 min. -->
      <forms name="LoginCookieName" loginUrl="admin/login.aspx" timeout="20">
        <credentials passwordFormat="SHA1">
          <user name="UserName" password="C8FEBA6A531A71A9AC1BA0D982163C9AADA69820"/>
        </credentials>
      </forms>
    </authentication>

    <!-- AUTHORIZATION
         This section sets the authorization policies of the application. You
         can allow or deny access to application resources by user or role.
         Wildcards: "*" means everyone, "?" means anonymous (unauthenticated)
         users.
    -->
    <authorization>
      <!-- allowing anonymous users access to the entire app -->
      <allow users="?" />
    </authorization>

    <!-- APPLICATION-LEVEL TRACE LOGGING
         Application-level tracing enables trace log output for every page
         within an application. Set trace enabled="true" to enable application
         trace logging. If pageOutput="true", the trace information will be
         displayed at the bottom of each page. Otherwise, you can view the
         application trace log by browsing the "trace.axd" page from your web
         application root.
    -->
    <trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="false" />

    <!-- GLOBALIZATION
         This section sets the globalization settings of the application.
    -->
    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
  </system.web>

  <!-- LOCATION
       The "<location>" tag allows a developer to specify a particular
       folder / file to set properties for.
  -->
  <location path="admin">
    <system.web>

      <!-- AUTHORIZATION
           This section sets the authorization policies of the application.
           You can allow or deny access to application resources by user or
           role. Wildcards: "*" means everyone, "?" means anonymous
           (unauthenticated) users.
      -->
      <authorization>
        <!-- I use the code below to allow one and only one user to access
             the ADMIN folder (directory). My login script returns a username
             and not an id value. If it returned an id value then the id value
             would be used instead. I then deny all users and anonymous users.
             Thus only one user, the site admin, can access the folder "Admin"
             and any pages in that folder. -->
        <allow users="UserName"></allow>
        <deny users="*"></deny>
        <deny users="?"></deny>
      </authorization>
    </system.web>
  </location>
</configuration>


--
Sincerely,

S. Justin Gengo, MCP
Web Developer / Programmer

www.aboutfortunate.com

"Out of chaos comes order."
Nietzsche
 
dana lees

Thank you very much!
