Form Authentication - Roles - Always returns to login screen

Discussion in 'ASP .Net Security' started by Laurie Dvorak, Apr 19, 2005.

  1. I'm using forms authentication and I want to limit access to certain
    directories only to users with certain roles. I have the following code
    (simplified to isolate problem):

    Web.config (main directory)
    <authentication mode="Forms">
        <forms name="WhsWebAuth" loginUrl="~/login.aspx" protection="None" timeout="30"/>
    </authentication>

    Web.config (directory I want to protect)
    <authorization>
        <allow roles="Admin" />
        <deny users="*" />
    </authorization>

    login.aspx.cs
    protected void OnButtonLoginClick(object sender, System.Web.UI.ImageClickEventArgs e)
    {
        FormsAuthentication.RedirectFromLoginPage(textBoxUsername.Text, false);
    }

    global.asax.cs
    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        if (HttpContext.Current.Request.IsAuthenticated)
        {
            string[] roles = new string[]{"Admin"};
            HttpContext.Current.User =
                new GenericPrincipal(HttpContext.Current.User.Identity, roles);
        }
    }

    This works fine on my development machine and I've used it before on another
    website. However, I'm working on a new website and when I run it on the
    client's ISP's server I can never get past the login screen. If I try to
    go to a page in the protected directory it brings up the login screen
    (fine). I login and then it immediately returns to the login screen. Even
    if I try to manually type in the page I'm trying to go to after the login,
    it returns me back to the login screen (so it's not just a matter of the
    redirect failing). It's as if the roles that are being set in the
    global.asax.cs file are being lost somehow.

    I'm thinking the problem must lie in how the ISP has the IIS server setup
    since this works fine on my machine and has worked on another website.
    However since it is an ISP, I cannot look at the server myself and I'm not
    sure what would cause this anyways.

    Ideas anyone?

    Thanks in advance,
    Laurie
    Laurie Dvorak, Apr 19, 2005
    #1

  2. Brock Allen (Guest)

    In your login page (for diagnostic reasons) print out the User.Identity.Name
    and User.IsInRole("Admin"). Typically when you login and then are redirected
    back to the login page, you are still logged in, it's just that security
    for that page disallowed access. So, print out that diagnostic info to see
    if you're really losing the auth info.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen



    Brock Allen, Apr 19, 2005
    #2
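
The diagnostic Brock suggests, written out as an added example (not code from either poster). It separates "the ticket was lost" from "logged in but denied by the role check". The class name and the `labelDiag` Label control are assumptions, and the cookie and ReturnUrl lines go beyond the two values he names.

```csharp
// login.aspx.cs: added diagnostic, not code from the thread.
using System;
using System.Text;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LoginDiagnosticsPage : Page   // hypothetical name; match the page's Inherits attribute
{
    protected Label labelDiag;             // hypothetical control declared in login.aspx

    protected void Page_Load(object sender, EventArgs e)
    {
        labelDiag.Text = DescribeAuthState(Context);
    }

    // Reports which stage of authentication/authorization failed for this request.
    private static string DescribeAuthState(HttpContext ctx)
    {
        string cookieName = FormsAuthentication.FormsCookieName; // "WhsWebAuth" in the posted config
        bool cookieSent = ctx.Request.Cookies[cookieName] != null;
        bool authenticated = ctx.Request.IsAuthenticated;
        bool isAdmin = authenticated && ctx.User.IsInRole("Admin");
        string name = authenticated ? ctx.User.Identity.Name : "(anonymous)";

        StringBuilder sb = new StringBuilder();
        sb.AppendFormat("Cookie {0} sent: {1}<br/>", HttpUtility.HtmlEncode(cookieName), cookieSent);
        sb.AppendFormat("IsAuthenticated: {0}<br/>", authenticated);
        // The name comes from the login form, so encode it before echoing it.
        sb.AppendFormat("User.Identity.Name: {0}<br/>", HttpUtility.HtmlEncode(name));
        sb.AppendFormat("IsInRole(\"Admin\"): {0}<br/>", isAdmin);
        sb.AppendFormat("ReturnUrl: {0}<br/>",
            HttpUtility.HtmlEncode(ctx.Request.QueryString["ReturnUrl"]));

        if (!cookieSent)
            sb.Append("Verdict: no ticket cookie reached the server.");
        else if (!authenticated)
            sb.Append("Verdict: cookie arrived but the ticket was not accepted.");
        else if (!isAdmin)
            sb.Append("Verdict: logged in, but the Admin role is not on the principal.");
        else
            sb.Append("Verdict: logged in with Admin; the denial comes from another rule.");
        return sb.ToString();
    }
}
```

Take the label out again once the cause is found, since it shows authentication state to anyone who loads the login page.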