Forms Auth (roles being ignored)

Discussion in 'ASP .Net Security' started by WhiskeyRomeo, Sep 11, 2007.

  1. WhiskeyRomeo

    WhiskeyRomeo Guest

    Please ignore my previous post as I am way past that now.

    Below is the code I am using in the login page. Below that are the settings
    within the Web.config file. The procedure responsible for checking the password
    just sets a session variable called "WebRoles" and returns True. In this case
    I am setting a role that should be denied access to the requested page
    even though the user is authenticated. But the code below always results in a
    redirection to the protected page. In this website there is only one page in
    the root directory (Login.aspx) and there is a Public subfolder which has two
    pages, RegUpdate.aspx and Appt.aspx.

    For authenticated users the redirection happens just fine. But, somehow, I
    thought the following line would fail for denied roles:

    'Redirect the request
    FormsAuthentication.RedirectFromLoginPage(Trim(sUserName), False)

    What am I missing?

    ********************CODE************
    Partial Class Login
        Inherits System.Web.UI.Page

        Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load

        End Sub

        ' Password check stub: records the role in session state and always succeeds
        Private Function CheckPassWord(ByVal sUser As String, ByVal sPassword As String) As Boolean
            Session("WebRoles") = "Photog" 'THIS ROLE IS NOT ALLOWED ACCESS TO THE PUBLIC FOLDER PER WEB.CONFIG FILE.
            Return True
        End Function

        Protected Sub btnLogIn_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnLogIn.Click
            Try
                ' Drop any existing forms-authentication cookie before issuing a new one
                If Not (Session("UserName")) Is Nothing Then
                    FormsAuthentication.SignOut()
                End If

                Select Case CheckPassWord(Trim(tbUserName.Text), Trim(tbPassWord.Text))
                    Case True
                        Call RedirectUser(Trim(tbUserName.Text))
                    Case False
                        lblmsg.Text = "UserName or Password not found. Please try again." + vbCrLf + lblmsg.Text
                        ' Count failed attempts in ViewState; send the user away after three
                        ViewState("tries") = ViewState("tries") + 1
                        If ViewState("tries") > 3 Then
                            Response.Redirect("Denied.aspx")
                        End If
                End Select
            Catch ex As Exception
                ' Any exception is swallowed here
            End Try
        End Sub

        Private Sub RedirectUser(ByVal sUserName As String)

            'Create authentication ticket; the role name goes into the UserData field
            Dim authTicket As New FormsAuthenticationTicket(1, sUserName, _
                DateTime.Now, DateTime.Now.AddMinutes(20), False, Session("WebRoles"))

            'Create encrypted string representation of ticket
            Dim sEncryptedTicket As String = ""
            Try
                sEncryptedTicket = FormsAuthentication.Encrypt(authTicket)
            Catch ex As Exception
                Session("StringEncrptFailed") = ex.Message
            End Try

            'Store it within an HttpCookie object
            Dim authCookie As New HttpCookie(FormsAuthentication.FormsCookieName, sEncryptedTicket)
            authCookie.Path = FormsAuthentication.FormsCookiePath
            Dim strCookiePath As String = authCookie.Path
            'Add the cookie to the outgoing cookie collection
            Try
                Response.Cookies.Add(authCookie)
            Catch ex As Exception
                Session("CookieAddFailed") = ex.Message
            End Try

            'Redirect the request
            FormsAuthentication.RedirectFromLoginPage(Trim(sUserName), False)

        End Sub

    End Class
    *************WEB.CONFIG FILE*******
    <?xml version="1.0"?>
    ..
    ..
    ..
    <system.web>
        ..
        ..
        ..
        <roleManager enabled="true" />
        <authentication mode="Forms">
            <forms name="Appointment" loginUrl="Login.aspx" slidingExpiration="true"
                   protection="All" timeout="20" path="/">
                <credentials passwordFormat="Clear"></credentials>
            </forms>
        </authentication>
        <machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate"/>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>

    <location path="Public">
        <system.web>
            <authorization>
                <!-- Order and case are important below -->
                <allow roles="Public"/>
                <deny roles="Photog"/>
                <deny users="?"/>
            </authorization>
        </system.web>
    </location>
    ..
    ..
    ..
     
    WhiskeyRomeo, Sep 11, 2007
    #1
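As an added example that is not part of the original post: the Global.asax handler ASP.NET needs before roles stored in a ticket's UserData can reach a `<deny roles="..."/>` rule, since forms authentication only sets the identity and never reads UserData into roles. It assumes `<roleManager>` is disabled (an enabled role manager replaces the principal at PostAuthenticateRequest with one built from its own role provider), and that the login page writes the cookie itself and redirects with `GetRedirectUrl`, because `RedirectFromLoginPage` issues a fresh ticket with empty UserData that overwrites the hand-built cookie.

```vb
' Added example, not from the original post: map the comma-separated role list
' stored in the forms ticket's UserData onto the request principal so that
' UrlAuthorizationModule can evaluate <allow roles=...> / <deny roles=...>.
' Assumes <roleManager enabled="false"/>; otherwise RoleManagerModule replaces
' Context.User with a RolePrincipal fed by the configured RoleProvider.
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

Public Class Global_asax
    Inherits System.Web.HttpApplication

    Protected Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        ' FormsAuthenticationModule has already run: if there is no authenticated
        ' forms identity there is no ticket to read, so leave the request alone.
        If Context.User Is Nothing OrElse Not Context.User.Identity.IsAuthenticated Then Return
        Dim identity As FormsIdentity = TryCast(Context.User.Identity, FormsIdentity)
        If identity Is Nothing Then Return

        ' identity.Ticket is the decrypted, MAC-validated cookie contents, so the
        ' role list was written by the server, not supplied by the browser.
        Dim roles As String() = ParseRoles(identity.Ticket.UserData)

        ' Replace the principal; later modules see these roles for this request.
        Context.User = New GenericPrincipal(identity, roles)
    End Sub

    ' UserData is free-form text; the login page stored "Photog" or "Public".
    ' Trimming and dropping empties keeps a stray space from defeating a match.
    Public Shared Function ParseRoles(ByVal userData As String) As String()
        Dim cleaned As New List(Of String)
        If Not String.IsNullOrEmpty(userData) Then
            For Each part As String In userData.Split(","c)
                Dim role As String = part.Trim()
                If role.Length > 0 Then cleaned.Add(role)
            Next
        End If
        Return cleaned.ToArray()
    End Function
End Class

' In the login page, after Response.Cookies.Add(authCookie), redirect with
'   Response.Redirect(FormsAuthentication.GetRedirectUrl(sUserName, False))
' instead of RedirectFromLoginPage so the cookie carrying UserData survives.
```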