Forms authentication credentials fail

Discussion in 'ASP .Net Security' started by Chris, Apr 20, 2006.

  1. Chris

    Chris Guest

    Hi,

    I have a site with an admin folder that is protected with forms
    authentication. I just want 1 admin user to be able to access it but to
    use my own user authentication for the rest of the site.

    I did have it working using an asp.net 2.0 login control and the
    credential specified in the web.config but after going back to working
    on the admin parts, it has suddenly started refusing the login.

    I set the admin user's password to the result of
    FormsAuthentication.HashPasswordForStoringInConfigFile("password","sha1")
    and this did work before.

    I haven't done anything special with the login control.

    I'm sure it's something simple but I can't see why the login fails or
    what I did to break it.

    Is there a 'proper' way to do this that is just as simple? (Without going
    into memberships etc.,)

    Here's my web.config:
    <configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
      <appSettings>
        <add key="MainDomain" value="http://www.crackthelottery.com"/>
      </appSettings>

      <snip connection strings.../>

      <system.web>

        <snip assembly stuff.../>

        <!--
        The <authentication> section enables configuration
        of the security authentication mode used by
        ASP.NET to identify an incoming user.
        -->
        <authentication mode="Forms">
          <forms loginUrl="Admin/Login.aspx" protection="All" timeout="30">
            <credentials passwordFormat="SHA1">
              <user name="admin" password="5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"/>
            </credentials>
          </forms>
        </authentication>
        <anonymousIdentification enabled="true"/>
        <profile defaultProvider="SqlProvider">
          <providers>
            <clear/>
            <add name="SqlProvider"
                 type="System.Web.Profile.SqlProfileProvider"
                 connectionStringName="LocalSqlServer" applicationName="CrackTheLottery"
                 description="SqlProfileProvider for CrackTheLottery"/>
          </providers>
          <properties>
            <add name="UserID" allowAnonymous="true" type="System.Int32"/>
          </properties>
        </profile>
        <httpHandlers>
          <add verb="*" path="*.zip" type="FileHandler"/>
          <add verb="*" path="*.exe" type="FileHandler"/>
          <add verb="*" path="*.xml" type="FileHandler"/>
          <add verb="*" path="*.pdf" type="FileHandler"/>
        </httpHandlers>
      </system.web>
      <location path="Admin">
        <system.web>
          <authorization>
            <allow users="admin"/>
            <deny users="*"/>
          </authorization>
        </system.web>
      </location>
    </configuration>

    I can't find anything that explains this simply and can't remember
    where I originally looked all this up so thanks for the help.
     
    Chris, Apr 20, 2006
    #1

  2. the login control does not work against the <credential> section in web.config

    you can

    a) handle the authenticate event of the login control and call FormsAuthentication.Authenticate
    b) use the provider i wrote: http://www.leastprivilege.com/ASPNETMembershipProviderForWebconfig2ndTry.aspx

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi,
    >
    > I have a site with an admin folder that is protected with forms
    > authentication. I just want 1 admin user to be able to access it but
    > to use my own user authentication for the rest of the site.
    >
    > I did have it working using an asp.net 2.0 login control and the
    > credential specified in the web.config but after going back to working
    > on the admin parts, it has suddenly started refusing the login.
    >
    > I set the admin user's password to the result of
    > FormsAuthentication.HashPasswordForStoringInConfigFile("password","sha1")
    > and this did work before.
    >
    > I haven't done anything special with the login control.
    >
    > I'm sure it's something simple but I can't see why the login fails or
    > what I did to break it.
    >
    > Is there a 'proper' way to do this that is just as simple? (Without going
    > into memberships etc.,)
    >
    > Here's my web.config:
    > <configuration
    > xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
    > <appSettings>
    > <add key="MainDomain" value="http://www.crackthelottery.com"/>
    > </appSettings>
    > <snip connection strings.../>
    >
    > <system.web>
    >
    > <snip assembly stuff.../>
    >
    > <!--
    > The <authentication> section enables configuration
    > of the security authentication mode used by
    > ASP.NET to identify an incoming user.
    > -->
    > <authentication mode="Forms">
    > <forms loginUrl="Admin/Login.aspx" protection="All" timeout="30">
    > <credentials passwordFormat="SHA1">
    > <user name="admin"
    > password="5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"/>
    > </credentials>
    > </forms>
    > </authentication>
    > <anonymousIdentification enabled="true"/>
    > <profile defaultProvider="SqlProvider">
    > <providers>
    > <clear/>
    > <add name="SqlProvider"
    > type="System.Web.Profile.SqlProfileProvider"
    > connectionStringName="LocalSqlServer"
    > applicationName="CrackTheLottery"
    > description="SqlProfileProvider for CrackTheLottery"/>
    > </providers>
    > <properties>
    > <add name="UserID" allowAnonymous="true" type="System.Int32"/>
    > </properties>
    > </profile>
    > <httpHandlers>
    > <add verb="*" path="*.zip" type="FileHandler"/>
    > <add verb="*" path="*.exe" type="FileHandler"/>
    > <add verb="*" path="*.xml" type="FileHandler"/>
    > <add verb="*" path="*.pdf" type="FileHandler"/>
    > </httpHandlers>
    > </system.web>
    > <location path="Admin">
    > <system.web>
    > <authorization>
    > <allow users="admin"/>
    > <deny users="*"/>
    > </authorization>
    > </system.web>
    > </location>
    > </configuration>
    > I can't find anything that explains this simply and can't remember
    > where I originally looked all this up so thanks for the help.
    >
     
    Dominick Baier [DevelopMentor], Apr 21, 2006
    #2

  3. Chris

    Some Bloke Guest

    Strange. I'm sure it was working at one point. Must have just been the
    setup I had that got it through.

    Thanks for the provider though, it should so be included in the
    framework for basic setups like mine.
    However, I am getting errors about 'WebConfigMembershipProvider' does
    not implement inherited abstract member
    'System.Web.Security.MembershipProvider.GetNumberOfUsersOnline()' etc.,

    Were these MembershipProvider methods not abstract in the Beta or
    something? Why are there no stubs now?
    Surely I don't need to override them all if I'm not going to use the
    functionality?

    I haven't quite got my head around forms authentication vs membership
    and all the providers yet, and how much you need to change.
    Like where does the AuthenticationSuccessEvent get handled?
     
    Some Bloke, Apr 22, 2006
    #3
  4. Hi,

    yeah - i omitted all the other methods - for the login control you only need
    to implement ValidateUser.

    it is not formsauth vs membership - membership is just an abstraction layer
    to check credentials/manage user. The normal formsauth infrastructure is
    still in use.

    the authentication success/failure events are something i used in my code,
    you don't have to do that. just remove those lines.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Strange. I'm sure it was working at one point. Must have just been the
    > setup I had that got it through.
    >
    > Thanks for the provider though, it should so be included in the
    > framework for basic setups like mine.
    > However, I am getting errors about 'WebConfigMembershipProvider' does
    > not implement inherited abstract member
    > 'System.Web.Security.MembershipProvider.GetNumberOfUsersOnline()'
    > etc.,
    > Were these MembershipProvider methods not abstract in the Beta or
    > something? Why are there no stubs now?
    > Surely I don't need to override them all if I'm not going to use the
    > functionality?
    > I haven't quite got my head around forms authentication vs membership
    > and all the providers yet, and how much you need to change.
    > Like where does the AuthenticationSuccessEvent get handled?
     
    Dominick Baier [DevelopMentor], Apr 22, 2006
    #4
  5. Chris

    Chris Guest

    Hi again,

    Me again with my new groups account, not my old one like last time, if
    that confused anyone.

    I didn't think membership was necessarily mutually exclusive to forms
    authentication; it was just how they work together (ValidateUser vs
    FormsAuthentication.Authenticate) that had me confused as I haven't
    really used the built-in forms authentication before either.

    It's all working now though, thanks, but I did get stuck while I had
    anything set in the Authenticate event of the login control, even if
    there's nothing in the handler. Just something to check if anyone else
    gets stuck.

    I also notice some web.config samples in examples have a comma with
    System.Web or App_Code after it in the type attribute, (???? in the
    sample below) but none of them explain the significance of this as it
    seems to work without it. Just a little loose thought I'd like to clean
    up.

    <membership defaultProvider="WebConfigMembershipProvider">
      <providers>
        <add name="WebConfigMembershipProvider"
             type="WebConfigMembershipProvider, ????"/>
      </providers>
    </membership>
     
    Chris, Apr 22, 2006
    #5
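
An added example, not code from the thread, of option a) from reply #2: a Login control Authenticate handler that checks the <credentials> section itself. It also shows why an empty handler blocks every login, as reported in the post above. The class name Admin_Login and the control ID Login1 are assumptions.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for Admin/Login.aspx (class name and control ID are assumed).
// Markup: <asp:Login ID="Login1" runat="server" OnAuthenticate="Login1_Authenticate" />
public partial class Admin_Login : Page
{
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        Login login = (Login)sender;

        // Once the Authenticate event has a handler, the Login control stops calling
        // the membership provider and relies on e.Authenticated, which starts out
        // false. A handler that does nothing therefore rejects every login.
        e.Authenticated = FormsAuthentication.Authenticate(login.UserName, login.Password);

        // On success the Login control issues the forms authentication cookie and
        // redirects; no further code is needed here.
    }
}
```

With a membership provider configured as the default, this handler is not needed and should not be wired up, since it would bypass the provider.
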
  6. Chris

    Chris Guest

    Chris, Apr 23, 2006
    #6