Forms authentication credentials fail

[Chris]

Hi,

I have a site with an admin folder that is protected with forms
authentication. I just want 1 admin user to be able to access it but to
use my own user authentication for the rest of the site.

I did have it working using an asp.net 2.0 login control and the
credential specified in the web.config but after going back to working
on the admin parts, it has suddenly started refusing the login.

I set the admin user's password to the result of
FormsAuthentication.HashPasswordForStoringInConfigFile("password","sha1")
and this did work before.

I haven't done anything special with the login control.

I'm sure it's something simple but I can't see why the login fails or
what I did to break it.

Is there a 'proper' way to do this that just as simple? (Without going
into memberships etc.,)

Here's my web.config:
<configuration
xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<appSettings>
<add key="MainDomain" value="http://www.crackthelottery.com"/>
</appSettings>

<snip connection strings.../>

<system.web>

<snip assembly stuff.../>

<!--
The <authentication> section enables configuration
of the security authentication mode used by
ASP.NET to identify an incoming user.
-->
<authentication mode="Forms">
<forms loginUrl="Admin/Login.aspx" protection="All" timeout="30">
<credentials passwordFormat="SHA1">
<user name="admin"
password="5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"/>
</credentials>
</forms>
</authentication>
<anonymousIdentification enabled="true"/>
<profile defaultProvider="SqlProvider">
<providers>
<clear/>
<add name="SqlProvider"
type="System.Web.Profile.SqlProfileProvider"
connectionStringName="LocalSqlServer" applicationName="CrackTheLottery"
description="SqlProfileProvider for CrackTheLottery"/>
</providers>
<properties>
<add name="UserID" allowAnonymous="true" type="System.Int32"/>
</properties>
</profile>
<httpHandlers>
<add verb="*" path="*.zip" type="FileHandler"/>
<add verb="*" path="*.exe" type="FileHandler"/>
<add verb="*" path="*.xml" type="FileHandler"/>
<add verb="*" path="*.pdf" type="FileHandler"/>
</httpHandlers>
</system.web>
<location path="Admin">
<system.web>
<authorization>
<allow users="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>

I can't find anything that explains this simply and can't remember
where I originally looked all this up so thanks for the help.

 

[Dominick Baier [DevelopMentor]]

the login control does not work againt the <credential> section in web.config

you can

a) handle the authenticate event of the login control and call FormsAuthentication.Authenticate
b) use the provider i wrote: http://www.leastprivilege.com/ASPNETMembershipProviderForWebconfig2ndTry.aspx

 

[Some Bloke]

Strange. I'm sure it was working at one point. Must have just been the
setup I had that got it through.

Thanks for the provider though, it should so be included in the
framework for basic setups like mine.
However, I am getting errors about 'WebConfigMembershipProvider' does
not implement inherited abstract member
'System.Web.Security.MembershipProvider.GetNumberOfUsersOnline()' etc.,

Were these MembershipProvider methods not abstract in the Beta or
something? Why are there no stubs now?
Surely I don't need to override them all if I'm not going to use the
functionality?

I haven't quite got my head around forms authentication vs membership
and all the providers yet, and how much you need to change.
Like where does the AuthenticationSuccessEvent get handled?

 

[Dominick Baier [DevelopMentor]]

Hi,

yeah - i omitted all the other methods - for the login control you only need
to implement ValidateUser.

it is not formsauth vs membership - membership is just an abstraction layer
to check credentials/manage user. The normal formsauth infrastructure is
still in use.

the authentication success/failure events are something i used in my code,
you don't have to do that. just remove those lines.

 

[Chris]

Hi again,

Me again with my new groups account, not my old one like last time, if
that confused anyone.

I didn't think membership was necessarily mutually exclusive to forms
authentication it was just how they work together (ValidateUser vs
FormsAuthentication.Authenticate) that had me confused as I haven't
really used the built in forms authentication before either.

It's all working now though, thanks, but I did get stuck while I had
anything set in the Authenticate event of the login control, even if
there's nothing in the handler. Just something to check if anyone else
gets stuck.

I also notice some web.config samples in examples have a comma with
System.Web or App_Code after it in the type attribute, (???? in the
sample below) but none of them explain the significance of this as it
seems to work without it. Just a little loose thought I'd like to clean
up.

<membership defaultProvider="WebConfigMembershipProvider">
<providers>
<add name="WebConfigMembershipProvider"
type="WebConfigMembershipProvider, ????"/>
</providers>
</membership>

 

[Chris]

Actually, now I've read it properly, the article at
http://www.theserverside.net/articles/showarticle.tss?id=CreatingProfileProvider
does explain that the bit after the comma is the assembly containing
the provider.