Forms Authentication doesn't protect specified pages.

Discussion in 'ASP .Net Security' started by Steve R., Jun 19, 2004.

  1. Steve R.

    Steve R. Guest

    This is driving me nuts:

    I've used this same exact setup (web.config, see below) before without
    any problems... the authentication does not stop at the logon page AT
    ALL. I've put breakpoints in it to be sure, plus, there's no code at
    all in my Load event handler for the Logon page.

    It seems to work as predicted if I try to access the app from a
    workstation that I haven't tried to access from. I just tested one
    more time and it worked 3 times in a row and I couldn't break it, but
    on the dev server itself, it always falls right through without
    stopping at all on logon.aspx and another workstation accessing the
    app worked a few times and then began to fail.

    I've got another app set up on the very same server where I have never
    encountered that problem before. This is not the first time I've
    implemented Forms Authentication.

    I cannot figure out what gives here. Where should I start to look? The
    web config setup was copied and pasted directly from the working app
    to the app under development on the same dev server.

    Any help would be very gratefully received.

    Here's the relevant portions of my web.config:

    <system.web>
      <!-- enable Forms authentication -->
      <authentication mode="Forms">
        <forms name="AHDAuth" loginUrl="logon.aspx"
               protection="All" path="/" />
      </authentication>
      <!-- enable custom errors for the application -->
      <customErrors mode="Off">
      </customErrors>
      <sessionState mode="InProc" cookieless="false" />
      <compilation defaultLanguage="vb" debug="true" />
    </system.web>
    <!-- set secure paths -->

    <location path="Quote.aspx">
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </location>
    <location path="SupplierInfoEdit.aspx">
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </location>
    Steve R., Jun 19, 2004
    #1

  2. Steve R.

    ranganh Guest

    Dear Steve,

    In your Login page, have you enabled persistent cookies? i.e.

    FormsAuthentication.RedirectFromLoginPage("Username", true)

    If you give the boolean (persistent cookie) as true, then the cookie will be stored on
    the machine and it will not ask for login until you explicitly log out.

    That might be causing your authentication not to work.

    If that is not the case, write back.

    Thanks.

    ranganh, Jun 19, 2004
    #2

  3. Steve R.

    Steve R. Guest

    I considered that. I looked for the cookie in the cookies folder on
    the affected systems and did not find it. I haven't ruled it out,
    though. I did have it set to True and then changed it, but if a cookie
    had already been sent to one of the systems in question, I guess
    changing the code wouldn't affect a cookie that was already there,
    would it? What changes how long it lasts on the client system? I've
    never encountered that property.

    It is always after a successful logon that it starts screwing up.
    Thanks for confirming my suspicions, that really does seem like the
    only reasonable explanation. In your explanation below, wouldn't the
    cookie be named "Username"? I'm wondering if I'm looking in the wrong
    place for it.

    Thanks,

    Steve




    "ranganh" <> wrote in message news:<>...
    > Dear Steve,
    >
    > In your Login page, have you enabled, persistent cookies. i.e.
    >
    > FormsAuthentication.RedirectFromLoginPage("Username", true)
    >
    > if you give the boolean (persistent cookie) as true, then the cookie will be stored in
    > the machine and it will not ask for login until you explicitly log out.
    >
    > That might be causing your authentication not to work.
    >
    > If that is not the case, write back.
    >
    > thanks.
    Steve R., Jun 19, 2004
    #3
  4. Steve R.

    ranganh Guest

    Dear Steve,

    In normal cases, the cookie is stored in the system for 50 years. But I know we can also specify the duration manually for the cookie to be stored in the system.

    In your case, did you check logging out? I mean, you say that the first time it successfully asks for login; once you log in, after performing all the tasks, did you implement a mechanism for signing out? I mean, do you have any log out button which will call the FormsAuthentication.SignOut() method?

    This method will delete the cookie and even persistent cookies.

    If, even after you sign out, it's taking you in automatically, write back; there is some other problem then. We will solve it. Don't worry :)

    Hope it helps.



    ranganh, Jun 21, 2004
    #4
  5. Steve R.

    Steve R. Guest

    That was very helpful. Thanks! I finally deleted all the cookies on
    the dev system because I couldn't find the specific one, and that
    worked. Now that I've changed the persistent cookie property to FALSE,
    I expect the problem is gone. Thanks for keeping me focused on the
    cookie issue.

    Steve




    Steve R., Jun 21, 2004
    #5
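
Added example, not part of the original thread: a VB.NET helper that issues the forms-authentication ticket with an explicit, bounded expiry instead of calling RedirectFromLoginPage(userName, True), plus the matching sign-out. The class name and the 30-minute and 8-hour lifetimes are assumptions; the cookie takes its name from the name attribute of the forms element (AHDAuth in the posted web.config), not from the user name.

```vb
Imports System
Imports System.Web
Imports System.Web.Security

' Added example: hypothetical helper called from the logon and logoff pages.
Public Class AuthCookieHelper

    ' Issue the forms-auth cookie with a bounded lifetime chosen by the
    ' application rather than the framework's persistent-cookie default.
    Public Shared Sub SignIn(ByVal userName As String, ByVal rememberMe As Boolean)
        Dim ctx As HttpContext = HttpContext.Current
        Dim issued As DateTime = DateTime.Now

        ' Assumed policy values: 30 minutes normally, 8 hours when remembered.
        Dim expires As DateTime
        If rememberMe Then
            expires = issued.AddHours(8)
        Else
            expires = issued.AddMinutes(30)
        End If

        ' The expiry is carried inside the encrypted ticket, so the server
        ' rejects it after that time even if the browser still sends the cookie.
        Dim ticket As New FormsAuthenticationTicket(1, userName, issued, expires, _
            rememberMe, String.Empty, FormsAuthentication.FormsCookiePath)

        ' FormsCookieName is the name attribute from web.config.
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
            FormsAuthentication.Encrypt(ticket))
        cookie.Path = FormsAuthentication.FormsCookiePath

        ' Without an Expires date the browser keeps the cookie in memory only
        ' and drops it when it closes; set one only for a remembered login.
        If rememberMe Then cookie.Expires = expires

        ctx.Response.Cookies.Add(cookie)
        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, rememberMe))
    End Sub

    ' Remove the ticket cookie (persistent or not) and return to the logon page.
    Public Shared Sub SignOutAndReturn()
        FormsAuthentication.SignOut()
        HttpContext.Current.Response.Redirect("logon.aspx")
    End Sub
End Class
```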