newbie -- forms authentication

Discussion in 'ASP .Net' started by Dan, Feb 17, 2005.

  1. Dan

    Dan Guest

    Hello, I'm experimenting with VS2003 and ASP.NET and I have an issue with
    forms authentication: I have created a VS solution and added to it a new web
    application project; then I added some dummy pages to the project. Now I'd
    like to protect an administrative section of this dummy website, so I
    created a new folder named "admin" in my webapp project (in VS2003,
    right-clicking the project and selecting Add/New Folder). I have then placed
    in this folder (adding new items to the VS project):

    1) a login web form (login.aspx).
    2) a dummy HTML page hyperlinked by some root (unrestricted-access) pages.
    3) a Web.config file to override the default (root) settings, with the
    following code:

    <system.web>
      <authentication mode="Forms">
        <forms name=".ASPXAUTH" path="/" loginUrl="login.aspx" protection="All"
               timeout="30">
          <credentials passwordFormat="Clear">
            <user name="Mickey" password="Mouse"/>
          </credentials>
        </forms>
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>

    Now when I click the hyperlink to the protected (i.e. under path admin/)
    HTML page, the login form is NOT invoked and I can access the page as if it
    had no protection. What am I doing wrong?

    Thanks guys...
     
    Dan, Feb 17, 2005
    #1

  2. We actually tried your code and it works fine. Maybe if it helps, here's the
    content of our test web.config file.

    Kind regards,
    Nikander & Margriet Bruggeman

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>

      <system.web>

        <!-- DYNAMIC DEBUG COMPILATION
             Set compilation debug="true" to enable ASPX debugging. Otherwise, setting this value to
             false will improve runtime performance of this application.
             Set compilation debug="true" to insert debugging symbols (.pdb information)
             into the compiled page. Because this creates a larger file that executes
             more slowly, you should set this value to true only when debugging and to
             false at all other times. For more information, refer to the documentation about
             debugging ASP.NET files.
        -->
        <compilation
          defaultLanguage="c#"
          debug="true"
        />

        <!-- CUSTOM ERROR MESSAGES
             Set customErrors mode="On" or "RemoteOnly" to enable custom error messages, "Off" to disable.
             Add <error> tags for each of the errors you want to handle.

             "On" Always display custom (friendly) messages.
             "Off" Always display detailed ASP.NET error information.
             "RemoteOnly" Display custom (friendly) messages only to users not running
             on the local Web server. This setting is recommended for security purposes, so
             that you do not display application detail information to remote clients.
        -->
        <customErrors
          mode="RemoteOnly"
        />

        <!-- AUTHENTICATION
             This section sets the authentication policies of the application. Possible modes are "Windows",
             "Forms", "Passport" and "None"

             "None" No authentication is performed.
             "Windows" IIS performs authentication (Basic, Digest, or Integrated Windows) according to
             its settings for the application. Anonymous access must be disabled in IIS.
             "Forms" You provide a custom form (Web page) for users to enter their credentials, and then
             you authenticate them in your application. A user credential token is stored in a cookie.
             "Passport" Authentication is performed via a centralized authentication service provided
             by Microsoft that offers a single logon and core profile services for member sites.
        -->
        <!--authentication mode="Windows" /-->

        <authentication mode="Forms">
          <forms name=".ASPXAUTH" path="/" loginUrl="login.aspx" protection="All"
                 timeout="30">
            <credentials passwordFormat="Clear">
              <user name="Mickey" password="Mouse"/>
            </credentials>
          </forms>
        </authentication>


        <!-- AUTHORIZATION
             This section sets the authorization policies of the application. You can allow or deny access
             to application resources by user or role. Wildcards: "*" mean everyone, "?" means anonymous
             (unauthenticated) users.
        -->

        <authorization>
          <deny users="?" />
          <!-- allow users="*" /--> <!-- Allow all users -->
          <!-- <allow users="[comma separated list of users]"
                      roles="[comma separated list of roles]"/>
               <deny users="[comma separated list of users]"
                     roles="[comma separated list of roles]"/>
          -->
        </authorization>

        <!-- APPLICATION-LEVEL TRACE LOGGING
             Application-level tracing enables trace log output for every page within an application.
             Set trace enabled="true" to enable application trace logging. If pageOutput="true", the
             trace information will be displayed at the bottom of each page. Otherwise, you can view the
             application trace log by browsing the "trace.axd" page from your web application
             root.
        -->
        <trace
          enabled="false"
          requestLimit="10"
          pageOutput="false"
          traceMode="SortByTime"
          localOnly="true"
        />

        <!-- SESSION STATE SETTINGS
             By default ASP.NET uses cookies to identify which requests belong to a particular session.
             If cookies are not available, a session can be tracked by adding a session identifier to the URL.
             To disable cookies, set sessionState cookieless="true".
        -->
        <sessionState
          mode="InProc"
          stateConnectionString="tcpip=127.0.0.1:42424"
          sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
          cookieless="false"
          timeout="20"
        />

        <!-- GLOBALIZATION
             This section sets the globalization settings of the application.
        -->
        <globalization
          requestEncoding="utf-8"
          responseEncoding="utf-8"
        />

      </system.web>

    </configuration>

     
    Nikander & Margriet Bruggeman, Feb 17, 2005
    #2

  3. Patrice

    Patrice Guest

    Is the root folder an IIS application? In this case the web.config file is
    not taken into account...

    Patrice

     
    Patrice, Feb 17, 2005
    #3
  4. Patrice

    Patrice Guest

    I meant that the root needs to be an IIS application to take this config
    file into account...


     
    Patrice, Feb 17, 2005
    #4
  5. Dan,

    Read this article; it should help.
    http://www.theserverside.net/articles/article.tss?l=FormAuthentication

    Andy


     
    Andy Sutorius, Feb 17, 2005
    #5
  6. Dan

    Dan Guest

    Thank you all guys, I tried some fixes but it still does not work... The
    subdirectory "admin" is just a directory of the unique (root) web
    application, but this should do no harm, as suggested by the article pointed
    out by Andy. I tried to follow this article by making the following changes:

    1) remove the web.config file in admin subdir
    2) add forms authentication to the root web.config file, and a <location>
    tag to specify that the admin subdir should be protected, as follows:

    ---> in <configuration> / <system.web> tree of the root config file:

    <authentication mode="Forms">
      <forms name=".ASPXAUTH" path="/" loginUrl="FrmLogin.aspx" protection="All"
             timeout="30">
        <credentials passwordFormat="Clear">
          <user name="Mickey" password="Mouse"/>
        </credentials>
      </forms>
    </authentication>

    <authorization>
      <allow users="*" />
    </authorization>

    <location path="admin">
      <authorization>
        <deny users="?"/>
      </authorization>
    </location>

    Anyway, I still get the same results, i.e. all works fine but no protection
    is active for any file under the admin folder. I can add the whole process
    of creating the sample application here so that someone can try reproducing
    the issue; maybe there is something wrong with my approach, as I have changed
    the VS2003 default location because I need ALL my web app files in my local
    drive folder. Here is how I created the web application (see
    http://www.codeproject.com/useritems/ASPNET_projects.asp):

    1. I create my project folder in my local drive, e.g. C:\MyProject.

    2. I create a folder named "www" inside C:\MyProject (=C:\MyProject\www),
    where all the apps files will be stored.

    3. In IIS I create a new virtual directory making it point to
    C:\MyProject\www.

    4. In VS2003 I create a new Blank Solution and save it in C:\MyProject, so
    that if its name is Dummy its physical folder will be C:\MyProject\Dummy.

    5. In VS2003 I add a New Project to the blank solution, making it point to
    http://localhost/myproject.

    If you then change the root web.config file as specified above and create an
    admin folder, place some page into it and hyperlink it from the root folder
    you should access it with no protection, which is of course wrong. Any idea?
     
    Dan, Feb 17, 2005
    #6
  7. Dan, you can only protect .aspx pages this way, as .html, etc. bypasses the
    whole process. Is your dummy page .aspx?

    Bill

     
    Bill Borg, Feb 17, 2005
    #7
  8. Dan,

    Make sure that your location tag is between the </system.web> and
    </configuration> tags. I have been working on the same scenario as you for
    the past 3 days. Hopefully we can get you up and running today. I see that
    you were missing the <system.web> tag from your location tag. Also make sure
    that you have your login page in the root directory. I think you had the
    rest of it right. No web.config in the admin folder just the files you want
    to protect.

    Take a look at mine, www.sutorius.com/psyche, click one of the hyperlinks
    and type in user1 for the username and password.

    My web.config in the root directory
    <configuration>
      <system.web>
      </system.web>

      <location path="admin" allowOverride="true">
        <system.web>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>

    </configuration>

    Andy

     
    Andy Sutorius, Feb 17, 2005
    #8
  9. Dan

    Dan Guest

    Thank you both guys, I have finally managed to get it to work! The problem was
    in the position of the <location> section in the XML file; frankly I find
    this <system.web> tag a bit confusing in the general doc structure, but now
    I know how to deal with it. Also, I did not know that the protection
    mechanism was limited to aspx pages, anyway I was trying with an aspx one.
    Thanks again to you all and have a nice day!
     
    Dan, Feb 17, 2005
    #9
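
An added example, not code from any poster in this thread: a small Python check, standard library only, that flags the <location> placement problem settled in posts #8 and #9 and also tests whether the section's rules deny anonymous users. The two embedded configs are constructed samples trimmed from the layouts in posts #6 and #8, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples. BROKEN follows the layout of post #6: <location> sits
# inside <system.web> and has no <system.web> wrapper of its own.
BROKEN = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" path="/" loginUrl="FrmLogin.aspx" />
    </authentication>
    <authorization><allow users="*" /></authorization>
    <location path="admin">
      <authorization><deny users="?" /></authorization>
    </location>
  </system.web>
</configuration>"""

# FIXED follows post #8: <location> is a child of <configuration> and wraps
# its own <system.web>.
FIXED = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" path="/" loginUrl="FrmLogin.aspx" />
    </authentication>
    <authorization><allow users="*" /></authorization>
  </system.web>
  <location path="admin">
    <system.web>
      <authorization><deny users="?" /></authorization>
    </system.web>
  </location>
</configuration>"""


def anonymous_denied(authorization):
    """Walk the rules top-down (first match wins) for an anonymous request.

    Simplification: only the users attribute is read; roles and verbs are ignored.
    Returns True (denied), False (allowed) or None (no rule matched here).
    """
    for rule in authorization:
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if users & {"?", "*"} and rule.tag in ("allow", "deny"):
            return rule.tag == "deny"
    return None


def check_locations(config_xml):
    """Return findings about where each <location> sits and what it enforces."""
    root = ET.fromstring(config_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for loc in root.iter("location"):
        path = loc.get("path", "")
        parent = parent_of.get(loc)
        if parent is not root or root.tag != "configuration":
            where = parent.tag if parent is not None else "(document root)"
            findings.append(f"{path}: <location> is under <{where}>, not <configuration>")
        if loc.find("authorization") is not None:
            findings.append(f"{path}: <authorization> is not wrapped in <system.web>")
        wrapped = [a for sw in loc if sw.tag == "system.web"
                   for a in sw if a.tag == "authorization"]
        if not any(anonymous_denied(a) for a in wrapped):
            findings.append(f"{path}: no effective rule denies anonymous users")
    return findings


if __name__ == "__main__":
    for name, xml in (("post #6 layout", BROKEN), ("post #8 layout", FIXED)):
        print(name, check_locations(xml) or "OK")
```
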
  10. Dan wrote:
    > Thank you both guys, I have finally managed to get it work! The problem was
    > in the position of the <location> section in the XML file; frankly I find
    > this <system.web> tag a bit confusing in the general doc structure, but now
    > I know how to deal with it. Also, I did not know that the protection
    > mechanism was limited to aspx pages, anyway I was trying with an aspx one.
    > Thanks again to you all and have a nice day!
    >
    >

    Hello. Regarding Dan's problem, I have nearly the same one. But it's
    not the wrong position in the web.config file. I really don't know the
    solution. Maybe you can help me...

    I have a WebApplication with no subdirectories to secure. On my local
    computer it works fine. I followed the steps of the MSDN (I have not found
    the URL yet, but it works (local)).
    First I created a Webapplication with a few aspx sites. Then I added the
    authentication and authorization tags to my web.config file and I created
    a login.aspx. After compiling the project the browser tries to connect
    to the default.aspx and redirects to the login.aspx (as expected).
    That's the local computer (running WinXP Pro, Visual Studio 2002,
    .NET-Framework (1.1 ?), IIS).

    For another project I have to develop a new solution on a (test-)server.
    I did the same steps as described above. And it doesn't work! I asked the
    employees here and a few dotnet-boards, but I can't get any solution
    right now. The server is running with Win2k3 Server, Visual Studio 2003,
    .NET-Framework (1.1), IIS, WSS(!). Maybe there's a possible problem (the
    WSS). We have another server without WSS, where the authentication works
    fine. Do you know what I have to do so that it works on the server with
    WSS too? Or any other solution?

    Thanks!
     
    Dennis Dobslaf, Feb 23, 2005
    #10