page vs directory security

Discussion in 'ASP .Net' started by js, Nov 23, 2005.

  1. js

    js Guest

    I am trying to use the form authentication where the configuration
    parameters are specified in web.config in my application root directory
    "/".

    My application has secured pages and public pages scattered in various
    directories, and the start page (main.aspx) is a public page with a logon
    button to control the accessibility of secured pages. When I use the
    following configuration, I get "Server Error in "/" Application".
    How do I set the Web.config so that it will redirect the user to login.aspx
    discretionally when accessing a secured page? Thanks.

    <system.web>
      <compilation defaultLanguage="c#" debug="true" />
      <customErrors mode="Off" />

      <authentication mode="Forms" />
      <authorization>
        <deny users="?" />
      </authorization>
      <forms name=".ASPXCOOKIEDEMO"
             loginUrl="Login.aspx" protection="all" timeout="30" path="/">
      </forms>
      <trace enabled="false" requestLimit="10" pageOutput="false"
             traceMode="SortByTime" localOnly="true" />
      <sessionState cookieless="true" timeout="20" />
    </system.web>
     
    js, Nov 23, 2005
    #1

  2. Hi,

    Use the following config file to redirect a user to Login.aspx:

    <system.web>
    <authentication mode="Forms">
    <forms loginUrl="Login.aspx"/>
    </authentication>
    </system.web>

    Grtz, Wouter van Vugt,
    Trainer Info Support - www.infosupport.com
    www.dive-in-it.nl
     
    Wouter van Vugt, Nov 23, 2005
    #2

  3. js

    js Guest

    Thanks but it doesn't work. I think this configuration is for entire
    site but not for just secured pages.
     
    js, Nov 24, 2005
    #3
  4. js wrote:

    > Thanks but it doesn't work. I think this configuration is for entire
    > site but not for just secured pages.


    Hi JS,

    Sorry to say, it does work. When a user hits a protected page (using
    the authorization element in the web.config), the framework will auto
    redirect to the login page specified, like I said. If you want to secure
    just a directory, add an extra config file to that directory and
    specify the security settings in there.

    Grtz, Wouter
     
    Wouter van Vugt, Nov 24, 2005
    #4
  5. You must be missing something
    IT DOES WORK

    "js" <> wrote in message
    news:...
    > Thanks but it doesn't work. I think this configuration is for entire
    > site but not for just secured pages.
    >
     
    Patrick.O.Ige, Nov 24, 2005
    #5
  6. js

    na Guest

    Ok. It worked that upon hitting my website the request is redirected to
    the Login.aspx, but I only need the visitors to login when they request
    any secured page. After they login, their credentials are persisted
    during the active session, they WON'T see the Login.aspx again. By
    configuring the way you suggested, the first thing user sees is the
    Login.aspx.

    Say, my web site URL is http://www.mywebsite.com which contains
    Main.aspx (the default page, no login required),
    \directory1\Public1.aspx, \directory1\Private2.aspx,
    \directory2\Public3.aspx, \directory2\Private4.aspx. When a user hits
    the URL, they will see the Main.aspx, they should NOT see Login.aspx.
    Neither should they see the Login.aspx when they click the links or
    buttons of Public1.aspx or Public3.aspx. ONLY when they click the links
    or buttons of Private2.aspx or Private4.aspx will they be asked to
    login.

    Hope this explains my situation. Thanks.


    *** Sent via Developersdex http://www.developersdex.com ***
     
    na, Nov 24, 2005
    #6
  7. js

    na Guest

    Well, I figured it out. I just added <location> tags for those pages
    that are public. The following is part of my Web.config setting.

    <system.web>
      <compilation defaultLanguage="c#" debug="true" />
      <customErrors mode="RemoteOnly" />
      <trace enabled="false" requestLimit="10" pageOutput="false"
             traceMode="SortByTime" localOnly="true" />
      <sessionState cookieless="true" timeout="20" />
      <authentication mode="Forms">
        <forms name="my_Authorization"
               loginUrl="Login.aspx"
               protection="All"
               timeout="30"
               path="/"
               requireSSL="false"
               slidingExpiration="false">
          <credentials passwordFormat="SHA1"/>
        </forms>
      </authentication>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>

    <location path="main.aspx">
      <system.web>
        <authorization>
          <allow users="?"/>
        </authorization>
      </system.web>
    </location>

    <location path="directory1/public1.aspx">
      <system.web>
        <authorization>
          <allow users="?"/>
        </authorization>
      </system.web>
    </location>

    <location path="directory2/public3.aspx">
      <system.web>
        <authorization>
          <allow users="?"/>
        </authorization>
      </system.web>
    </location>




     
    na, Nov 28, 2005
    #7
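
Added example (not part of the original thread or any poster's code): a small Python audit that reads the `<authorization>` and `<location>` rules of a Web.config like the one in post #7 and lists which pages an unauthenticated visitor can request. It assumes first-match rule evaluation with `<location>` rules checked ahead of the site-wide ones and an allow-all default; `roles`, `verbs` and the runtime's own handling of the login page are not modelled, and `WEB_CONFIG`, `SITE` and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the authorization parts of the final Web.config above.
WEB_CONFIG = """<configuration>
  <system.web>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <location path="main.aspx">
    <system.web><authorization><allow users="?"/></authorization></system.web>
  </location>
  <location path="directory1/public1.aspx">
    <system.web><authorization><allow users="?"/></authorization></system.web>
  </location>
  <location path="directory2/public3.aspx">
    <system.web><authorization><allow users="?"/></authorization></system.web>
  </location>
</configuration>"""
# Pages named in the thread.
SITE = ["Main.aspx", "directory1/Public1.aspx", "directory1/Private2.aspx",
        "directory2/Public3.aspx", "directory2/Private4.aspx"]

def _rules(node):
    """[(action, [users])] from node's system.web/authorization, in file order."""
    auth = node.find("system.web/authorization")
    if auth is None:
        return []
    return [(r.tag, [u.strip() for u in r.get("users", "").split(",")])
            for r in auth if r.tag in ("allow", "deny")]

def anonymous_allowed(config_xml, url_path):
    """First matching rule wins; <location> rules are checked before the
    site-wide ones, most specific path first."""
    root = ET.fromstring(config_xml)
    target = url_path.strip("/").lower()
    scoped = []
    for loc in root.findall("location"):
        p = loc.get("path", "").strip("/").lower()
        if p in ("", ".") or target == p or target.startswith(p + "/"):
            scoped.append((len(p), _rules(loc)))
    scoped.sort(key=lambda item: -item[0])
    ordered = [rule for _, rules in scoped for rule in rules] + _rules(root)
    for action, users in ordered:
        if "?" in users or "*" in users:   # rule applies to anonymous users
            return action == "allow"
    return True  # nothing matched: the machine-level default is allow users="*"

def anonymous_paths(config_xml, paths):
    """Subset of paths an unauthenticated visitor can request."""
    return [p for p in paths if anonymous_allowed(config_xml, p)]
```

Calling `anonymous_paths(WEB_CONFIG, SITE)` returns only the three public pages, which makes every anonymous exception in a deny-by-default configuration easy to review.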