Forms Authentication to specific folders

Michael Tissington

I have a web application that is using Forms Authentication (with
users/passwords stored in a database) and for the most part it is working.

I have a web page with links on it to files of different types (exe, zip,
pdf)

When the user clicks on one of these links I'd like them to have to log on
and then they can download the file (or any file in the same folder)

How can I set this up ?

Thanks.
 
MSFT

Hi Michael ,

Thank you for using MSDN Newsgroup. I am Luke and I am reviewing this issue
currently. As I understand, you have an ASP.NET application with form
authentication. When a user requests an ASPX file, he will be redirected to
the logon form first. When a user requests a different file (exe, zip, pdf), you
also need this behavior.

To achieve this, we need to change the virtual folder's configuration so that
ASP.NET also manages requests of these kinds (I use IIS 6.0
as demo):

1. Open IIS Manager in Administrative Tools, browse to the virtual folder,
right click it and select Properties.
2. On the Directory tab, click the button "Configuration..." and you will see the
Application extensions list.
3. Click the Add button and add an application extension for .exe. Set 'Executable'
to C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll; set
'Extension' to .exe; set 'Verbs' to All verbs.
4. Repeat step 3 for .zip and .pdf.
5. Restart your IIS.

Hope this helps,

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Michael Tissington

I have placed an entry in my web.config file and when I click on the link I
now get the login page; however, after entering the name and password, the
redirection back to the exe is not working (it stays on the login page).

What am I missing?
 
MSFT

Hi Michael,

How did you code the Login page? Generally, we only need one simple line of
code after authentication, like:

    FormsAuthentication.RedirectFromLoginPage("", False)

and there is nothing special in the web.config:

    <authentication mode="Forms">
      <forms name=".ASPXFORMSDEMO" loginUrl="logon.aspx"
             protection="All" path="/" timeout="30" />
    </authentication>

    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
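
Added example, not part of the original thread: a web.config that requires a forms login only for one folder instead of the whole application, which is what the original question asks for. The folder name download is an assumption; the forms settings are copied from the reply above, and the rule only covers file types that IIS hands to aspnet_isapi.dll as described in the earlier steps.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXFORMSDEMO" loginUrl="logon.aspx"
             protection="All" path="/" timeout="30" />
    </authentication>

    <!-- Application default: everyone, including anonymous users,
         may request pages outside the protected folder. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- "download" is an assumed folder name, relative to the application
       root. Everything under it requires an authenticated user. -->
  <location path="download">
    <system.web>
      <authorization>
        <!-- "?" means anonymous (not logged in) users. -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- ASP.NET only evaluates these rules for requests it receives.
       A .exe, .zip or .pdf whose extension is not mapped to
       aspnet_isapi.dll is served by IIS directly and bypasses
       the deny rule above. -->
</configuration>
```

After changing the extension mappings, request one of the files in a fresh browser session with no cookies and confirm the response is a redirect to the login page rather than the file itself.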
 
Michael Tissington

Luke,

Strange, very strange this is what I have .... both exe and pdf have the
same problem .... after logon the page does not get redirected.

In the same session, if I then try to go to another page that requires
logon, I go straight to it and am not prompted to logon again - which is
what I would expect. However if I go to the link for the exe or pdf, I'm
still prompted to logon.
 
Michael Tissington

Just as a thought, do I need to set any permissions on the folder itself?
 
MSFT

Hi Michael,

Did you use the persisted cookies? I suggest you create a new ASP.NET
project and only add one logon form and add code as I suggest in my
previous message. Will this help for an exe or pdf file?

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Michael Tissington

Luke,

I have tried this (going back to basics) and I get the same problem.

I'm running Windows 2003.
 
Mike Moore [MSFT]

Hi Michael,

I'm sorry we've been delayed in getting back to you. The ASP.NET process
needs to have read access to the files to be downloaded. This can be set on
the individual files or on the folder. The account that needs read
permissions is typically either the "Network Service" or "ASPNET" account.

We are still researching this issue and will post more information as soon
as we can.

Thank you, Mike
Microsoft, ASP.NET Support Professional

Microsoft highly recommends to all of our customers that they visit the
http://www.microsoft.com/protect site and perform the three straightforward
steps listed to improve your computer’s security.

This posting is provided "AS IS", with no warranties, and confers no rights.


 
Michael Tissington

Mike,

Thanks for the update.

I have added both "NETWORK SERVICES" and the ASP.NET account on the local
machine to the security and given them full access ....

Still get the same problem.

--
Michael Tissington
http://www.oaklodge.com
http://www.tabtag.com
 
MSFT

Hi Michael,

Can you show me the code you used? Including the page you request to an exe
file, the logon page (HTML and code behind) and the web.config. We may find
something in them.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Yan-Hong Huang[MSFT]

Hello Michael,

Thanks very much for your follow up.

Luke is out of office today. I have sent email to him and he will follow up
on this issue after he comes back tomorrow. If you have any more concerns,
please feel free to post here.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 
MSFT

Hi Michael,

I have received your code. After making some changes in it, it works on my
side:

First, we modify some in the web.config:

    <authentication mode="Forms">
      <forms name="TabTagLogin" loginUrl="./login/login.aspx" protection="All"
             path="/" timeout="10" />
    </authentication>
    <identity impersonate="true" />

    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

loginUrl="./login/login.aspx" will force it to use the login in the right sub folder.
With

    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

It will deny anonymous users.

And in the code behind:

    private void LoginButton_Click(object sender, System.EventArgs e)
    {
        //if (Page.IsValid == true)
        //{
        //    string UserID;

        //    User user = new User();

        //    MismatchLabel.Visible = false;

        //    // Check for already logged on
        //    if (loginUserDetails != null)
        //    {
        //        Session["UserDetails"] = null;
        //        loginUserDetails = null;
        //        FormsAuthentication.SignOut();
        //    }

        //    UserID = user.Login(LogonEmailTextBox.Text, LogonPasswordTextBox.Text);
        //    if (UserID != null)
        //    {
        //        Session["UserDetails"] = user.GetUserDetails(UserID);

        // Only this line is left active: issue the ticket and redirect to ReturnUrl.
        FormsAuthentication.RedirectFromLoginPage("*", false);

        //    }
        //    else
        //    {
        //        MismatchLabel.Visible = true;
        //    }
        //}
    }

As you see, I only keep the line
"FormsAuthentication.RedirectFromLoginPage("*", false);". It will always
redirect once the user inputs a name and password. That makes it work with aspx,
exe and zip.

Therefore, the problem on your side may be that this line didn't get
executed. The possible reason is (loginUserDetails != null) or (UserID =
null), especially when the request is to an exe or zip file. You need to double
check the logic of your application to make sure of this.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Michael Tissington

Luke,

Using loginUrl="./login/login.aspx" (with the dot) does not work because
sometimes I'll be directed to a login page of the form
/download/installs/login/login.aspx and what is required is
/login/login.aspx (in other words starting from the root). My understanding
is the '.' makes the path relative to the current URL and not the root.

In addition, after commenting out the code I still cannot get past the login
page. I have debugged my code and I correctly execute the line

    FormsAuthentication.RedirectFromLoginPage("*", false);

But I still have the login page redisplayed.
 
MSFT

Hi Michael,

Is it that all requests (including ASPX and EXE) can't pass the login form
or only the EXE file? Where is the EXE or ZIP file, in the root or a virtual
folder? When we enter the login form, the address line of IE will be like:

http://localhost/webapplicationtest/login/login.aspx?ReturnUrl=/webapplicationtest%2fcodesamples.zip

Did it have the same URL string after you clicked the Login button and were redirected to
the login form again?

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Michael Tissington

Luke,

Yes, after clicking Login, the login page is just displayed again and the URL
has not changed.
 
