Security :: How To Redirect Page If Authentication Fails
Aug 12, 2010
we would like to redirect the user to a given page if the authentication to our SharePoint site fails (i.e. the standard windows login prompt pops up three times - we are using windows authentication). No matter what option we try it always ends up bringing the user back to a blank page.
We have tried writing a HttpModule (and catch the if Response.StatusCode = 401), which doesn't seem to fire any events if the user is not authenticated. We have tried writing a HttpHandler, but of course we can redirect the user if there is an error code but can't continue onto the desired site if not. We have tried doing the following in the web.config:
I am in the process of designing application in case user authentication if failed i need to redirect to default page (NT Authentication). Is there any way you can redirect the user on IIS if the user is fail go through the NT authenticaiton at IIS level.Options 1 : Always land the user to defalut page and validate there and redirect to site based on the access give the directory level access. I am looking if there any options to let the user to default page in case user access is denied.
I have a logon/register control that is on several pages. Users are logged on with code: - FormsAuthentication.SetAuthCookie(Userid, False) Response.Redirect(Request.Url.AbsoluteUri) ' Round trip is necessary to complete logon
All this was working OK, except that there was a problem with Internet Explorer users: if their browser had the default privacy setting the authorization cookie was rejected. There was no message, but they were not logged on. See [URL] To try to solve this problem I changed to cookieless authentication, but now the logon control doesn't work. The problem is that after cookieless authentication the URL changes from
[URL]
However Request.Url.AbsoluteUri remains http://localhost:3641/TestGDB/login_pages/home2.aspx even after the logon, and so with cookieless authentication the user is not logged on as there is no authentication ticket in the redirect URL.
The problem is "solved" by changing the Redirect statement to Response.Redirect("~/login_pages/home2.aspx") which works perfectly for this particular page, but is obviously wrong when the control is on other pages.
I created a mixed mode authentication mechanism based on a few of the articles that I have read on this topic. It's similar to something like this: [URL]
Basically, there are two web applications. One accepts the Windows Auth and one accepts Forms Auth. The Windows Auth then creates a forms auth ticket and passes control to the Forms auth application. This solution works fine when both applications are housed within the same IIS web site.
Now, order to control the security of this solution we set up multiple IIS web sites on the same machine. Web Site 1 serves external traffic (forms auth) and Web Site 2 serves internal traffic (windows auth).
So the design is that an internal user can hit the site using Windows auth via a internal name (myserver) while the external users use Forms Auth hitting [URL].
All that said, the solution works when the two applications are in the same site. Doesn't work when they are in different sites.
While running an app from the server where it is deployed the website works fine, however when trying to access it from a different machine(placed in same network), using the same credentials, it shows that I am not an authenticated user.
I am trying to implement a simple role based authorization using forms authentication in ASP.net. It works perfectly fine in my local system but fails when I deploy in production (shared hosting). Whenever I try to log in, rather than taking me to the default page in specified directory it throws me back to the login page. I suspect that there is some issues with the configuration but not sure where the problem is. The code is provided below:
Web.config (root):
[Code]....
Web.config (Member directory):
[Code]....
Login.aspx:
[Code]....
Global.asax:
[Code]....
Works fine in local machine but shared hosting is not taking the authenticated user to the pages inside the secured folders. What can be the issue?
Just to describe the scenario. I have a website. This lives on a webserver. On that webserver is an SQL server. The website connects to this database using windows authentication. I have written a windows form application that connects to the SQL Server on the webserver. This application is being run from a location on out intranet. The Winform application use SQL authentication to connect to the database. The SQL Server didn't have mix mode authentication enabled. So I enabled it. The winform application could now connect to the SQL Server.
This is where it starts getting a little strange.
The Website that was already connecting find using integrated authentication starts failing with:
Login failed for user 'NT AUTHORITYNETWORK SERVICE'
When you are enabling mixed mode authentication, you are adding another authentication method, why would the original Windows authentication fail?
sir when any connction or error or exception generated in a page then control will go to where(which section)in the web.config file. i have to create a page when any exception or error or connection fails occurs from that it will redirect to login page so what code i have to write under web.config file pl tell me?
I am using ASP.Net's forms authentication, but do not want the default behavior of redirecting to a login page when a restricted area is accessed. Instead I would like to invoke a javascript JQuery dialog for the login on the current page, preventing the content behind from loading.My only issue is that by default the forms authentication wants to redirect. Is there a handler that I can hook into, or some other option to prevent the redirect?
I am currently having a spot of bother in something im trying to create. I want it so when a user who is in a certain role logs in they are directed to a certain page, and any other normal users are directed to another page.
I think i have this sorted via code but...
-The first time it will work, the 'admin' user will get directed to the appropriate page
-I then log out and log in as a normal user and get directed to the appropriate page
-then when i log out of that users account and back into the admin one i get directed to the normal users page instead.
-additional to this, I tried it on a different machine logging in as the admin user only to be redirected to the normal users page (is my session being stored somewhere?)
Ive traced through the problem and the user name and password being subbmitted are what they should be, yet it skips the true part of my IF statement for being in that role.
Here is my code I am using on the login form:
[Code]....
-When stepping through if seen it work and not work with the same values, I cant understand the logic of its inconsistency
the code i am using for the logout is (this is on my masterpage):
We just switched to VS2010 and seems like the forms authentication is behaving differently.
Our setup is that we have a default page (default.aspx) so that if you link to the root folder of the site, rather than a specific page, you get switched to default.aspx.
In addition, we have a working forms authentication system set up so that if you try to go to any of the pages you get redirected to a login.aspx page.
The login page can either redirect you to the forms authentication default page (default.aspx) or to the requested URL.
I'm not the one that configured this originally, but it looks like we are getting the originally requested URL from the authentication redirect, since Page.Request.Url = "http://.../Login.aspx/ReturnURL=<requestedpage>"
The problem is that this is failing to work when the original url is the root folder. In VS2008, <requestedpage> would be "/rootfolder/default.aspx", whereas now (in VS2010) we're getting "/rootfolder/". In other words, the site redirect used to be happening before the authentication check, and now it seems to be happening afterwards.
This is a problem because when we are checking to see if we need to redirect to something other than the default page, we check to see if the return URL is empty or matches the authentication defaultURL (which is also "default.aspx". If it matches, we go straight to the default page. If it doesn't we do some processing and then do the redirect. The extra processing is producing strange results when the browser is redirected to the rootfolder and therefore to the default page.
For now, I'm able to additionally test for Request + "default.aspx" (which resolved to the authenticaiton defaultURL), but this feels clunky and I can see headaches in the future if we ever need to rename default.aspx.
P.S. It has occurred to me that it's possible that something changed in web.config or another setup file when we did our conversion to VS2010. I can't find it, but that doesn't mean it's not there.
how to redirect to a custom URL on Forms Authentication timeout? The timeout is working but it is only caught when I try to go to a page in my application because each Page_Load method is wrapped in a custom IsLoggedIn method. Here is the settings I have so far in the Web.config.
I've got a site called domain.com and also another product on product.domain.com. The product.domain.com requires authentication to access it. For consistancy in the user experience I have set the login url in the web.config on product.domain.com to be http://domain.com/Login.aspx. This redirection is working ok - and a sample url would be:
The problem is that the RedirectURL does not take into account that the request originally came from product.domain.com so when the authentication is successful the user is not redirected back to product.domain.com
I have come up with a solution for this but would like feedback if possible.
I changed the loginURL in the web.config to http://domain.com/Login.aspx?domain=product.domain.com so the sample url is now:
I then override the LoggedIn event in the membership control and check to see if the domain value pair is specified and if it is I redirect to the domain + ReturnURL.
As I said previously i'd appreciate any comments or other ways to achieve the same result.
I have a web application (intranet based) which uses Windows Authentication. Unfortunately there are public computers that have public logins at some company locations. My web app doesn't support these public logins because I need to know the user workingSo, even though these public users are windows authentication users, my app will fail because I have no user account setup for that particular account. I want to then try Active Directory Authentication.In my Default.aspx.cs I'd have something like this
protected void Page_Load(object sender, EventArgs e) {try userContext = new UserContext(); // If the authenticated user isn't a user in my system then throw an exception } [code]...
In an asp.net mvc website, the site has enable forms authentication. The form login page is located in an area such as:
Area: Area1, Controller: Account, Action: Login
When a user is not yet authenticated and click on a link that requires authentication, the user is redirected to the login page. This does occur and redirect to the login page specify above. However during debug, it was found the area value is not included in the RouteData.Values object. That is, the RouteData.Values object has ONLY the follow value:
Controller: Account Action: Login
In this case, it is presumed that the MVC application by default searches for the appropriate controller and action without consideration for including the area value. On contrast when I direct click on a link that directs to login page, all processing occurs as expected, i.e. the area value is included in the RouteData.Values object. Is there a work around for this?
I have an application that uses ASP.NET Forms Authentication. For the most part, it's working great, but I'm trying to add support for a simple API via an .ashx file. I want the ashx file to have optional authentication (i.e. if you don't supply an Authentication header, then it just works anonymously). But, depending on what you do, I want to require authentication under certain conditions.
I thought it would be a simple matter of responding with status code 401 if the required authentication was not supplied, but it seems like the Forms Authentcation module is intercepting that and responding with a redirect to the login page instead. What I mean is, if my ProcessRequest method looks like this:
[code]....
Then instead of getting a 401 error code on the client, like I expect, I'm actually getting a 302 redirect to the login page.
For nornal HTTP traffic, I can see how that would be useful, but for my API page, I want the 401 to go through unmodified so that the client-side caller can respond to it programmatically instead.
Now is it possible to make the user choose which page to be redirected to prior to login? for example the user chooses from a list the page to login to prior to login then when authenticated be redirected to this page instead of the default.aspx page. is that possible and if so how can this be done?
I am a beginner of asp.net..I currently have a login page with forgot password link button on the bottom of the screen. I am also using forms authentication to prevent an unauthorized user from accessing the other pages. The authentication seems to be working fine except for one thing. It prevents the user from accessing the password recovery page once the user click on the link button. How do I allow all users access to the login/password pages and also prevent them from viewing the other pages if they are not authenticated?The code below is to prevent from other anonymous view other pages without access. But i got no idea on how to allow them to access password recovery page...
<authentication mode="Forms"> <forms loginUrl="/Presentation/Display/Login.aspx" name=".ASPNETAUTH" protection="All" path="/" timeout="120" cookieless="UseDeviceProfile" slidingExpiration="true"/> </authentication> <!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. --> <authorization> <deny users="?"/> </authorization>
I am having problems getting the security.aspx to load up on my primary development computer which is using Windows 7 Ultimate and Windows IE 8. Clicking on the ASP.NET Configuration icon from the IDE in the Solution Explorer within Visual Web Developer 2008 Express Edition loads up default.aspx with no problem. But when I click on the "Security" hyperlink to access "security.aspx" I get a message along the lines of "The configured SQL data source provider is not properly configured". It goes on to state a list of potential reasons for this problem. One that includes not having the proper credentials or permissions. Im almost 100% sure it has something to do with permissions because I can't even get to the "security.aspx" page from opening a new empty project. I have recently installed Visual Web Developer 2008 Express Edition on my laptop which is running Vista with all latest updates and this issue does "not" exists. I can click the "ASP.NET" icon, load up "default.aspx" and click "Security" and it loads the page with absolutely no issues.
I have discovered a weird workaround but I don't like having to do this. If I add the following lines to my "web.config" file from any given project I can get to the "security.aspx" page without getting any SQL messages about improper configuration or permissions.
Basically, what I have to do to get to the security page to load without error is add a remove statement and then I just cut'n'paste almost the exact same connectionString from machine.config in the Microsoft.netFrameWorkV2.0.5027config directory. This does away with the "Improperly configured SQL datasource message" and gets me a new error message along the lines of "Could not create a SQL instance". My memory is fuzzy on exact error messages since Im not at development computer right now. However, when I change the User Instance attribute from true to false, then I have success at last.
We have a system in production, part of which is now failing. The failing part worked as follows:A user would upload a document, the type could be word, excel (1997 - 2007 format) or pdf. Then they would create an email in our application. The email would have a link to an aspx page which when visited, would parse the query string to find the readers information in the database, update a record to indicate that they clicked the link to read the document, then do a response.redirect to the document.
In my asp.net webforms application I am using plain and simple forms authentication hooked up into my database (with the standard membership provider). Everything works well, I can log in , log out, get roles, etc...However, after deploying my site to the intranet IIS server I noticed that IE cannot be authenticated. The actual authentication process for logging in works (as it does tell you when your password/username is wrong) but after authentication completes it claims you aren't logged in.
This is only on my deployed IIS environment as locally while in my VS environment everything works just fine in IE. While in the deployed IIS chrome and Firefox work just fine.The only thing I can tell is it looks like IE isn't getting or saving the authentication cookie. This is not IE setting related as I have my IE8 set to accept all cookies, and I tested on a coworker's IE8 machine and another's IE7 with the same results. My web.config is using the following settings:
Edit: I have been forced to fix this issue now, since my webserver is not working well with URL authentication.I have used fiddler and figured out that IIS7 is not sending any cookies to me when I am in IE. No cookies are in the headers. The cookies are correctly in the headers when serving the site to Mozilla and Chrome browsers though. I am at a loss as to why.....
Edit2: As a side note, when I log into the web server directly, if I go to Http://localhost/ IIS sends IE the cookies fine, but if I go to http://qa_build/ (that's the computer name for the server) IIS won't send the cookies to IE.
When user right click on the link and select open in new tab (or) open in new window then i need to redirect him to login page in the new tab or new window.
I have my website in which there are free links and links that require login. Free links open even if the user is not logged in. But in case of links that require login, redirect to login.aspx specified in Web.Config in loginURL tag.
I want some way to override this and show Ajax modal popup (Ajax extender toolkit) with login control for only thos links that require login (not for the free links).
