Security :: Forms Authentication In Web.config / Access To Folder Be Made Via Login Form?
May 28, 2010
i have a problem with forms authentication. i have a website and want to restrict access to an especific folder. i want the access to this folder be made via the login form this is what i have in the web.config
I have a few pages that need to use SSL and I am confused bc I read you should set the forms authentication section in the web.config to use SSL. so if this is the case, the user logs in (login page is using ssl) the forms auth cookie is created and now if i redirect to the non ssl enable home page, does this mean the auth cookie will not be transmitted, so i can't display like a welcome module or know the username of the user who logged in?
I have a web app, which contains a folder Uploads, to which users (authenticated) upload their files (for some reason it has to be a folder in the root of the web app).I want to deny access to this folder and files to all non-authenticated users.
In my web.config I have:
[Code]....
and everything seems to work in development, but on a staging server it redirects non-authenticated users to login page ONLY from aspx pages, but not when entering the url to the file in Uploads folder.
I would like to add form authentication only on Admin folder.
when I add this into Admin/web.config
[Code]....
I'm getting this error:
It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
I have an "Admin" folder in my application that will include pages that I would not like to have anonymous access to. When a user attempts to load a page that resides in this folder, I would like to redirect them to a login page. Here is what I have in my config so far.
How is configure my both web configs to solve my issue. currently i am getting following error
It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
my root web config has default settings and my Admin directory has following settings
I need to put windows authentication on a site (so when a user access the site they are prompted with a username/password box) but I need certain IP addresses to bypass this authentication.
I have developed an Interanet web application using the windows Active directory authentication if user find then it automaticaly authenticated working correctly now my user wants the capability of being able to login to the intranet site as another user by providing the username and Password . For example, Team lead needs to login on other team memeber System to pefrom some task on his behalf if he or she is not aviable in office .
I have created a standard MS Login Page. However when I try to login on the page only by providing the Username system authenitcate the user ( not validating the password of that user)
I have read the many posts of people trying to use two different login pages: one for users and one for admins. My question is very different. I have a Site.master page with a LoginView and LoginControl. I then have three root level pages Default.aspx, About.aspx, and Contact.aspx that derive from the Site.master. All three pages are set in the web.config to be allowed to all users. I then have a MemberPage in a Member folder which is only accessible to authenticated users. What I want to have happen is to be able to login from either the Default, About, or Contact pages and then be directed to the MemberPage.
I've encountered a problem with intranet ASP.NET Application using AD Form Authentcation. The login and authorization is built using this KB http://support.microsoft.com/kb/316748. It works fine on DEV but not in UAT and PROD.
Basically, the problem is:1. In DEV, users see login page and they enter domain user name and password and login process happens with no issue.
2. But in PROD and UAT, the same application when the users see the login page (first time) and they submit the login form no response. The login button does nothing. The user closes the browser and come back to login page and it works second time. Strange, this doesn't happen in DEV.
3. Further, on DEV by changing the LDAP path to PROD or UAT, the users can still login the first time. It's only the PROd and UAT that seems to be a problem. Not sure whether it's IIS setting or domain policy or something else.....
Not sure what's causing this issue. The only difference that I can see between DEV and UAT/PROD is:
1. DEV has no load balance but UAT and PROD has.
2. In DEV application is installed under Default Website and on PROD/UAT it's under new website.
The IIS settings has been setup as per given KB. I
I have a problem in my asp application. In my application I have an own authentication mechanism so in the web.config file I have <authentication mode="None"/>
Inside the application users can upload files to the folder I've created (App_Files). I would like to give access to the folder only once they are logged in (Session["Login"] is no null).
I dont want not logged in users to be able to access the files over a url address in the browser (like http://<server>/App_Files/Filename.pdf)
I have created a web application which has two section user and admin. Admin files are within ~/admin folder and user files are in ~/User folder. Admin and user has two different login page within respective directory.
Now I want two apply form authentication for admin and user section. Is it possible to apply form authentication for two different section in a web application?
I set up a secured folder in my website. When I access this folder via web page, it pop up a windows login form to ask for user name and password. I would like to code the asp.net page or java script to access this secured folder with username and password without pop up the login form. find the method for asp.net page accessing the secured folder automatically.
I've set up a system with forms based authentication and using the asp:Login control. When I put in an invalid password I get the approriate invalid password message. However when I put in a valid password, it does nothing...just returns to the login page again. I'm triple checked the login info. There is no error message, and the invalid attempts counter doesn't increment. When I put a break point in the Login_LoggedIn event of the Login form, it hits it, but User.Identity.IsAuthenticated is false. I'm not 100% sure it should be true at this point, as I'm pretty new to .NET but it seems kind of odd.
My user database is stored in a sqlserver 2005 db that already existed. I've added a new connection for it.In the authorization I have
I have a login ascx module that needs to handle logged in users.
I am solving this by enabling Session("IdUser") to take Id_User from my database if login and password are correct.
Ok, this works rather OK, but I am using the same button for login and logout, so when I login user I need manualy to reload the page before handler me.load have new values for current session, does anybody know how I can solve this isue.
we host a database for several users. We allow the users to host the login form on their own server. The form calls an ASP page that we host, which executes a stored procedure to authenticate the user.
We are in the process of moving to ASP.net. The "Forms" authentication method appears to only work if the login page is hosted locally. Is there a way to use Forms Authentication & allow the login form itself to be on a different server. I'm looking for a tutorial somewhere that will get me pointed in the right direction
I am required to control access to a specific file on our server. I suggested, for the time being (rather than affording time for other routes until we can), that we simply use the web.config to lock this file down to everyone by means of a location/system.web/authorization setting.
This soon failed to protect the resource and I quickly became aware why (I think). It is a public site and is not using Forms authentication (currently just defaulting to Windows).
So, for clarity, here are the relevant parts the config file...
Can I secure this resource without turning on Forms authentication? Or can I turn authentication on but never actually require authentication to occur, by allowing all resources but the ones explicitly stated, or by explicitly stating all allowed and denied resources?
I am trying to implement forms authentication in my application. It has a folder named User and an .aspx Page named Welcome.aspx. I am trying to restrict Access to this page by directly typing address in the browser. For this I have done following setting in web.config:
It works fine for the first time and redirects to Login page when I type the URL directly in browser. But when I press back button in browser and again try to redirect, this time it redirects to Welcome.aspx. How can I avoid such a situation (Don;t want to disable back button). Also If i try to Set Location Path="User", it gices error i.e. I am not able to set folder level security
I am trying to use HTTPWebRequest to login to a site and then retrieve the page after login. However, it seems as if I can't get past the login. I also investigated with Fiddler and tried mimicking Fiddler almost completely and still no luck.
I have a problem with using login controls form authentication ! as my website serves some pages for guest users(Anonymous user) and some pages are for only secure user(they must have to login for those requested pages)...... my problem is this that when i apply form authentication in web.config file to login control then visual studio directly shows only login page where i want that in general case only : guest user pages must be shown and if user clicks on login then after login the requested page he may open !
how can i specify two different login pages in root web.config file since i need to have authentication for two folders.for securing My Account module i did like this in the root folder i need to have it for another folder called EBox also.
