Laurie Dvorak #1
Form Authentication - Roles - Always returns to login screen
I'm using forms authentication and I want to limit access to certain
directories only to users with certain roles. I have the following code
(simplified to isolate problem):
Web.config (main directory)
    <authentication mode="Forms">
        <forms name="WhsWebAuth" loginUrl="~/login.aspx" protection="None"
               timeout="30"/>
    </authentication>
Web.config (directory I want to protect)
    <authorization>
        <allow roles="Admin" />
        <deny users="*" />
    </authorization>
login.aspx.cs
    protected void OnButtonLoginClick(object sender,
        System.Web.UI.ImageClickEventArgs e)
    {
        FormsAuthentication.RedirectFromLoginPage(textBoxUsername.Text, false);
    }
global.asax.cs
    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        if (HttpContext.Current.Request.IsAuthenticated)
        {
            string[] roles = new string[]{"Admin"};
            HttpContext.Current.User = new
                GenericPrincipal(HttpContext.Current.User.Identity, roles);
        }
    }
This works fine on my development machine and I've used it before on another
website. However, I'm working a new website and when I run it on the
client's ISP's server I can never get past the login screen. If I try to
go to a page in the protected directory it brings up the login screen
(fine). I login and then it immediately returns to the login screen. Even
if I try to manually type in the page I'm trying to go to after the login,
it returns me back to the login screen (so it's not just a matter of the
redirect failing). It's as if the roles that are being set in the
global.asax.cs file are being lost somehow.
I'm thinking the problem must lie in how the ISP has the IIS server set up
since this works fine on my machine and has worked on another website.
However since it is an ISP, I cannot look at the server myself and I'm not
sure what would cause this anyways.
Ideas anyone?
Thanks in advance,
Laurie
Laurie Dvorak Guest
Brock Allen #2
Re: Form Authentication - Roles - Always returns to login screen
In your login page (for diagnostic reasons) print out the User.Identity.Name
and User.IsInRole("Admin"). Typically when you login and then are redirected
back to the login page, you are still logged in, it's just that security
for that page disallowed access. So, print out that diagnostic info to see
if you're really losing the auth info.
-Brock
DevelopMentor
http://staff.develop.com/ballen
> I'm using forms authentication and I want to limit access to certain
> directories only to users with certain roles. I have the following
> code (simplified to isolate problem):
>
> Web.config (main directory)
> <authentication mode="Forms">
> <forms name="WhsWebAuth" loginUrl="~/login.aspx" protection="None"
> timeout="30"/>
> </authentication>
>
> Web.config (directory I want to protect)
> <authorization>
> <allow roles="Admin" />
> <deny users="*" />
> </authorization>
> login.aspx.cs
> protected void OnButtonLoginClick(object sender,
> System.Web.UI.ImageClickEventArgs e)
> {
> FormsAuthentication.RedirectFromLoginPage(textBoxUsername.Text,
> false);
> }
> global.asax.cs
> protected void Application_AuthenticateRequest(Object sender,
> EventArgs e)
> {
> if (HttpContext.Current.Request.IsAuthenticated)
> {
> string[] roles = new string[]{"Admin"};
> HttpContext.Current.User = new
> GenericPrincipal(HttpContext.Current.User.Identity, roles);
> }
> }
> This works fine on my development machine and I've used it before on
> another website. However, I'm working a new website and when I run
> it on the client's ISP's server I can never get past the login screen.
> If I try to go to a page in the protected directory it brings up the
> login screen (fine). I login and then it immediately returns to the
> login screen. Even if I try to manually type in the page I'm trying
> to go to after the login, it returns me back to the login screen (so
> it's not just a matter of the redirect failing). It's as if the
> roles that are being set in the global.asax.cs file are being lost
> somehow.
>
> I'm thinking the problem must lie in how the ISP has the IIS server
> set up since this works fine on my machine and has worked on another
> website. However since it is an ISP, I cannot look at the server
> myself and I'm not sure what would cause this anyways.
>
> Ideas anyone?
>
> Thanks in advance,
> Laurie
Brock Allen Guest
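The diagnostic suggested in the reply above, written out as an added example (not code from either poster). The class name Login and the control name literalDiag are assumptions, and the check on the forms ticket cookie goes slightly beyond the two values named in the reply.

```csharp
// Added diagnostic example; not code from the thread.
// Assumes login.aspx declares <asp:Literal ID="literalDiag" runat="server" /> (hypothetical name).
using System;
using System.Text;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        StringBuilder sb = new StringBuilder();

        // What the authorization check saw for the request that landed here.
        sb.AppendFormat("IsAuthenticated: {0}\n", Request.IsAuthenticated);
        sb.AppendFormat("Identity.Name: '{0}'\n", User.Identity.Name);
        sb.AppendFormat("Principal type: {0}\n", User.GetType().FullName);
        sb.AppendFormat("IsInRole(\"Admin\"): {0}\n", User.IsInRole("Admin"));
        sb.AppendFormat("ReturnUrl: {0}\n", Request.QueryString["ReturnUrl"]);

        // Did the browser send the forms ticket back, and can the server read it?
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null)
        {
            sb.Append("Ticket cookie: not sent by the browser\n");
        }
        else
        {
            try
            {
                FormsAuthenticationTicket t = FormsAuthentication.Decrypt(cookie.Value);
                if (t == null) sb.Append("Ticket cookie: present but empty\n");
                else sb.AppendFormat("Ticket: name='{0}', expired={1}, path={2}\n",
                    t.Name, t.Expired, t.CookiePath);
            }
            catch (Exception ex)
            {
                sb.AppendFormat("Ticket cookie: present but unreadable ({0})\n", ex.Message);
            }
        }

        // Encode before output: the user name and ReturnUrl are untrusted input.
        literalDiag.Text = "<pre>" + Server.HtmlEncode(sb.ToString()) + "</pre>";
    }
}
```

If IsAuthenticated is True while IsInRole("Admin") is False, the login survived and the role assignment in global.asax.cs is what is missing on that server. Remove the output once the cause is found, since the login page is reachable without authentication.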


