Mark Teague #1
Forms auth / Location element
Greetings!
I am attempting to secure the root of an IIS virtual directory and an Admin subdirectory separately from one another. At first, I attempted to create an additional Web.Config in the /Admin folder to direct unauthenticated access attempts to URLs within this directory to a different login page. The ASP.Net runtime complained that the <authentication/> element should only be used at the root level (or perhaps it was the <forms/> element).
After returning to the drawing board, I attempted to create two <location/> elements within the root level Web.Config file. The contents of the root Web.Config file are inserted below. There are two <location/> elements. One for the root of the virtual directory and another for the /Admin subdirectory.
Unauthenticated attempts to access root level URLs are properly redirected to /Login.aspx. However, once authenticated to this folder the client may request any URL within the /Admin folder without being subject to the additional authentication/authorization that I would like to enforce upon administrative use.
Is it the case that "Forms" based authentication can only be employed once during a client's session? (i.e. Once they are authenticated, they are authenticated ... period!) And also, that only one form can be established for a particular IIS virtual directory or application? If this is not the case, then any guidance as to what I have configured wrong will be greatly appreciated.
Thanks in advance,
Mark
Contents of Web.Config follow:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <location>
    <system.web>
      <compilation defaultLanguage="vb" debug="true" />
      <customErrors mode="Off" />
      <authentication mode="Forms">
        <forms name=".rootAccessCookie" loginUrl="Login.aspx" protection="All" timeout="30" path="/" />
      </authentication>
      <authorization>
        <deny users="?" /> <!-- Deny all unauthenticated/unauthorized users -->
      </authorization>
      <trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />
      <sessionState
        mode="InProc"
        stateConnectionString="tcpip=127.0.0.1:42424"
        sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
        cookieless="false"
        timeout="20"
      />
      <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    </system.web>
  </location>
  <location path="Admin/">
    <system.web>
      <compilation defaultLanguage="vb" debug="true" />
      <customErrors mode="Off" />
      <authentication mode="Forms">
        <forms name=".adminAccessCookie" loginUrl="Admin/Login.aspx" protection="All" timeout="30" path="Admin/" />
      </authentication>
      <authorization>
        <deny users="?" /> <!-- Deny all unauthenticated/unauthorized users -->
      </authorization>
      <trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />
      <sessionState
        mode="InProc"
        stateConnectionString="tcpip=127.0.0.1:42424"
        sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
        cookieless="false"
        timeout="20"
      />
      <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    </system.web>
  </location>
</configuration>
Mark Teague Guest
Dominick Baier [DevelopMentor] #2
Re: Forms auth / Location element
Hello Mark,
You have so far only used deny="?"; there are also <allow user=".." /> and <allow role=".." />.
To give different users different access rights to your application, you have to couple the users with roles. A common place to do this is in the AuthenticateRequest event in global.asax or an HttpModule...
Your web.config could then look like this:
<location path="Admin/">
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
For an example of how to do it, you can download this sample:
http://www.leastprivilege.com/content/binary/FormsAuthBestPractice.zip
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Dominick Baier [DevelopMentor] Guest
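The role coupling Dominick describes, as an added example that is not part of the thread or of the linked sample: an HttpModule that, in AuthenticateRequest, rebuilds the principal from the forms ticket so that <allow roles="Admin" /> in the Admin/ <location> has something to match. It assumes the roles are written into the ticket's UserData at login (the IssueTicket helper below, called after the credentials have been checked), that <authentication> stays once in the root <system.web> while the Admin/ location carries only <authorization>, and that the module is registered under <httpModules>; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical module name; register it in the root web.config as
// <httpModules><add name="RoleAttach" type="RoleAttachModule" /></httpModules>.
public class RoleAttachModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // FormsAuthenticationModule is registered in machine.config ahead of
        // modules added in web.config, so it has already set Context.User
        // from the cookie when this handler runs.
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
    }

    public void Dispose() { }

    // Called from the login page after the credentials have been validated.
    // The roles go into UserData; with protection="All" the ticket is both
    // encrypted and MAC-protected, so the client cannot edit the role list.
    public static void IssueTicket(HttpResponse response, string userName, string[] roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, string.Join(",", roles));
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        response.Cookies.Add(cookie);
    }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // No valid ticket: leave the request anonymous so that
        // <deny users="?" /> sends it to loginUrl.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;
        FormsIdentity fid = ctx.User.Identity as FormsIdentity;
        if (fid == null)
            return;

        // Replace the role-less principal with one carrying the ticket's roles;
        // a user without "Admin" now hits <deny users="*" /> under Admin/.
        string data = fid.Ticket.UserData;
        string[] roles = data.Length == 0 ? new string[0] : data.Split(',');
        ctx.User = new GenericPrincipal(fid, roles);
    }
}
```

The authorization rules are evaluated top down and the first match wins, so the <allow roles="Admin" /> line must come before <deny users="*" /> in the Admin/ location.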