RC #1
Stupid Forms Auth Question
I'm new... please be gentle...
I've built a login form for a very simple website using C#/ASP.NET.
Security isn't that big of a deal, so I'm storing my passwords in clear
text in web.config. Here's my web.config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" debug="true" />
    <authentication mode="Forms">
      <forms name="testcookie" loginUrl="/default.aspx">
        <credentials passwordFormat="Clear">
          <user name="username" password="password"/>
        </credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>
And here's the problem - I can bypass the login screen and get to other
pages that should be protected. For example, when the credentials are
validated, the user is redirected to members.aspx (in the same
directory). But right now, I can access members.aspx without ever
logging in.
Is the cookie not being created? Is a session not being created? How
do I set up protected vs. non-protected pages (I don't want it to be
either/or - I would like some pages open to everyone and others open
only to a select few)? I'm so anxious to get off the ground, and I was
wondering if you could spare a minute to help?
RC Guest
-
Svein Terje Gaup #2
Re: Stupid Forms Auth Question
You seem to have forgotten to put in the "authorization" section of the
web.config file.
It should look somewhat like this:
<authorization>
<deny users="?" />
</authorization>
Take a look at this article for a nice QuickStart:
http://samples.gotdotnet.com/quickstart/aspplus/doc/formsauth.aspx
Sincerely
Svein Terje Gaup
"RC" <nainlbb@yahoo.com> wrote in message
news:110igh6hu3bt6f8@corp.supernews.com...
> I'm new... please be gentle...
>
> I've built a login form for a very simple website using C#/ASP.NET.
> Security isn't that big of a deal, so I'm storing my passwords in clear
> text in web.config. Here's my web.config:
>
> <?xml version="1.0" encoding="utf-8" ?>
> <configuration>
> <system.web>
> <compilation defaultLanguage="c#" debug="true" />
> <authentication mode="Forms">
> <forms name="testcookie" loginUrl="/default.aspx">
> <credentials passwordFormat="Clear">
> <user name="username" password="password"/>
> </credentials>
> </forms>
> </authentication>
> </system.web>
> </configuration>
>
> And here's the problem - I can bypass the login screen and get to other
> pages that should be protected. For example, when the credentials are
> validated, the user is redirected to members.aspx (in the same directory).
> But right now, I can access members.aspx without ever logging in.
>
> Is the cookie not being created? Is a session not being created? How do
> I set up protected vs. non-protected pages (I don't want it to be
> either/or - I would like some pages open to everyone and others open only
> to a select few)? I'm so anxious to get off the ground, and I was
> wondering if you could spare a minute to help?
Svein Terje Gaup Guest
-
RC #3
Re: Stupid Forms Auth Question
Thanks for the help. That did the trick.
I guess if I could differentiate protected/non-protected content by
using a separate folder with a separate web.config file. Feasible? Is
there a better way?
I'm fixing to read the link you sent me. Thank you.
> You seem to have forgotten to put in the "authorization" section of the
> web.config file.
>
> It should look somewhat like this:
> <authorization>
> <deny users="?" />
> </authorization>
>
> Take a look at this article for a nice QuickStart:
> http://samples.gotdotnet.com/quickstart/aspplus/doc/formsauth.aspx
RC Guest
-
Andy G #4
Re: Stupid Forms Auth Question
This is what to do to unprotect one specific page or directory....I inserted
how to do this inside what you posted earlier. You use the <location> tag.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" debug="true" />
    <authentication mode="Forms">
      <forms name="testcookie" loginUrl="/default.aspx">
        <credentials passwordFormat="Clear">
          <user name="username" password="password"/>
        </credentials>
      </forms>
    </authentication>
    <!-- Deny anonymous users site-wide (the rule from reply #2);
         without it there is nothing for the location below to open up. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <!-- Exception: this one page is open to everyone. -->
  <location path="Project1/unprotect.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
"RC" <nainlbb@yahoo.com> wrote in message
news:110iin34jruese4@corp.supernews.com...
> Thanks for the help. That did the trick.
>
> I guess if I could differentiate protected/non-protected content by
> using a separate folder with a separate web.config file. Feasible? Is
> there a better way?
>
> I'm fixing to read the link you sent me. Thank you.
> > You seem to have forgotten to put in the "authorization" section of the
> > web.config file.
> >
> > It should look somewhat like this:
> > <authorization>
> > <deny users="?" />
> > </authorization>
> >
> > Take a look at this article for a nice QuickStart:
> > http://samples.gotdotnet.com/quickstart/aspplus/doc/formsauth.aspx
Andy G Guest
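Added example (not part of the thread and not any poster's own config): a single web.config that combines the deny rule from reply #2 with the <location> approach from reply #4, giving a public page, login-only pages and a folder limited to one named user. The page name public.aspx, the folder name admin and the second account otheruser are assumptions made up for illustration; the same <authorization> block can instead be placed in a web.config inside the folder, which is the approach asked about in post #3.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" debug="true" />
    <authentication mode="Forms">
      <forms name="testcookie" loginUrl="/default.aspx">
        <!-- Credentials block as posted in the thread, plus one
             constructed second account ("otheruser") for illustration. -->
        <credentials passwordFormat="Clear">
          <user name="username" password="password" />
          <user name="otheruser" password="password2" />
        </credentials>
      </forms>
    </authentication>
    <!-- Site-wide default: "?" means anonymous (not logged in) users.
         Rules are checked top to bottom and the first match wins; if
         nothing matches, the inherited default allows everyone, which
         is why the original config protected nothing. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Open to everyone: "*" matches all users, anonymous included.
       public.aspx is a hypothetical page name. -->
  <location path="public.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Open only to a select few: allow the named account first, then
       deny everyone else. "admin" is a hypothetical folder name. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow users="username" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

To check the rules, log in as otheruser: members.aspx should load, while any page under admin/ should send the browser back to the login page.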


