First off, I'd like to note what a great resource this site is. I've enjoyed browsing through it during my endeavors of getting a handle on ASP2.0
That being said, I'm working on setting up Forms Authentication on my site. I'm a bit confused though. Here's my setup:
I have certain parts of this site I'd like to have open to the public, no authentication necessary. The option to login is always going to be in my Master page as a custom form I created that authenticates with a sql database (this is functional). As of right now authentication just redirects to a specified page (with a master page that has login info such as the username and last login date).
If I'm right, every page in the project, when loaded, looks for the authentication cookie (provided if user is authenticated) and if it doesn't find it it redirects to the LoginURL specified in the web.config. If it finds it then it lets the user view the page, right? My question is how do I set the pages to look for the cookie programmatically? I only want certain pages to do this because many will be open to anonymous users. I've noticed the FormsAuthentication class but I'm not sure how it ties in with forms authentication setup in the web.config (which I haven't configured yet)
Thanks a lot for any help directed my way. I've gotten pretty keen in developing websites with the visual studio series, I've just never gotten my head around securing them and programmatically keeping my grasp on authentication as the user moves through the site.
Forms authentication and Url authorization work together to force logins and protect pages. Out of the box there is a Url authorization rule in the root web.config file (look in the CONFIG subdirectory underneath where the framework is installed):
<authorization>
<allow users="*" />
</authorization>
This rule allows everyone to have access. If you instead put the following into your web.config, then only authenticated users are allowed in:
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Forms authentication gets special handling with these rules because ASP.NET still allows anonymous access to the login page specified in the <forms /> configuration element (which is login.aspx by default).
The net result is that with the modified authorization rules, attempts to access any page in the site other than login.aspx end up with a redirect to login.aspx. Once the user logs in successfully (the login page should check creds and issue a forms auth cookie if the creds are good - this is what the login control does automatically for you), a forms auth cookie now flows back to the server from the browser on every subsequent page hit.
When ASP.NET sees this cookie it validates that the cookie is still good - and if so it sets up a programmatic representation of the user on HttpContext.Current.User (usually accessed on .aspx pages directly from the User property). As a result the authorization rule shown earlier will pass since the user is no longer anonymous.
If you want certain areas of the site always open to the public, and other areas always locked down, you can specify multiple URL authorization rules like this:
<location path="SecuredDirectory">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="PublicDirectory">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
The value of the path attribute can be a directory or a specific page in a directory.
-Stefan
----------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
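The evaluation order behind the rules in the answer above is easy to get wrong, so here is a small model of it as an added example (it is not ASP.NET's source and not code from the thread). It assumes the documented semantics: rules are walked in order and the first rule that matches the requester decides; `?` means anonymous, `*` means everyone; rules from a `<location>` element are consulted before the application-level rules, with a page-level location beating its directory; the framework root config contributes a trailing `<allow users="*"/>`; and the login page is always reachable. The site layout, user names and paths are constructed for the example.

```python
"""Model of ASP.NET URL authorization rule evaluation (added example, not ASP.NET's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ANONYMOUS: Optional[str] = None   # a request carrying no valid forms-auth cookie


@dataclass
class Rule:
    action: str   # "allow" or "deny"
    users: str    # "*" = everyone, "?" = anonymous, otherwise comma-separated user names


# What the framework's root web.config (CONFIG\web.config) contributes at the end.
ROOT_DEFAULT = [Rule("allow", "*")]


@dataclass
class Site:
    login_url: str                                   # <forms loginUrl="...">
    app_rules: List[Rule]                            # <authorization> in the app's web.config
    locations: Dict[str, List[Rule]] = field(default_factory=dict)  # <location path="..."> rules


def matches(rule: Rule, user: Optional[str]) -> bool:
    """Does this rule apply to the requester? User names compare case-insensitively."""
    for name in (n.strip() for n in rule.users.split(",")):
        if name == "*":
            return True
        if name == "?" and user is None:
            return True
        if user is not None and name.lower() == user.lower():
            return True
    return False


def effective_rules(site: Site, path: str) -> List[Rule]:
    """Most specific <location> first, then the app-level rules, then the root default."""
    req = path.strip("/").lower()
    applicable = []
    for loc_path, rules in site.locations.items():
        loc = loc_path.strip("/").lower()
        # A location path covers that exact page/directory and anything beneath it.
        if req == loc or req.startswith(loc + "/"):
            applicable.append((len(loc), rules))
    applicable.sort(key=lambda item: -item[0])   # longer path = more specific = earlier
    merged: List[Rule] = []
    for _, rules in applicable:
        merged.extend(rules)
    return merged + site.app_rules + ROOT_DEFAULT


def is_authorized(site: Site, path: str, user: Optional[str]) -> bool:
    """First matching rule wins; the login page is exempt so anonymous users can sign in."""
    if path.strip("/").lower() == site.login_url.strip("/").lower():
        return True
    for rule in effective_rules(site, path):
        if matches(rule, user):
            return rule.action == "allow"
    return False   # unreachable while ROOT_DEFAULT is present; fail closed anyway


# Constructed site: the thread's config plus a public directory and one admin-only page.
SITE = Site(
    login_url="cooperlogin.aspx",
    app_rules=[Rule("deny", "?"), Rule("allow", "*")],
    locations={
        "PublicDirectory": [Rule("allow", "*")],
        # deny "*" (not "?") so that even authenticated users other than alice are refused
        "SecuredDirectory/admin.aspx": [Rule("allow", "alice"), Rule("deny", "*")],
    },
)

# The ordering trap: allow-everyone listed first matches before deny-anonymous is reached,
# so this config protects nothing even though both rules are present.
MISORDERED = Site(login_url="cooperlogin.aspx",
                  app_rules=[Rule("allow", "*"), Rule("deny", "?")])
```

Note the difference between `<deny users="?"/>` (anonymous only) and `<deny users="*"/>` (everyone not already allowed by an earlier rule): the former is the "must be logged in" rule from the answer, the latter is what you need when a page should be limited to specific users.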
That's great! And it makes sense, but I'm having a weird problem.
I wrote everything to make the application authenticate with sql and update a timestamp to mark the login attempt and success datetime. All this works great. But when I use IE6, I provide my credentials and login and it takes me straight back to the login page, this doesn't happen when I'm debugging the application, it works just as programmed. Which is why I'm confused. Here's my web.config
<!-- I added this SessionState after having problems but I'm not sure if its helping -->
<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="180"/>
<authentication mode="Forms">
<forms name="CooperWebCookie" defaultUrl="Cooper.aspx" loginUrl="cooperlogin.aspx" protection="All" timeout="180" path="/"></forms>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
And here is my VB Code:
' The Validate class is what I wrote to verify the credentials against a SQL DB
If Validate.ValidateUser(txtUsername.Text, txtPassword.Text) = True Then
FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, False)
Response.Redirect(FormsAuthentication.DefaultUrl)
Else
Response.Redirect("cooperlogin.aspx?Auth=1")
End If
I cannot figure out why this only works when I'm debugging. When I run the web app in IE6 it redirects to the defaultUrl after I provide my credentials, but it still seems to authenticate because it runs the Validate.ValidateUser function... Please help! Thank you again!!
Try removing the Response.Redirect from the code branch for successful login. When you call RedirectFromLoginPage ASP.NET will issue a cookie and then automatically redirect you to either the page you were originally trying to access, or if you hit the login page directly it will navigate you to the page indicated by the "defaultUrl" attribute in config (Cooper.aspx in your case).
One other thing to check is make sure the issued cookie is actually reaching the browser. You can turn on privacy options in IE to always prompt for cookies. Then use a fully qualified domain name to access your site (or for simplicity if this is localhost use http://127.0.0.1/cooperlogin.aspx ). This will cause IE to prompt you to accept the forms auth cookie. If things are working properly you should get prompted to accept the forms auth cookie.
-Stefan
----------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
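The round trip the two answers describe (login page validates credentials, issues a ticket cookie, redirects once; every later request is accepted only if that cookie comes back intact) can be replayed offline. The following is an added example, not code from the thread and not ASP.NET's implementation: the cookie name, loginUrl and defaultUrl are taken from the poster's web.config, the HMAC-signed ticket stands in for the `protection="All"` ticket ASP.NET would produce under its machineKey, and the credential table replaces the poster's `Validate.ValidateUser` SQL lookup. The `browser_session` function reproduces the symptom from the question: when the browser does not keep the cookie (as IE's privacy settings can cause), the very next page request is bounced straight back to the login page.

```python
"""Model of the forms-auth login/cookie round trip (added example, not ASP.NET's code)."""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple
from urllib.parse import quote, urlsplit

COOKIE_NAME = "CooperWebCookie"     # <forms name="...">
LOGIN_URL = "cooperlogin.aspx"       # <forms loginUrl="...">
DEFAULT_URL = "Cooper.aspx"          # <forms defaultUrl="...">
TIMEOUT_MIN = 180                    # <forms timeout="...">
MACHINE_KEY = b"constructed-stand-in-for-machineKey"   # assumption, not a real key

# Constructed credential store standing in for the SQL-backed Validate.ValidateUser.
USERS = {"alice": "correct horse battery"}


def validate_user(username: str, password: str) -> bool:
    return hmac.compare_digest(USERS.get(username, "").encode(), password.encode())


def make_ticket(username: str, now: Optional[float] = None) -> str:
    """Ticket = name|expiry|HMAC, the signed part of what SetAuthCookie would store."""
    base = time.time() if now is None else now
    payload = f"{username}|{int(base + TIMEOUT_MIN * 60)}"
    sig = hmac.new(MACHINE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def user_from_ticket(ticket: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """The 'is the cookie still good' check: intact signature and not expired, else None."""
    try:
        username, expires, sig = ticket.split("|")
    except (AttributeError, ValueError):
        return None
    payload = f"{username}|{expires}"
    expected = hmac.new(MACHINE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    if int(expires) < (time.time() if now is None else now):
        return None
    return username


def safe_return_url(return_url: Optional[str]) -> str:
    """Only honour an app-relative ReturnUrl; absolute/protocol-relative URLs fall back."""
    if not return_url:
        return DEFAULT_URL
    parts = urlsplit(return_url)
    if parts.scheme or parts.netloc or return_url.startswith(("//", "\\")):
        return DEFAULT_URL
    return return_url


def redirect_from_login_page(username: str, password: str,
                             return_url: Optional[str] = None) -> Dict[str, object]:
    """Success branch: issue the cookie and ONE redirect (no second Response.Redirect)."""
    if not validate_user(username, password):
        return {"status": 302, "location": f"{LOGIN_URL}?Auth=1", "set_cookie": None}
    return {"status": 302, "location": safe_return_url(return_url),
            "set_cookie": (COOKIE_NAME, make_ticket(username))}


def handle_page(path: str, cookies: Dict[str, str]) -> Dict[str, object]:
    """Any page under <deny users="?"/>: valid ticket -> 200, otherwise bounce to login."""
    if path.lower() == LOGIN_URL.lower():
        return {"status": 200, "location": path}
    user = user_from_ticket(cookies.get(COOKIE_NAME))
    if user is None:
        return {"status": 302,
                "location": f"{LOGIN_URL}?ReturnUrl={quote('/' + path, safe='')}"}
    return {"status": 200, "location": path, "user": user}


def browser_session(accept_cookies: bool) -> Tuple[int, str]:
    """Log in, follow the redirect, report where the browser lands."""
    jar: Dict[str, str] = {}
    r = redirect_from_login_page("alice", "correct horse battery")
    if r["set_cookie"] and accept_cookies:
        name, value = r["set_cookie"]
        jar[name] = value
    r2 = handle_page(r["location"], jar)
    return r2["status"], r2["location"]
```

`browser_session(True)` lands on Cooper.aspx; `browser_session(False)` is the poster's symptom, a 302 back to cooperlogin.aspx with a ReturnUrl, even though the credentials validated. The `safe_return_url` check is a caveat worth carrying into any login page: a ReturnUrl that is honoured blindly turns the login page into an open redirect.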