Trying to understand FormsAuthentication

First off, I'd like to note what a great resource this site is.  I've enjoyed browsing through it during my endeavors of getting a handle on ASP2.0

That being said, I'm working on setting up Forms Authentication on my site.  I'm a bit confused though.  Here's my setup: 

I have certain parts of this site I'd like to have open to the public, no authentication necessary.  The option to login is always going to be in my Master page as a custom form I created that authenticates with a sql database (this is functional).  As of right now authentication just redirects to a specified page (with a master page that has login info such as the username and last login date).

If I'm right, every page in the project, when loaded, looks for the authentication cookie (provided if user is authenticated) and if it doesn't find it it redirects to the LoginURL specified in the web.config.  If it finds it then it lets the user view the page, right?  My question is how do I set the pages to look for the cookie programmatically?  I only want certain pages to do this because many will be open to anonymous users.  I've noticed the FormsAuthentication class but I'm not sure how it ties in with forms authentication setup in the web.config (which I haven't configured yet).

Thanks a lot for any help directed my way.  I've gotten pretty keen in developing websites with the visual studio series, I've just never gotten my head around securing them and programmatically keeping my grasp on authentication as the user moves through the site.
0
drpcken
12/16/2005 4:46:17 PM
asp.net.security


Forms authentication and Url authorization work together to force logins and protect pages.  Out of the box there is a Url authorization rule in the root web.config file (look in the CONFIG subdirectory underneath where the framework is installed):

        <authorization>
            <allow users="*" />
        </authorization>

This rule allows everyone to have access.  If you instead put the following into your web.config, then only authenticated users are allowed in:

        <authorization>
            <deny users="?" />
            <allow users="*" />
        </authorization>

Forms authentication gets special handling with these rules because ASP.NET still allows anonymous access to the login page specified in the <forms /> configuration element (which is login.aspx by default). 

The net result is that with the modified authorization rules, attempts to access any page in the site other than login.aspx end up with a redirect to login.aspx.  Once the user logs in successfully (the login page should check creds and issue a forms auth cookie if the creds are good - this is what the login control does automatically for you), a forms auth cookie now flows back to the server from the browser on every subsequent page hit.

When ASP.NET sees this cookie it validates that the cookie is still good - and if so it sets up a programmatic representation of the user on HttpContext.Current.User (usually accessed on .aspx pages directly from the User property).  As a result the authorization rule shown earlier will pass since the user is no longer anonymous.

If you want certain areas of the site always open to the public, and other areas always locked down, you can specify multiple URL authorization rules like this:

<location path="SecuredDirectory">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

<location path="PublicDirectory">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

The value of the path attribute can be a directory or a specific page in a directory.


-Stefan
----------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
0
sschack
12/16/2005 9:25:26 PM
That's great!  And it makes sense, but I'm having a weird problem.
I wrote everything to make the application authenticate with sql and update a timestamp to mark the login attempt and success datetime.  All this works great.  But when I use IE6, I provide my credentials and login and it takes me straight back to the login page; this doesn't happen when I'm debugging the application, it works just as programmed.  Which is why I'm confused.  Here's my web.config


<!-- I added this SessionState after having problems but I'm not sure if it's helping -->
<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false"  timeout="180"/>

<authentication mode="Forms">
     <forms name="CooperWebCookie" defaultUrl="Cooper.aspx"  loginUrl="cooperlogin.aspx" protection="All" timeout="180" path="/"></forms>
</authentication>
<authorization>
     <deny users="?"/>
     <allow users="*"/>
</authorization>

And here is my VB Code:

            ' The Validate class is what I wrote to verify the credentials against a SQL DB
            If Validate.ValidateUser(txtUsername.Text, txtPassword.Text) = True Then
                FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, False)
                Response.Redirect(FormsAuthentication.DefaultUrl)
            Else
                Response.Redirect("cooperlogin.aspx?Auth=1")
            End If

I cannot figure out why this only works when I'm debugging.  When I run the web app in IE6 it redirects to the defaultUrl after I provide my credentials, but it still seems to authenticate because it runs the Validate.ValidateUser function...  Please help!  Thank you again!!
0
drpcken
12/27/2005 10:15:24 PM

Try removing the Response.Redirect from the code branch for successful login.  When you call RedirectFromLoginPage ASP.NET will issue a cookie and then automatically redirect you to either the page you were originally trying to access, or if you hit the login page directly it will navigate you to the page indicated by the "defaultUrl" attribute in config (Cooper.aspx in your case).

One other thing to check is make sure the issued cookie is actually reaching the browser.  You can turn on privacy options in IE to always prompt for cookies.  Then use a fully qualified domain name to access your site (or for simplicity if this is localhost use http://127.0.0.1/cooperlogin.aspx ).  This will cause IE to prompt you to accept the forms auth cookie.  If things are working properly you should get prompted to accept the forms auth cookie.


-Stefan
----------------------------------------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
0
sschack
1/1/2006 12:11:42 AM
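One way to put the two replies above into code (an added example, not code from the thread): the login handler with the extra Response.Redirect removed, and a page that checks the authenticated user programmatically, which was the original question. Validate.ValidateUser, txtUsername and txtPassword come from the thread; the class, button and label names are assumptions.

```vbnet
' Added example, not code from the thread. Assumes the thread's
' Validate.ValidateUser helper and txtUsername/txtPassword controls, plus a
' <forms loginUrl="cooperlogin.aspx" defaultUrl="Cooper.aspx"> element and
' the <deny users="?"/> rule from the replies. Class and control names
' (CooperLogin, Cooper, btnLogin_Click, lblUser) are assumptions.
Imports System
Imports System.Web
Imports System.Web.Security
Imports System.Web.UI

' Code-behind for cooperlogin.aspx: the corrected success branch.
Partial Class CooperLogin
    Inherits Page

    Protected Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs)
        If Not Validate.ValidateUser(txtUsername.Text, txtPassword.Text) Then
            ' Failed check: bounce back to the login page with a flag it can read.
            Response.Redirect("cooperlogin.aspx?Auth=1")
            Return
        End If

        ' RedirectFromLoginPage issues the forms-auth cookie and performs the
        ' redirect itself: to ReturnUrl if the user was sent here by a
        ' <deny users="?"/> rule, otherwise to defaultUrl. Nothing follows it;
        ' the extra Response.Redirect(FormsAuthentication.DefaultUrl) is gone.
        ' False = session cookie only, no persistent "remember me" cookie.
        FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, False)
    End Sub
End Class

' Code-behind for a page that must be protected even if no URL authorization
' rule covers it: check the principal ASP.NET built from the cookie and, if
' the request is still anonymous, send the user to loginUrl with ReturnUrl set.
Partial Class Cooper
    Inherits Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs)
        If Not User.Identity.IsAuthenticated Then
            FormsAuthentication.RedirectToLoginPage()
            Return
        End If

        ' User.Identity.Name is the name passed to RedirectFromLoginPage;
        ' encode it before writing it into the page.
        lblUser.Text = Server.HtmlEncode(User.Identity.Name)
    End Sub
End Class
```

URL authorization in web.config remains the primary gate; the Page_Load check is a belt-and-braces fallback for pages that must never be served anonymously.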