ASP.NET Application Login Page Denying Forms Access

I have a webapp running for which users have to login. WebConfig:

    <!--Logging in stuff-->
    <authentication mode="Forms">
        <forms loginUrl="login.aspx" timeout="2880"/>
    </authentication>
    <authorization>
        <deny users="?"/>
    </authorization>

      

And in the login.aspx page (name double checked) I have the following logic after validating user credentials with my own database:

    if (checkCredentials.searchCredentials(attemptedName, passwordBox.Text) != null)
    {
        FormsAuthentication.RedirectFromLoginPage(attemptedName, false);
    }

      

I know that the if statement works as it did with the previous method that I used to log in.

However, when I launch the application, the login page immediately opens with a 401.2 error. Help would be greatly appreciated :)

+1




2 answers


I am posting another answer as it addresses the typical problem of using Visual Studio 2017 with forms authentication and is an alternative to my previous answer.

Visual Studio 2017 will automatically add a NuGet package named Microsoft.AspNet.FriendlyUrls to your website or web application project. Because of this package, forms authentication will not work and even the login page will not be displayed many times.

  • The solution described in my previous answer is to remove that package or comment out the line in the Application_Start event in global.asax that says RouteConfig.RegisterRoutes(RouteTable.Routes);. Your site will lose the benefits of FriendlyUrls if you use this approach.
  • But there is a third solution, mentioned below in two different CONFIGURATIONS; you can use any of them.

    • CONFIGURATION 1 removes the aspx extension from the login and defaultUrl values.

    • CONFIGURATION 2 supports aspx extensions but adds special access permissions for the friendly URL matching login.aspx.

    (? in allowing access means all unauthenticated users and * means all users, that is, authenticated + unauthenticated users)

NOTE. I have tried and tested this solution.



CONFIGURATION 1 to configure form authentication using friendly addresses

    <authentication mode="Forms">
        <forms loginUrl="login" defaultUrl="home"
               slidingExpiration="true" timeout="20" name=".Auth" protection="All">
        </forms>
    </authentication>

      

CONFIGURATION 2 to configure form authentication using friendly addresses

    <configuration>
        <system.web>
            <!--keep the aspx extensions for login and default pages-->
            <authentication mode="Forms">
                <forms loginUrl="login.aspx" defaultUrl="home.aspx"
                       slidingExpiration="true" timeout="20" name=".Auth" protection="All">
                </forms>
            </authentication>
        </system.web>

        <!-- add access permissions for friendly url corresponding to login.aspx-->
        <location path="login">
            <system.web>
                <authorization>
                    <allow users="?" />
                    <deny users="*" />
                </authorization>
            </system.web>
        </location>
    </configuration>

      

+2




Since you are using Visual Studio 2017, the first thing you need to check is to enable the Microsoft.AspNet.FriendlyUrls package. Go through the following steps.

  • Comment out the line in Global.asax that says: RouteConfig.RegisterRoutes(RouteTable.Routes); and try your page now. But remember to clear the cache in your browser, otherwise the old cached version of this URL will be saved with a 401.2 error.
  • If you still see some problems, just remove the above package by selecting the "Solution" node in the solution explorer and then go to "Tools" => NuGet Package Manager => Manage Packages for Solution; check the installed list for this package, select it and select the solution check boxes on the right, then click uninstall.

Below are some other things that you should be sure of.

Try to change the form tag in web config as follows. Change the defaultUrl value and timeout as per your requirement.

    <authentication mode="Forms">
        <forms loginUrl="login.aspx" defaultUrl="home.aspx"
               slidingExpiration="true" timeout="20" name=".Auth" protection="All">
        </forms>
    </authentication>
    <authorization>
        <deny users="?" />
        <allow users="*" />
    </authorization>

      



Also, your C# code should be in the click event of the Login button; if it's anywhere else, you might also see problems.

Allow Login.aspx for all unauthenticated users. Add this configuration just before </configuration>, the end of the web config file. Enter the path for Login.aspx if it is not in the root directory, for example Security/login.aspx, if the page is in the root security folder.

    <location path="Login.aspx">
        <system.web>
            <authorization>
                <allow users="?" />
                <deny users="*" />
            </authorization>
        </system.web>
    </location>

      

Open the IIS Management Console by going to Control Panel > Administrative Tools > Internet Services Manager. Then expand the websites node and select the website you are using. Now double click Authentication in the right pane and make sure Anonymous and Forms Authentication are enabled and other options are disabled, as shown in the following screenshot: [IIS Website Security Settings]

+1

