I want to allow unauthenticated (logged out) web users to be able to access several special pages. For example, if a user has trouble logging in, he/she should still be able to navigate to a “HelpMe” page.
Background:
First, this is a working application. It allows access by authenticated users just fine, and unauthenticated users are redirected to the login page as usual. The web site uses forms authentication. We’re only having a problem when we try to allow anyone
to navigate to the HelpMe.aspx page without logging in first.
We’re running VS2010 Pro and IIS 7, on both Windows 7 and Server 2008R2 with all updates.
Here are the relevant sections in web.config:
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx" slidingExpiration="true" timeout="120" />
</authentication>
<authorization>
<allow users="*" />
</authorization>
</system.web>
...
<location path="HelpMe.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
... (there are more <location> sections defined for subdirectories below)
The section for HelpMe.aspx should allow access by unauthenticated (logged out) users. However, the user is always redirected to the login page. I’ve tried all combinations of “?” and “*” in both the HelpMe.aspx section and the general <authorization> sections
above. Plus, I’ve tried all combinations of including and deleting the two sections.
Question:
So, how should I set up this web site to allow unauthenticated users to navigate to our HelpMe.aspx page? I’m sure we’re missing something dumb, but does anyone have a suggestion?
Update July 3:
This is getting ridiculous. I’ve commented out nearly everything in the config.web file (only a reference to the System.Data.Linq assembly remains, so the project can compile). I’ve even removed the section for Forms Authentication. And yet, IIS still redirects
to the login page when I try to open the HelpMe page.
I cannot find any reference to Login.aspx remaining anywhere in the project. In IIS Manager, Forms Authentication is turned off for the site as well as in IIS’s default settings. What is telling IIS to redirect to the login page?
Solved!
Finally found the problem -- pilot error. We had initialization code buried deep that was causing the redirect to the login page, and it was executed because the user wasn't logged in. In this case, the user wasn't supposed to be logged in in the
first place, but the code didn't understand that. All's well now. Thanks to everyone for your help!
This says first deny anon users, then allow all users (order is important).
So then for your <location> element -- it actually looks correct. It's saying allow anon users.
So having said all of this, I can't understand why (from what you've shown so far) you're getting redirected to login -- none of those config sections are requiring authentication. Is there any code you're not showing that's triggering a 401 response status
code?
Yes, I agree. I removed the <deny user="?" /> line as part of troubleshooting, to avoid any accidental "deny" effect. Basically, this should make all pages accessible to anyone as the default. And yet I still have this odd problem.
I have a number of other <location> elements that restrict subdirectories to certain roles. Plus, I have a <location> element for the Default.aspx home page that includes a <denyusers="?" /> element. Other than that, I don't have any other <location> elements defined.
I don't think I have any code that would cause a redirect to the login page. I have code in Global.asax to handle the Session_Start and Application_BeginRequest events, but they only do something if Request.IsAuthenticated is
true, not false. Is there any way to track down where the redirect to the login page happens?
Maybe start over -- remove any authentication, then add back in one piece at a time. Another approach is to enable
FREB and run it in IIS and get a detailed trace of what modules run and when/why the web server returns with a 401.
The section for HelpMe.aspx should allow access by unauthenticated (logged out) users.
sandygettings
So, how should I set up this web site to allow unauthenticated users to navigate to our HelpMe.aspx page? I’m sure we’re missing something dumb, but does anyone have a suggestion?
I've removed all authentication references, and it still wants to redirect to the login page (see my update in the original post). I'l look into FREB next; thanks for the tip!
Finally found the problem -- pilot error. We had initialization code buried deep that was causing the redirect to the login page, and it was executed because the user wasn't logged in. In this case, the user wasn't
supposed to be logged in in the first place, but the code didn't understand that. All's well now. Thanks to everyone for your help!
Marked as answer by mbanavige on Jul 06, 2012 02:42 AM
sandygetting...
Member
14 Points
17 Posts
Unauthenticated users can’t access “help” page without logging in
Jul 04, 2012 11:49 PM|LINK
Goal:
I want to allow unauthenticated (logged out) web users to be able to access several special pages. For example, if a user has trouble logging in, he/she should still be able to navigate to a “HelpMe” page.
Background:
First, this is a working application. It allows access by authenticated users just fine, and unauthenticated users are redirected to the login page as usual. The web site uses forms authentication. We’re only having a problem when we try to allow anyone to navigate to the HelpMe.aspx page without logging in first.
We’re running VS2010 Pro and IIS 7, on both Windows 7 and Server 2008R2 with all updates.
Here are the relevant sections in web.config:
<system.web> <authentication mode="Forms"> <forms loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx" slidingExpiration="true" timeout="120" /> </authentication> <authorization> <allow users="*" /> </authorization> </system.web> ... <location path="HelpMe.aspx"> <system.web> <authorization> <allow users="?" /> </authorization> </system.web> </location> ... (there are more <location> sections defined for subdirectories below)The section for HelpMe.aspx should allow access by unauthenticated (logged out) users. However, the user is always redirected to the login page. I’ve tried all combinations of “?” and “*” in both the HelpMe.aspx section and the general <authorization> sections above. Plus, I’ve tried all combinations of including and deleting the two sections.
Question:
So, how should I set up this web site to allow unauthenticated users to navigate to our HelpMe.aspx page? I’m sure we’re missing something dumb, but does anyone have a suggestion?
Update July 3:
This is getting ridiculous. I’ve commented out nearly everything in the config.web file (only a reference to the System.Data.Linq assembly remains, so the project can compile). I’ve even removed the section for Forms Authentication. And yet, IIS still redirects to the login page when I try to open the HelpMe page.
I cannot find any reference to Login.aspx remaining anywhere in the project. In IIS Manager, Forms Authentication is turned off for the site as well as in IIS’s default settings. What is telling IIS to redirect to the login page?
Solved!
Finally found the problem -- pilot error. We had initialization code buried deep that was causing the redirect to the login page, and it was executed because the user wasn't logged in. In this case, the user wasn't supposed to be logged in in the first place, but the code didn't understand that. All's well now. Thanks to everyone for your help!
BrockAllen
All-Star
28114 Points
4997 Posts
MVP
Re: Unauthenticated users can’t access “help” page without logging in
Jul 05, 2012 01:23 AM|LINK
So the basic <authorization> element you have should allow any user in:
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
This says allow all users. If you want most pages to require authentication and only some pages to allow anon, then you want something like this:
<system.web>
<authorization>
<deny user="?" />
<allow users="*" />
</authorization>
</system.web>
This says first deny anon users, then allow all users (order is important).
So then for your <location> element -- it actually looks correct. It's saying allow anon users.
So having said all of this, I can't understand why (from what you've shown so far) you're getting redirected to login -- none of those config sections are requiring authentication. Is there any code you're not showing that's triggering a 401 response status code?
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
sandygetting...
Member
14 Points
17 Posts
Re: Unauthenticated users can’t access “help” page without logging in
Jul 05, 2012 01:43 AM|LINK
Yes, I agree. I removed the <deny user="?" /> line as part of troubleshooting, to avoid any accidental "deny" effect. Basically, this should make all pages accessible to anyone as the default. And yet I still have this odd problem.
I have a number of other <location> elements that restrict subdirectories to certain roles. Plus, I have a <location> element for the Default.aspx home page that includes a <deny users="?" /> element. Other than that, I don't have any other <location> elements defined.
I don't think I have any code that would cause a redirect to the login page. I have code in Global.asax to handle the Session_Start and Application_BeginRequest events, but they only do something if Request.IsAuthenticated is true, not false. Is there any way to track down where the redirect to the login page happens?
BrockAllen
All-Star
28114 Points
4997 Posts
MVP
Re: Unauthenticated users can’t access “help” page without logging in
Jul 05, 2012 02:00 AM|LINK
Maybe start over -- remove any authentication, then add back in one piece at a time. Another approach is to enable FREB and run it in IIS and get a detailed trace of what modules run and when/why the web server returns with a 401.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
oned_gk
All-Star
36200 Points
7374 Posts
Re: Unauthenticated users can’t access “help” page without logging in
Jul 05, 2012 02:48 AM|LINK
Try this :
<location path="~/HelpMe.aspx">
Suwandi - Non Graduate Programmer
sandygetting...
Member
14 Points
17 Posts
Re: Unauthenticated users can’t access “help” page without logging in
Jul 05, 2012 01:33 PM|LINK
Thanks for the suggestion, but no joy.
Ruchira
All-Star
44372 Points
7194 Posts
MVP
Re: Unauthenticated users can’t access “help” page without logging in
Jul 05, 2012 01:34 PM|LINK
Hello,
Try by allowing anonymous access to that page, as below
<location path="HelpMe.aspx"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location>
My Tech blog | My YouTube ChannelPlease 'Mark as Answer' if this post helps you.sandygetting...
Member
14 Points
17 Posts
Re: Unauthenticated users can’t access “help” page without logging in
Jul 05, 2012 01:42 PM|LINK
Thanks, I tried hat as well, but no luck.
sandygetting...
Member
14 Points
17 Posts
Re: Unauthenticated users can’t access “help” page without logging in
Jul 05, 2012 07:33 PM|LINK
I've removed all authentication references, and it still wants to redirect to the login page (see my update in the original post). I'l look into FREB next; thanks for the tip!
sandygetting...
Member
14 Points
17 Posts
Re: Unauthenticated users can’t access “help” page without logging in
Jul 05, 2012 10:37 PM|LINK
Finally found the problem -- pilot error. We had initialization code buried deep that was causing the redirect to the login page, and it was executed because the user wasn't logged in. In this case, the user wasn't supposed to be logged in in the first place, but the code didn't understand that. All's well now. Thanks to everyone for your help!