mojo99
Member
311 Points
107 Posts
Preventing users from circumventing login for restricted area
Dec 04, 2009 12:45 PM
I have created a website, which requires all users to login. I'm using Forms Authentication for this and have configured the web.config file to prevent users circumventing the login page, like so:
<authentication mode="Forms">
<forms loginUrl="login.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
I also require a separate area where Admin users can perform administrative tasks. I created a sub-folder in DOTNET, and configured it as an application under IIS. This subfolder has its own web.config file, which I've renamed. I have edited the web.config file in the following way:
<authentication mode="Forms">
<forms loginUrl="restricted.aspx"/>
</authentication>
<authorization>
<allow users="Admin" />
<deny users="?" />
</authorization>
When I test the login process with both an administrator and user account, it works as it should, i.e. users who don't have admin privileges can't login to this restricted area.
However, the problem is that the login process can be circumvented if a user simply types in a url in the address field on their browser. So, if I went to the login page for this restricted area and then typed in the address of a resource located within it, the browser will take me to the webpage, which it shouldn't.
I thought the line in my web config file (<forms loginUrl="restricted.aspx"/>) was meant to prevent this? What am I doing wrong and how can I put it right?
TIA for any help.
Web.config file
Lyra Belaqua
Contributor
2673 Points
552 Posts
Re: Preventing users from circumventing login for restricted area
Dec 04, 2009 01:31 PM
Hi Mojo99,
You can place a customauthentication to prevent this kind of glitch.
Just place a following tag in the web.config file for preventing front users to view the forms of admin section.
Hope it is helpful
Please don't forget to click "Mark as Answer" on the post that helped you.
Before printing, think about the environment, every 3000 A4 paper costs 1 tree.
mojo99
Member
311 Points
107 Posts
Re: Preventing users from circumventing login for restricted area
Dec 07, 2009 10:14 AM
Hello,
I've tried the code you posted and I'm getting an error saying that the 'loginUrl' attribute is not declared. I get the same error on 'cookiename' and 'defaulturl'.
Any ideas what I'm doing wrong?
Thanks.
mojo99
Member
311 Points
107 Posts
Re: Preventing users from circumventing login for restricted area
Dec 07, 2009 02:18 PM
BTW, here is what the entire web config file looks like:
<configuration>
<location path= "~/restrict">
<default url="~/restrict/default.aspx"> </default>
<system.web>
<authentication mode="Forms">
<forms loginUrl="restricted.aspx"/>
</authentication>
<authorization>
<allow users="Admin" />
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
guru_sarkar
All-Star
22198 Points
3463 Posts
Re: Preventing users from circumventing login for restricted area
Dec 07, 2009 04:21 PM
Looks like they are sharing the auth cookie... can you try giving a different name, e.g.,
<authentication mode="Forms">
<forms name=".UsersAuth" loginUrl="login.aspx"/>
</authentication>
<authentication mode="Forms">
<forms name=".AdminAuth" loginUrl="restricted.aspx"/>
</authentication>
And yes... try removing the location tag that you added earlier.
mojo99
Member
311 Points
107 Posts
Re: Preventing users from circumventing login for restricted area
Dec 08, 2009 08:35 AM
Thanks very much for your response.
I have tried what you suggested and the situation is still the same. Users can still circumvent login by typing in a url.
guru_sarkar
All-Star
22198 Points
3463 Posts
Re: Preventing users from circumventing login for restricted area
Dec 08, 2009 04:17 PM
How about setting the authorization like this:
<allow users="Admin" />
<deny users="*" />
Also, I would like to confirm that Admin is a username, correct, and you are not referring to it here as a role?
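The difference between the two authorization blocks discussed in this thread (deny users="?" versus deny users="*") is easy to see by modelling how ASP.NET's URL authorization evaluates its rules: top-down, first matching rule wins, "?" matches only anonymous requests, "*" matches everyone, and if no rule matches the request is allowed. The script below is an added example written for this page, not code from the forum or from Microsoft; it embeds constructed copies of the two <authorization> fragments from the thread plus a role-based variant, and it does not model the verbs attribute or <location> merging.

```python
"""Model of ASP.NET URL authorization rule evaluation (added example, not
from the thread).  Rules are evaluated top-down and the first matching rule
wins; "?" matches anonymous users, "*" matches everyone; if no rule matches,
access is granted.  The verbs attribute and <location> merging are not
modelled."""
import xml.etree.ElementTree as ET

# Constructed copy of the <authorization> block the original poster used
# in the restricted area: it denies only *anonymous* users.
CONFIG_DENY_ANONYMOUS = """
<configuration>
  <system.web>
    <authorization>
      <allow users="Admin" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
"""

# Constructed copy of guru_sarkar's suggestion: deny everyone not allowed above.
CONFIG_DENY_ALL = """
<configuration>
  <system.web>
    <authorization>
      <allow users="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
"""

# Constructed variant in which "Admin" is a role rather than a user name.
CONFIG_ADMIN_ROLE = """
<configuration>
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
"""


def _split(attr_value):
    """Split a comma-separated users/roles attribute into trimmed names."""
    return [part.strip() for part in attr_value.split(",") if part.strip()]


def _rule_matches(rule, user, authenticated, roles):
    """True if this <allow>/<deny> element applies to the given principal."""
    for name in _split(rule.get("users", "")):
        if name == "*":                               # everyone
            return True
        if name == "?" and not authenticated:         # anonymous only
            return True
        if authenticated and name.lower() == user.lower():
            return True
    user_roles = {r.lower() for r in roles}
    for role in _split(rule.get("roles", "")):
        if authenticated and role.lower() in user_roles:
            return True
    return False


def is_allowed(config_xml, user, authenticated=True, roles=()):
    """Evaluate the <authorization> rules in config_xml for one principal."""
    root = ET.fromstring(config_xml)
    section = root.find("./system.web/authorization")
    if section is None:
        return True
    for rule in section:                   # document order: first match wins
        if rule.tag not in ("allow", "deny"):
            continue
        if _rule_matches(rule, user, authenticated, roles):
            return rule.tag == "allow"
    return True                            # no rule matched: ASP.NET grants access


if __name__ == "__main__":
    for label, cfg in (("deny ?", CONFIG_DENY_ANONYMOUS), ("deny *", CONFIG_DENY_ALL)):
        print(label,
              "anonymous:", is_allowed(cfg, "", authenticated=False),
              "Admin:", is_allowed(cfg, "Admin"),
              "Bob (signed in elsewhere):", is_allowed(cfg, "Bob"))
```

With deny users="?" a request carrying any valid forms-authentication ticket, for instance one issued by the main site if the two applications share a cookie name and machine key, passes the rules even though the user is not Admin; with deny users="*" only the explicitly allowed name gets through. The role-based variant shows why the username-versus-role question matters: a user literally named "Admin" who is not in the Admin role is denied.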
mojo99
Member
311 Points
107 Posts
Re: Preventing users from circumventing login for restricted area
Dec 09, 2009 07:06 AM
Thanks for the response. Still the same issue.
Does this issue have anything to do with IIS at all?
Hua-Jun Li -...
All-Star
75950 Points
5608 Posts
Re: Preventing users from circumventing login for restricted area
Dec 09, 2009 08:49 AM
Hi mojo99,
I guess that the cookie timeout you set is small, but the cookie still exists, so you can access that webpage directly without logging in again.
Please set its value to a smaller value to avoid it.
Forms Authentication Configuration
The default attribute values for forms authentication are shown in the following configuration-file fragment.
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
protection="All"
timeout="30"
name=".ASPXAUTH"
path="/"
requireSSL="false"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseDeviceProfile"
enableCrossAppRedirects="false" />
</authentication>
</system.web>
Please check the following link:
http://msdn.microsoft.com/en-us/library/aa480476.aspx
http://support.microsoft.com/kb/301240
http://www.15seconds.com/Issue/020220.htm
If you have any feedback about my replies, please contact msdnmg@microsoft.com.
Microsoft One Code Framework