Last post Jun 23, 2017 02:25 PM by march11
Jun 23, 2017 01:59 PM|Black_Lion|LINK
Hello. I am using ASP.NET 2.0 on Windows Server 2008 and IIS 7. I have a website project which consists of two pages: Default.aspx and login.aspx. I have coded the login form on login.aspx using Forms Authentication in C# and I am successfully redirected
to Default.aspx if I provide the correct username and password on login.aspx (credentials are hardcoded in web.config file). My issue is that I have been trying to restrict anonymous users so that they can only access the login.aspx page. Despite adding the
necessary settings in the web.config, a user can directly visit the Default.aspx without being restricted. Below are the necessary changes I made to the website's web.config to attempt the restriction:
<!-- Enable forms authentication using hardcoded password -->
<forms loginUrl="login.aspx" defaultUrl="Default.aspx">
<user name="user" password="somepassword"/>
<!-- Restrict anonymous user access -->
<!-- only allow anonymous access to login.aspx -->
<allow users ="*" />
I have also enabled Forms Authentication and Anonymous Authentication in IIS for the website.
Jun 23, 2017 02:25 PM|march11|LINK
Ok you have some design issues here. First default.aspx is typically (almost always) the home page for the site and mapped that way by IIS. This means that any user coming to your site must land on this page. It's configurable so you can change it, but that is much more work than you need to do.
I would suggest you do this.
Add a new page to your site call it authHomePage.aspx or something unique. In the Page Load event for this page add the following....
If Not Request.IsAuthenticated Then Response.Redirect("default.aspx")
This will send any non-authenticated user that tries to access your new web page back to the default.aspx home page.
And then in your logon control, when a user is authenticated, also send them to the new page. You could also add a new folder to your project and place your new authHomePage.aspx file in that new folder and build out an entirely secured access only section in your web site. Then in this folder add a web config that only allows authenticated users.
Hope this helps.
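
For reference, an added example (not posted by either participant) of a root web.config that carries out the restriction the question describes: anonymous users are denied site-wide and login.aspx is opened up through a location element. The same authorization block, placed in a web.config inside a subfolder, gives the folder-only variant suggested in the reply. The credentials element from the question is left out here and would sit inside the forms element unchanged.

```xml
<?xml version="1.0"?>
<!-- Added example: root web.config for the site in the question. -->
<configuration>
  <system.web>
    <!-- Forms authentication, same attributes as in the question. -->
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" defaultUrl="Default.aspx">
        <!-- The question's hardcoded credentials block goes here. -->
      </forms>
    </authentication>

    <!--
      URL authorization rules are checked top-down and the first match wins.
      "?" means anonymous users, "*" means all users.
      Without a deny rule the inherited default (allow everyone) applies,
      so a lone <allow users="*" /> restricts nothing.
    -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Override for the login page only: anyone may request it. -->
  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place, an anonymous request for Default.aspx is redirected to login.aspx with a ReturnUrl query string instead of being served.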