aspx_security thread: Problems getting form based authentication to start working
Message #1 by "Patrik von Heijne" <patrik@b...> on Thu, 24 Oct 2002 10:09:12
I must have missed something basic.
I've got IIS running in Windows 2000 with .net framework sdk 1.0.3705.
In my virtual root "asp" I have put a web.config file looking like:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="AuthCookie" loginUrl="login.aspx" />
    </authentication>
  </system.web>
</configuration>
I also have two files there named login.aspx and test.aspx, for details see
below.
In the preferences for the virtual root I have put authorization to
anonymous only and browsing is allowed.
When I try to browse the virtual root http://localhost/asp/ in Internet
Explorer it is allowed and if I go to http://localhost/asp/test.aspx it is
also OK, without first being redirected to login.aspx to handle the
authentication.
What have I done wrong?
Yours sincerely, Patrik
-------------------------------------------------------------------
test.aspx looks like:
<%@ Page Language="C#" %>
<script runat="server">
    // Sets the greeting text each time the page loads.
    void Page_Load(Object sender, EventArgs e) {
        lblMessage.Text = "Välkommen till autentieringstest med formulär i ASP.NET";
    }
</script>
<html>
<head>
</head>
<body>
    <asp:Label id="lblMessage" runat="server"></asp:Label>
</body>
</html>
-------------------------------------------------------------------
login.aspx looks like:
<%@ Page Language="C#" %>
<script runat="server">
    // Click handler for the Login button.
    void login(Object o, EventArgs e) {
        // Test credentials hard-coded in the page.
        if (tbUserName.Text == "Pass" && tbPassword.Text == "Word") {
            // Issue a non-persistent forms authentication cookie.
            FormsAuthentication.SetAuthCookie(tbUserName.Text, false);
            Response.Redirect("loggedIn.aspx");
        } else {
            lblMessage.Text = "<font color=red>Wrong user name or password!</font><p>";
        }
    }
</script>
<html>
<head>
</head>
<body>
    <%Response.Write("Form authentication<p>");%>
    <form runat="server">
        <table>
            <tbody>
                <tr>
                    <td>
                        <asp:Label id="lblMessage" runat="server"></asp:Label>
                    </td>
                </tr>
                <tr>
                    <td>
                        Enter<br />
                    </td>
                </tr>
                <tr>
                    <td>
                        User name:
                    </td>
                    <td>
                        <asp:Textbox id="tbUserName" runat="server"></asp:Textbox>
                        <br />
                    </td>
                </tr>
                <tr>
                    <td>
                        Password:
                    </td>
                    <td>
                        <asp:Textbox id="tbPassword" runat="server" TextMode="password"></asp:Textbox>
                    </td>
                </tr>
                <tr>
                    <td>
                        <asp:Button id="Submit" onclick="login" runat="server" Text="Login"></asp:Button>
                    </td>
                </tr>
            </tbody>
        </table>
    </form>
</body>
</html>
-------------------------------------------------------------------
Message #2 by Philip Steel <PhilipS@t...> on Thu, 24 Oct 2002 10:16:47 +0100
Patrick
Add an extra set of tags under system.web:
<authorization>
<deny users="?"/>
</authorization>
<authorization> Configures ASP.NET authorization support. The <authorization> tag controls client access to URL resources.
users: A comma-separated list of user names that are denied access to the resource. A question mark (?) allows anonymous users; an asterisk (*) indicates that all users are accepted.
Try that...let me know if you have any more problems: also make sure you
have a tag under system.web:
<sessionState mode="InProc" timeout="30[or whatever]"/>
Phil
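
The fix suggested above, merged into the web.config from the first message (an added example, not part of the original posts). The protection and timeout attributes are the framework defaults written out explicitly, and public.aspx is a hypothetical page name used only to show a per-path override:

```xml
<configuration>
  <system.web>
    <!-- Authentication only says HOW a user is identified (here: a forms cookie).
         On its own it never blocks a request. -->
    <authentication mode="Forms">
      <forms name="AuthCookie" loginUrl="login.aspx" protection="All" timeout="30" />
    </authentication>

    <!-- Authorization says WHO may pass. Rules are read top-down and the first
         match wins. The inherited machine.config default is an allow rule for
         users="*", which is why test.aspx was served to anonymous visitors
         while this section was missing. -->
    <authorization>
      <!-- "?" matches anonymous (unauthenticated) users. The resulting 401 is
           turned into a redirect to loginUrl; login.aspx itself stays reachable. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Hypothetical page name: a location element re-opens a single path
       to everyone while the rest of the application stays protected. -->
  <location path="public.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With the IIS virtual root still set to anonymous access, a request for test.aspx without the AuthCookie cookie should now be redirected to login.aspx with a ReturnUrl query string.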
Message #3 by Philip Steel <PhilipS@t...> on Thu, 24 Oct 2002 10:21:12 +0100
also you should use
FormsAuthentication.RedirectFromLoginPage() to redirect after successful
login.
phil
Message #4 by "Patrik von Heijne" <patrik@b...> on Thu, 24 Oct 2002 11:28:25
Thanks a lot, Phil.
It took a few seconds ... and now it is working.
/Patrik
> I must must have missed something basic.
> ...
> ------------------------------------------------------------------