Re: Forms Authentication - Confused!
From: Simon Harris (too-much-spam_at_makes-you-fat.com)
Date: 01/27/05
Date: Thu, 27 Jan 2005 21:33:27 -0000
Hi Again Bill,
I followed your steps - creating a fresh application worked fine.
I then followed your steps, checking my application - it did not work.
Again, the authentication occurs correctly, but the secured resource does
not think the user is authenticated, following the login. (I get redirected
straight back to the login page)
The only difference I am aware of is:
a) My root was previously defined in IIS, although it is an application, it's
not a VS project
b) /contenteditor is a project in its own right
c) /adocommon is a project in its own right
Both projects are part of the same solution.
Just to clarify:
http://localhost/ <-- Public part of site
http://localhost/contenteditor/ <-- Secured part of site
http://localhost/adocommon/authenticate.aspx <-- Login page
I don't see that what's part of, and not part of, a project solution should
make any difference.
I must be missing something!!!
Simon.
"William F. Robertson, Jr." <theman@nameht.org> wrote in message
news:OFU2qp8AFHA.632@TK2MSFTNGP10.phx.gbl...
>I created a new webapplication called WebApplication2
>
> Made a folder called "contenteditor"
> Add page index.aspx.
> Made a folder called "adocommon"
> Add page authenticate.aspx
> Add code to authenticate.aspx
>
> Added page WebForm1.aspx off the root.
>
> Run the application.
>
> http://localhost/WebApplication2/WebForm1.aspx comes up with no problems.
>
> I added this to the web.config
>
> <authentication mode="Forms">
> <forms name="Ado" path="/" loginUrl="/adocommon/authenticate.aspx"
> protection="All" timeout="30">
> <credentials passwordFormat="Clear">
> <user name="admin" password="password" />
> </credentials>
> </forms>
> </authentication>
>
> <!-- YOU HAVE THIS LINE SOMEWHERE IN system.web -->
> <authorization>
> <allow users="*" />
> </authorization>
>
> ...and more snipped stuff here...
> </system.web>
> <location path="contenteditor">
> <system.web>
> <authorization>
> <deny users="?" />
> </authorization>
> </system.web>
> </location>
>
> I changed the loginUrl to:
> loginUrl="/WebApplication2/adocommon/authenticate.aspx" as the application
> is inside the virtual directory.
>
> Went to http://localhost/WebApplication2/contenteditor/index.aspx.
>
> The site redirected me
> http://localhost/WebApplication2/adocommon/authenticate.aspx
>
> I typed the login information and logged in.
>
> Here is the button click event source code:
> if ( FormsAuthentication.Authenticate( txtUsername.Text,
> txtPassword.Text ) )
> {
> FormsAuthentication.RedirectFromLoginPage( txtUsername.Text, false );
> }
>
> The site redirected me to
> http://localhost/WebApplication2/contenteditor/index.aspx as expected.
>
> I then took the site and moved it to a Virtual Server.
> http://bob.nameht.org/ and it worked after changing the loginUrl to
> "adocommon/authenticate.aspx"
>
> If you would like to zip your solution and email it to me (take out secure
> information) I will see if you have something configured incorrectly, but
> this does work as expected.
>
> bill
>
>
>
>
> "Simon Harris" <too-much-spam@makes-you-fat.com> wrote in message
> news:OZI8gX8AFHA.4044@TK2MSFTNGP14.phx.gbl...
>> Hi William,
>>
>> My /web.config file now contains:
>>
>> <authentication mode="Forms">
>> <forms name="Ado" path="/" loginUrl="/adocommon/authenticate.aspx"
>> protection="All" timeout="30">
>> <credentials passwordFormat="Clear">
>> <user name="admin" password="password" />
>> </credentials>
>> </forms>
>> </authentication>
>> ...and more snipped stuff here...
>> </system.web>
>> <location path="contenteditor">
>> <system.web>
>> <authorization>
>> <deny users="?" />
>> </authorization>
>> </system.web>
>> </location>
>>
>> I've deleted the /contenteditor/web.config file (No specific settings in
>> there) and tried again - The IIS log reads:
>>
>> 16:34:19 127.0.0.1 - GET /contenteditor/index.aspx 302
>> 16:34:25 127.0.0.1 MachineName\Simon POST /adocommon/authenticate.aspx 302
>> 16:34:25 127.0.0.1 MachineName\Simon GET /contenteditor/index.aspx 302
>> 16:34:25 127.0.0.1 MachineName\Simon GET /adocommon/authenticate.aspx 200
>>
>> The result of FormsAuthentication.Authenticate(txtUser.Text,
>> txtPassword.Text) is now true, but /contenteditor/index.aspx still
>> redirects me back to the login page...
>>
>> I feel like I'm going round in circles! :-(
>>
>>
>> "William F. Robertson, Jr." <theman@nameht.org> wrote in message
>> news:ukedT06AFHA.3700@tk2msftngp13.phx.gbl...
>> >I will try to be more clear this time around.
>> >
>> > You will define the forms authentication inside the /web.config.
>> >
>> > If you place the forms authentication inside /contenteditor/web.config,
>> > when the server is processing a request from /adocommon, it will use the
>> > /adocommon/web.config. When you are calling the
>> > FormsAuthentication.Authenticate(), it will check the credentials defined
>> > in /adocommon/web.config. If there are none there, it will check
>> > /web.config.
>> > Because you have the user/pass defined in /contenteditor/web.config, it
>> > can (and never will) never validate the way you want.
>> >
>> > You need to define your forms authentication stuff "globally" to your
>> > site.
>> > You should by default allow all users regardless of authentication status.
>> > You should use the location tag to secure the contenteditor directory. I
>> > believe you can also add the <authorization> tag inside the
>> > /contenteditor/web.config, but try this one out first to remove any extra
>> > errors you might experience.
>> >
>> > You should place the following snippet inside your root /web.config file.
>> >
>> > (snippet)
>> >
>> > <configuration>
>> >   <system.web>
>> >     <!-- place all your forms authentication stuff in here -->
>> >   </system.web>
>> >
>> >   <!-- The next section will set the permissions for the directory you
>> >        wish to protect -->
>> >   <location path="contenteditor">
>> >     <system.web>
>> >       <authorization>
>> >         <deny users="?" />
>> >         <allow users="*" />
>> >       </authorization>
>> >     </system.web>
>> >   </location>
>> > </configuration>
>> >
>> > (/snippet)
>> >
>> > HTH,
>> >
>> > bill
>> >
>> > "Simon Harris" <too-much-spam@makes-you-fat.com> wrote in message
>> > news:%23Llwfu4AFHA.608@TK2MSFTNGP15.phx.gbl...
>> >> Just updating my own thread...in the hope that it might be useful to
>> >> someone in the future...
>> >>
>> >> It seems the path attribute only sets the path of the cookie - It is not
>> >> relevant to the directory you are trying to secure.
>> >>
>> >> I'm even more lost now though, because after proving the above, I amended
>> >> the web.config file in the folder to be secured again, which now does not
>> >> return true for a valid username and password.
>> >>
>> >> Currently I have:
>> >>
>> >> /contenteditor
>> >> This is the folder to be secured, which contains the following web.config
>> >> info:
>> >>
>> >> <authentication mode="Forms">
>> >>   <forms name="AdoContentEditor" path="/"
>> >>          loginUrl="/adocommon/authenticate.aspx" protection="All" timeout="30">
>> >>     <credentials passwordFormat="Clear">
>> >>       <user name="admin" password="password" />
>> >>     </credentials>
>> >>   </forms>
>> >> </authentication>
>> >> <authorization>
>> >>   <deny users="?" />
>> >> </authorization>
>> >>
>> >> When I access an ASPX page in the root of the site, as expected it serves
>> >> it up correctly.
>> >>
>> >> When I access an ASPX page in /contenteditor, as expected I am redirected
>> >> to my login page. I then enter admin and password - The result of
>> >> FormsAuthentication.RedirectFromLoginPage(txtUser.Text,
>> >> chkPersistLogin.Checked) is always false....
>> >>
>> >> Grrrrrr!!!! :-(
>> >>
>> >>
>> >> "Simon Harris" <too-much-spam@makes-you-fat.com> wrote in message
>> >> news:OQAJhpyAFHA.1188@tk2msftngp13.phx.gbl...
>> >> > The cookie is:
>> >> > simon@localhost/contenteditor/
>> >> >
>> >> > My IIS logs say:
>> >> > 21:41:13 127.0.0.1 - GET /contenteditor/index.aspx 302
>> >> > 21:41:13 127.0.0.1 - GET /adocommon/authenticate.aspx 401
>> >> > 21:41:13 127.0.0.1 MACHINENAME\Simon GET /adocommon/authenticate.aspx 200
>> >> > 21:41:13 127.0.0.1 MACHINENAME\Simon GET /adocommon/assets/main.css 200
>> >> > 21:41:24 127.0.0.1 MACHINENAME\Simon POST /adocommon/authenticate.aspx 302
>> >> > 21:41:24 127.0.0.1 - GET /contenteditor/index.aspx 302
>> >> > 21:41:24 127.0.0.1 MACHINENAME\Simon GET /adocommon/authenticate.aspx 200
>> >> >
>> >> > So, it looks like it's reaching the page that requires
>> >> > authentication, bouncing the user to authenticate.aspx, which later
>> >> > bounces the user back to the page requiring authentication...which
>> >> > AGAIN sends us off to authenticate...
>> >> >
>> >> > Just a thought...My IIS is not configured for anonymous access, but
>> >> > from what I read this shouldn't make a difference - The IIS level of
>> >> > authentication is handled, then a token passed to the ASP.Net engine
>> >> > (Which should accept any token from IIS)
>> >> >
>> >> > I don't geddit....yet.
>> >> >
>> >> >
>> >> > "William F. Robertson, Jr." <theman@nameht.org> wrote in message
>> >> > news:uH8o68xAFHA.3504@TK2MSFTNGP12.phx.gbl...
>> >> >>I am purely speculating here, but perhaps the redirect is working, but
>> >> >> the path/cookie name isn't working properly. So when it tries to open
>> >> >> the page again, it doesn't see the correct authentication cookie. Try
>> >> >> going directly to your login page and login. It should redirect you to
>> >> >> default.aspx since there is no ReturnUrl defined in the querystring.
>> >> >>
>> >> >> Are the text boxes clearing out after the RedirectFromReturnUrl? I
>> >> >> mean is the page just sitting there, or does it re-request the page.
>> >> >>
>> >> >> bill
>> >> >>
>> >> >>
>> >> >> "Simon Harris" <too-much-spam@makes-you-fat.com> wrote in message
>> >> >> news:O6F4IewAFHA.4028@TK2MSFTNGP15.phx.gbl...
>> >> >>> Hi William,
>> >> >>>
>> >> >>> Thanks for your reply - I am getting:
>> >> >>> "Unrecognized configuration section 'location'"
>> >> >>>
>> >> >>> When I add this to my root web.config:
>> >> >>>
>> >> >>> <location path="/contenteditor">
>> >> >>> <authentication mode="Forms">
>> >> >>> <forms name="AdoContentEditor" path="/contenteditor"
>> >> >>> loginUrl="/adocommon/authenticate.aspx" protection="All"
>> >> >>> timeout="30">
>> >> >>> <credentials passwordFormat="Clear">
>> >> >>> <user name="admin" password="password" />
>> >> >>> </credentials>
>> >> >>> </forms>
>> >> >>> </authentication>
>> >> >>> <authorization>
>> >> >>> <deny users="?" />
>> >> >>> </authorization>
>> >> >>> </location>
>> >> >>>
>> >> >>> I have also tried putting the above into /web.config without the
>> >> >>> location tag, and had a little more success...
>> >> >>> FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text) now
>> >> >>> returns true when expected (e.g. correct user/pass) however, the
>> >> >>> following line does not seem to do anything:
>> >> >>>
>> >> >>> FormsAuthentication.RedirectFromLoginPage(txtUser.Text,
>> >> >>> chkPersistLogin.Checked)
>> >> >>>
>> >> >>> Note that I know I am reaching this part of the code, as I set a
>> >> >>> label's value within the same if statement - The redirect simply
>> >> >>> doesn't occur for some reason!
>> >> >>>
>> >> >>> Cheers again,
>> >> >>>
>> >> >>> Simon.
>> >> >>>
>> >> >>>
>> >> >>> "William F. Robertson, Jr." <theman@nameht.org> wrote in message
>> >> >>> news:OuSdxRvAFHA.2156@TK2MSFTNGP10.phx.gbl...
>> >> >>> >I will try to help you with this one.
>> >> >>> >
>> >> >>> > \ (root directory)
>> >> >>> > \Admin
>> >> >>> > \Common
>> >> >>> >
>> >> >>> > You try to access \admin which has forms authentication defined in
>> >> >>> > there.
>> >> >>> > You are redirected to \Common\Login. When you call the Authenticate
>> >> >>> > method, it is looking in the \Common\web.config for the user/pass.
>> >> >>> > It can't find it, so it goes to the \(root) to look for user/pass.
>> >> >>> > And can't find anything there so it returns false.
>> >> >>> >
>> >> >>> > You should place the forms authentication stuff in the root
>> >> >>> > directory. Then use the location web.config attribute to control
>> >> >>> > access to certain folders and such.
>> >> >>> >
>> >> >>> > This is the \(root)web.config
>> >> >>> > <system.web>
>> >> >>> > <!-- all your authentication/credentials are in here. -->
>> >> >>> > <authorization>
>> >> >>> > <allow users="*" /> <!-- Allows all unauthenticated users -->
>> >> >>> > </authorization>
>> >> >>> > </system.web>
>> >> >>> >
>> >> >>> > <location path="Admin/">
>> >> >>> > <system.web>
>> >> >>> > <authorization>
>> >> >>> > <deny users="?" /> <!-- Denies unauthenticated users -->
>> >> >>> > <allow users="*" /> <!-- Allows all users -->
>> >> >>> > </authorization>
>> >> >>> > </system.web>
>> >> >>> > </location>
>> >> >>> >
>> >> >>> > You probably will have to tweak my syntax (went by memory), but I
>> >> >>> > believe this should work, or at least this is the directory I
>> >> >>> > believe you should head in.
>> >> >>> >
>> >> >>> > HTH,
>> >> >>> >
>> >> >>> > bill
>> >> >>> >
>> >> >>> >
>> >> >>> > "Simon Harris" <too-much-spam@makes-you-fat.com> wrote in message
>> >> >>> > news:egvXa4sAFHA.1396@tk2msftngp13.phx.gbl...
>> >> >>> >> Sorry - Slight mistake, my web.config file with the auth
>> >> >>> >> mode/authorization sections actually resides in /admin
>> >> >>> >>
>> >> >>> >> With it in here, I am correctly redirected to my login page, but
>> >> >>> >> as mentioned, the user is not authenticated.
>> >> >>> >>
>> >> >>> >> Cheers,
>> >> >>> >> Simon.
>> >> >>> >>
>> >> >>> >> "Simon Harris" <too-much-spam@makes-you-fat.com> wrote in message
>> >> >>> >> news:...
>> >> >>> >> > Hi All,
>> >> >>> >> >
>> >> >>> >> > I'm trying to setup forms based authentication, so that the user
>> >> >>> >> > gets prompted for a password when they try to access /admin (I
>> >> >>> >> > won't actually call it that in production of course!)
>> >> >>> >> >
>> >> >>> >> > I want the user/pass to be stored in web.config.
>> >> >>> >> >
>> >> >>> >> > This will be for a website that is otherwise open to anonymous
>> >> >>> >> > access.
>> >> >>> >> >
>> >> >>> >> > At the moment, I have:
>> >> >>> >> >
>> >> >>> >> > /common/authenticate.aspx - My login page, with the following
>> >> >>> >> > code, onclick of the login button:
>> >> >>> >> > If FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text) Then
>> >> >>> >> >     FormsAuthentication.RedirectFromLoginPage(txtUser.Text, chkPersistLogin.Checked)
>> >> >>> >> > Else
>> >> >>> >> >     Me.lblErrorMsg.Text = "Result of authentication attempt: " _
>> >> >>> >> >         & FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text)
>> >> >>> >> > End If
>> >> >>> >> >
>> >> >>> >> > /admin/web.config, which contains:
>> >> >>> >> > <authentication mode="Forms">
>> >> >>> >> > <forms name="AdoContentEditor" path="/contenteditor"
>> >> >>> >> > loginUrl="/common/authenticate.aspx" protection="All" timeout="30">
>> >> >>> >> > <credentials passwordFormat="Clear">
>> >> >>> >> > <user name="admin" password="password" />
>> >> >>> >> > </credentials>
>> >> >>> >> > </forms>
>> >> >>> >> > </authentication>
>> >> >>> >> > <authorization>
>> >> >>> >> > <deny users="?" />
>> >> >>> >> > </authorization>
>> >> >>> >> >
>> >> >>> >> > When I try to access an aspx page in /admin, as expected I am
>> >> >>> >> > redirected to /common/authenticate.aspx, however,
>> >> >>> >> > FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text)
>> >> >>> >> > always returns 'false'.
>> >> >>> >> >
>> >> >>> >> > I suspect I have got my web.config locations wrong, but have tried
>> >> >>> >> > a few combinations...any help/advice will be much appreciated!
>> >> >>> >> >
>> >> >>> >> > Thanks,
>> >> >>> >> > Simon.
>> >> >>> >> >
>> >> >>> >> >
>> >> >>> >> >
>> >> >>> >>
>> >> >>> >>
>> >> >>> >
>> >> >>> >
>> >> >>>
>> >> >>>
>> >> >>
>> >> >>
>> >> >
>> >> >
>> >>
>> >>
>> >
>> >
>>
>>
>
>
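
The symptom reported in this thread (login succeeds, yet the secured page still treats the user as unauthenticated) shows up in the quoted IIS logs as a login POST answered 302, followed at once by the protected page answering 302 and the login page being fetched again. The script below is an added example, not code from either poster; it flags that sequence in logs of the same layout, and the names `parse`, `find_login_loops`, `LOOPING` and `WORKING` are hypothetical.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "time ip user method uri status")
# Field layout of the excerpts in the thread: time, client IP, user, method, URI, status.
LINE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|HEAD) (\S+) (\d{3})$")

# The 16:34 excerpt quoted in the thread, with its wrapped line rejoined.
LOOPING = r"""
16:34:19 127.0.0.1 - GET /contenteditor/index.aspx 302
16:34:25 127.0.0.1 MachineName\Simon POST /adocommon/authenticate.aspx 302
16:34:25 127.0.0.1 MachineName\Simon GET /contenteditor/index.aspx 302
16:34:25 127.0.0.1 MachineName\Simon GET /adocommon/authenticate.aspx 200
"""

# Constructed contrast case: the protected page is served after the login POST.
WORKING = r"""
16:40:02 127.0.0.1 - GET /contenteditor/index.aspx 302
16:40:02 127.0.0.1 - GET /adocommon/authenticate.aspx 200
16:40:09 127.0.0.1 - POST /adocommon/authenticate.aspx 302
16:40:09 127.0.0.1 - GET /contenteditor/index.aspx 200
"""

def parse(log):
    """Parse log text into Entry tuples, skipping blank or malformed lines."""
    entries = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            entries.append(Entry(*m.groups()[:5], int(m.group(6))))
    return entries

def find_login_loops(log, login_url, protected_prefix):
    """Return (time, uri) for each protected request bounced right after a login POST."""
    login_url, protected_prefix = login_url.lower(), protected_prefix.lower()
    entries = parse(log)
    hits = []
    for i, e in enumerate(entries):
        if not (e.method == "POST" and e.uri.lower() == login_url and e.status == 302):
            continue
        # The two requests the same client makes straight after the login POST.
        nxt = [f for f in entries[i + 1:] if f.ip == e.ip][:2]
        if (len(nxt) == 2
                and nxt[0].uri.lower().startswith(protected_prefix) and nxt[0].status == 302
                and nxt[1].method == "GET" and nxt[1].uri.lower() == login_url):
            hits.append((nxt[0].time, nxt[0].uri))
    return hits

if __name__ == "__main__":
    for name, log in (("looping", LOOPING), ("working", WORKING)):
        print(name, find_login_loops(log, "/adocommon/authenticate.aspx", "/contenteditor/"))
```

A hit means the request that followed the login was still redirected by the protected path; it does not by itself say why the ticket was not honoured.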