RE: newbie -- forms authentication

From: Nikander & Margriet Bruggeman (NikanderMargrietBruggeman_at_discussions.microsoft.com)
Date: 02/17/05


Date: Thu, 17 Feb 2005 03:27:02 -0800

We actually tried your code and it works fine. Maybe if it helps, here's the
content of our test web.config file.

Kind regards,
Nikander & Margriet Bruggeman

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    
  <system.web>

    <!-- DYNAMIC DEBUG COMPILATION
          Set compilation debug="true" to enable ASPX debugging. Otherwise, setting this
          value to false will improve runtime performance of this application.
          Set compilation debug="true" to insert debugging symbols (.pdb information)
          into the compiled page. Because this creates a larger file that executes
          more slowly, you should set this value to true only when debugging and to
          false at all other times. For more information, refer to the documentation about
          debugging ASP.NET files.
    -->
    <compilation
         defaultLanguage="c#"
         debug="true"
    />

    <!-- CUSTOM ERROR MESSAGES
          Set customErrors mode="On" or "RemoteOnly" to enable custom error messages, "Off"
          to disable. Add <error> tags for each of the errors you want to handle.

          "On" Always display custom (friendly) messages.
          "Off" Always display detailed ASP.NET error information.
          "RemoteOnly" Display custom (friendly) messages only to users not running
           on the local Web server. This setting is recommended for security purposes, so
           that you do not display application detail information to remote clients.
    -->
    <customErrors
    mode="RemoteOnly"
    />

    <!-- AUTHENTICATION
          This section sets the authentication policies of the application. Possible modes
          are "Windows", "Forms", "Passport" and "None"

          "None" No authentication is performed.
          "Windows" IIS performs authentication (Basic, Digest, or Integrated Windows)
           according to its settings for the application. Anonymous access must be
           disabled in IIS.
          "Forms" You provide a custom form (Web page) for users to enter their credentials,
           and then you authenticate them in your application. A user credential
           token is stored in a cookie.
          "Passport" Authentication is performed via a centralized authentication service
           provided by Microsoft that offers a single logon and core profile services
           for member sites.
    -->
    <!--authentication mode="Windows" /-->
    
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" path="/" loginUrl="login.aspx" protection="All" timeout="30">
        <credentials passwordFormat="Clear">
          <user name="Mickey" password="Mouse"/>
        </credentials>
      </forms>
    </authentication>
  

    <!-- AUTHORIZATION
          This section sets the authorization policies of the application. You can allow or
          deny access to application resources by user or role. Wildcards: "*" means
          everyone, "?" means anonymous (unauthenticated) users.
    -->

    <authorization>
      <deny users="?" />
        <!-- allow users="*" /--> <!-- Allow all users -->
            <!-- <allow users="[comma separated list of users]"
                             roles="[comma separated list of roles]"/>
                  <deny users="[comma separated list of users]"
                             roles="[comma separated list of roles]"/>
            -->
    </authorization>

    <!-- APPLICATION-LEVEL TRACE LOGGING
          Application-level tracing enables trace log output for every page within an
          application. Set trace enabled="true" to enable application trace logging. If
          pageOutput="true", the trace information will be displayed at the bottom of each
          page. Otherwise, you can view the application trace log by browsing the
          "trace.axd" page from your web application root.
    -->
    <trace
        enabled="false"
        requestLimit="10"
        pageOutput="false"
        traceMode="SortByTime"
        localOnly="true"
    />

    <!-- SESSION STATE SETTINGS
          By default ASP.NET uses cookies to identify which requests belong to a particular
          session. If cookies are not available, a session can be tracked by adding a
          session identifier to the URL.
          To disable cookies, set sessionState cookieless="true".
    -->
    <sessionState
            mode="InProc"
            stateConnectionString="tcpip=127.0.0.1:42424"
            sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
            cookieless="false"
            timeout="20"
    />

    <!-- GLOBALIZATION
          This section sets the globalization settings of the application.
    -->
    <globalization
            requestEncoding="utf-8"
            responseEncoding="utf-8"
    />

  </system.web>

</configuration>

"Dan" wrote:

> Hello, I'm experimenting with VS2003 and ASP.NET and I have an issue with
> forms authentication: I have created a VS solution and added to it a new web
> application project; then I added some dummy pages to the project. Now I'd
> like to protect an administrative section of this dummy website, so I
> created a new folder named "admin" in my webapp project (in VS2003,
> right-clicking the project and selecting Add/New Folder). I have then placed
> in this folder (adding new items to the VS project):
>
> 1) a login web form (login.aspx).
> 2) a dummy HTML page hyperlinked by some root (unrestricted-access) pages.
> 3) a Web.config file to override the default (root) settings, with the
> following code:
>
> <system.web>
> <authentication mode="Forms">
> <forms name=".ASPXAUTH" path="/" loginUrl="login.aspx" protection="All"
> timeout="30">
> <credentials passwordFormat="Clear">
> <user name="Mickey" password="Mouse"/>
> </credentials>
> </forms>
> </authentication>
> <authorization>
> <deny users="?" />
> </authorization>
> </system.web>
>
> Now when I click the hyperlink to the protected (i.e. under path admin/)
> HTML page, the login form is NOT invoked and I can access the page as if it
> had no protection. What am I doing wrong?
>
> Thanks guys...
>
>
>
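The symptom in the quoted question, a static .html page under admin/ that opens without a login, is consistent with how ASP.NET 1.x URL authorization works: the <authorization> rules are enforced by an ASP.NET module, so they only cover requests IIS hands to aspnet_isapi.dll, and a default IIS 5/6 site serves .htm/.html files itself. The Python model below is an added example, not code from either poster; its script-map table and folder configs are constructed assumptions built from the two Web.config fragments above, and the rule semantics (child folder rules before parent rules, first match wins, "?" = anonymous, "*" = everyone) follow ASP.NET.

```python
# Added example, not code from the thread: a small model of the ASP.NET 1.x
# URL-authorization decision for the Web.config fragments posted above.
# The script-map table and the folder configs are constructed assumptions;
# the rule semantics (child rules first, first match wins, "?" matches
# anonymous requests, "*" matches everyone) follow ASP.NET.

# Constructed: extensions a default IIS 5/6 site maps to aspnet_isapi.dll.
# Plain .htm/.html files are served by IIS's static handler instead, so
# ASP.NET's authorization module never sees those requests.
ASPNET_EXTENSIONS = {".aspx", ".ascx", ".asmx", ".asax", ".config"}

# Constructed: <authorization> rules per folder, as (action, users) pairs.
CONFIGS = {
    "/admin": [("deny", "?")],   # the admin/Web.config from the question
    "/":      [("allow", "*")],  # root/machine-level default: everyone
}


def handled_by_aspnet(path):
    """True when IIS routes the request to the ASP.NET ISAPI extension."""
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return ext in ASPNET_EXTENSIONS


def folder_chain(path):
    """Folders from the request's own directory up to the site root."""
    folder = path.rsplit("/", 1)[0] or "/"
    chain = []
    while folder != "/":
        chain.append(folder)
        folder = folder.rsplit("/", 1)[0] or "/"
    chain.append("/")
    return chain


def url_authorize(path, user=None):
    """Return 'allow', 'deny', or 'bypass' when ASP.NET is not involved.
    user is None for an anonymous request (no valid .ASPXAUTH ticket)."""
    if not handled_by_aspnet(path):
        return "bypass"
    for folder in folder_chain(path):
        for action, users in CONFIGS.get(folder, []):
            for name in (n.strip() for n in users.split(",")):
                if (name == "*" or (name == "?" and user is None)
                        or (user is not None and name.lower() == user.lower())):
                    return action
    return "deny"  # unreachable with the root allow-all rule; fail closed


print(url_authorize("/admin/secret.html"))            # bypass: the symptom
print(url_authorize("/admin/secret.aspx", "Mickey"))  # allow
```

Moving the protected content into .aspx pages (or mapping .htm/.html to aspnet_isapi.dll in IIS) brings those requests under the same rules, and the model then returns "deny" for anonymous requests to admin/.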