
ASP.NET Forms Authentication

I'm trying to figure out the ASP.NET Forms Auth.

I have 3 or 4 pages I want to allow anonymous access to. Then I have 5 or 6 pages I placed in another directory in the web project. These I want to manually authenticate users to provide access.

My project has 2 web.config files... the default file:

<authentication mode="Forms">
  <forms loginUrl="Login.aspx" protection="All" timeout="30" path="/SecureSite"/>
</authentication>
<authorization>
  <allow users="?" />
</authorization>

This allows users access to my default page, reg page and a few others...

If the user clicks on a link that takes them to the SecureSite dir, my app auto navigates to the login page.

On the login button:

cCustomer oCust = new cCustomer();

if (oCust.LoginCustomer(txtUsername.Text.ToString(), txtPassword.Text.ToString()) == true)
{
    // Build the forms-auth ticket cookie by hand and add it to the response
    HttpCookie cookie = FormsAuthentication.GetAuthCookie(txtUsername.Text.ToString(), chkPersist.Checked);
    cookie.Expires = DateTime.Now.Add(new TimeSpan(30, 12, 30, 0));
    Response.Cookies.Add(cookie);
    // Send the user back to the page that was originally requested
    Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUsername.Text.ToString(), chkPersist.Checked));
}

and the web.config file in the SecureSite dir:

<authorization>
  <deny users="?" />
</authorization>

The problem is...

The code authorizes the user... it even runs Response.Redirect, with the correct page, but the page goes back to the login form endlessly... Do I have a config file setting wrong? What do you think?

Any ideas?

Thanks,
Gavin Stevens
ga***@yourcomputer.com
Nov 18 '05 #1
5 Replies


Have you tried using FormsAuthentication.RedirectFromLoginPage, rather than
setting the cookie manually and doing a Response.Redirect? Maybe the cookie
is being lost when Response.Redirect is called directly? (just guessing -
I've never tried it your way)

Pete Beech

Nov 18 '05 #2

Yes, I tried that... I'm thinking the problem is more in the way I have the whole thing configured with the web.config files and the site structure rather than the methods... Not sure exactly...

Gavin
Nov 18 '05 #3

I've had a closer look at what you've got - I think the path setting in the
form element is at least part of the problem. The path attribute is not the
path to secure, but the path for the cookie.*

You've already secured the path in the web.config file using the
authorization element - so remove the path attribute from the <forms> tag,
and see if that helps.

Cheers,
Pete Beech

PS. In case that doesn't work, I also usually do the basic authentication
similar to this - i.e:

if (MyAuthenticateMethod(UserName.Text, UserPassword.Text))
{
    FormsAuthentication.RedirectFromLoginPage(UserName.Text, Persist.Checked);
}

assuming UserName and UserPassword textboxes, and a Persist checkbox.

* From the quickstart docs, it states that this is the "path to use for the
issued cookie. The default value is "/" to avoid difficulties with
mismatched case in paths, since browsers are strictly case-sensitive when
returning cookies. Applications in a shared-server environment should use
this directive to maintain private cookies. (Alternatively, they can specify
the path at runtime using the APIs to issue cookies.)"
Nov 18 '05 #4
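
The login loop from the question, traced against the cookie path rule Pete Beech quotes above, as an added example that is not code from the thread. It applies the RFC 6265 path-match test a browser runs before returning a cookie; the /MyApp virtual directory, Orders.aspx and the function names are assumptions made for the illustration.

```javascript
// Added example, not code from the thread. Sample paths are constructed.
// RFC 6265 section 5.1.4 path-match: the case-sensitive test a browser
// runs before attaching a cookie to a request.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // The prefix must end on a "/" boundary, so "/SecureSite" never
  // matches "/SecureSiteOld".
  return cookiePath.endsWith("/") ||
         requestPath.charAt(cookiePath.length) === "/";
}

// Replay the browser/server exchange for a page protected by
// <deny users="?" />. The ticket cookie is issued with `cookiePath`
// (the path attribute of the <forms> element) on every successful login.
function simulate(cookiePath, target, maxLogins = 3) {
  const trail = [];
  for (let logins = 0; logins <= maxLogins; logins++) {
    // The cookie exists only after a login, and the browser returns it
    // only when the request path matches the cookie path.
    const cookieSent = logins > 0 && pathMatches(target, cookiePath);
    if (cookieSent) {
      trail.push(`GET ${target} -> 200`);
      return trail;
    }
    // No ticket on the request: the user is anonymous, so forms
    // authentication redirects to loginUrl.
    trail.push(`GET ${target} -> 302 Login.aspx`);
    if (logins < maxLogins) {
      trail.push(`POST Login.aspx -> Set-Cookie path=${cookiePath}; 302 ${target}`);
    }
  }
  trail.push("login loop");
  return trail;
}

// Hypothetical deployment: the application lives under /MyApp.
const TARGET = "/MyApp/SecureSite/Orders.aspx";
console.log(simulate("/SecureSite", TARGET).join("\n")); // ends in "login loop"
console.log(simulate("/", TARGET).join("\n"));           // ends in "-> 200"
```

The same mismatch occurs when only the case differs, for example a link to /securesite/ against a cookie path of /SecureSite, which is why the quoted documentation defaults the path to "/".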

First, I don't see in your code, where did you set the Auth cookie? Use
FormsAuthentication.SetAuthCookie, not GetAuthCookie.
You do not have to set manually an expiration on that cookie - it is done in
the web.config.

Second - Problem is actually here - do you run 2 applications (I see 2
web.config files)? You don't have to. Just configure your first web.config
appropriately:

<?xml version="1.0"?>
<configuration>

  <!-- This is for your public part -->
  <system.web>
    ...
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name="MyAuthCookie" timeout="30" />
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
    ...
  </system.web>
  ...

  <!-- This is for your secure part -->
  <location path="SecureSite/">
    <system.web>
      ...
      <authentication mode="Forms">
        <forms loginUrl="login.aspx" name="MyAuthCookie" timeout="30" />
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
      ...
    </system.web>
  </location>

</configuration>

Nov 18 '05 #5

The main problem actually seems to be the path setting in the forms tag -
try setting up a project and include the path setting, and you should find
that you can reproduce the behaviour Gavin mentions.

I agree about the use of GetAuthCookie, etc. I usually just let the
RedirectFromLoginPage function create the cookie for me.

You can do the web.config your way, but you can also have web.configs at
different levels - which some people prefer to do. In any case, this isn't
the cause of the problem.

Cheers,
Pete

Nov 18 '05 #6
