Hello,
Sorry this is a bit wordy, but it's a pretty simple question...
I have a web site, http://domain/ which is a public site, part of which
( http://domain/a/) is protected by forms authentication.
I would like to configure it so that anyone not logged in, trying to
access the protected part will not be redirected to the login page, but
will be sent to the main site's home page. The reason is that I have
a page in the protected part where the site owner prints out order
details to send to the customer. As most browsers put the URL at the
bottom of a printed web page, the customer will see http://domain/a/orders.aspx?orderid=23 and will then try to load that
page. If they are redirected to a login page, it encourages hackers to
try and break in. If they are redirected to the main home page, or given
a 404, they will not know of the existence of the protected part.
So, any ideas how I do this? I tried setting the loginUrl (in
web.config) to the home page, but this stops anyone from logging in,
even if they enter the URL to the login page.
Currently, the main site does not have a web.config, and the protected
part (which is a separate application) has the following...
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" />
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>
This works, except it shows the login page to everyone. Any idea how I
can prevent this? TIA
--
Alan Silver
(anything added below this line is nothing to do with me)
If I understand correctly.....
.... you want to permit authorised users to be allowed to visit domain/a, but
you don't want to invoke the asp standard response of sending all unauth'd
requests to the login page. In this case you need to make your own link to
the username/password page from somewhere in domain/. Then you should
protect the domain/a directory with Forms authentication, but using as the
login page something like a 404, with no reference to logging in. This means
that genuine users need to know they should login officially using the link
you provide - they can't just navigate to domain/a and get redirected to the
login page. Otherwise I don't see how you can distinguish between genuine
"not logged in yet" users, and nasty creatures of the night.
Hi Alan,
Sounds a bit like chicken and egg. The forms authentication needs to
know which page is the login page, otherwise it cannot provide access
to that page and bypass the authentication for it.
That being said, you may be able to check the RETURNURL parameter in
the querystring during Page Load of your login page, and if you've come
from somewhere else, redirect to the homepage. (I don't use Forms
Authentication myself, and for all I know ASP.NET may sneakily hide
that parameter from you)
At the end of the day though, you're just practicing security through
obscurity. Sure, do this if you want to, but I'd rather devote time and
energy to making my site secure even if someone discovers the
"protected" site. And this page will only stay hidden for so long. Once
it's out in the open (and if it's believed the contents are high
valued, and people suspect that you've hidden the login page as a
security measure), you may be *more* likely to be attacked.
The simple fact of the matter is: all web servers/web sites which are
exposed to the internet get attacked.
Damien
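The ReturnUrl check Damien describes, as an added example that is not code from the thread. It assumes the classic Web Forms code-behind model, that Login.aspx stays the loginUrl in web.config (forms authentication lets anonymous requests through to that one page automatically), and that the page has controls named txtUser, txtPass, lblMessage and LoginButton; those names, the home page path and the post-login landing page are assumptions.

```csharp
// Login.aspx.cs (code-behind) - added example, not the poster's code.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class Login : Page
{
    // Control names are assumed; they must match the ids in Login.aspx.
    protected TextBox txtUser;
    protected TextBox txtPass;
    protected Label lblMessage;
    protected Button LoginButton;

    // Assumed paths: the public home page and the first page of the protected app.
    private const string HomePage = "/Default.aspx";
    private const string ProtectedStart = "/a/Default.aspx";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Forms authentication appends ?ReturnUrl=<requested page> when it
        // bounces an anonymous request to the login page. A request that
        // carries it came from someone who tried a protected URL, not from
        // the owner's official login link, so show the public home page
        // instead of a login form.
        if (!IsPostBack && Request.QueryString["ReturnUrl"] != null)
        {
            Response.Redirect(HomePage, true);
        }
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (ValidateUser(txtUser.Text, txtPass.Text))
        {
            // SetAuthCookie issues the ticket without honouring ReturnUrl;
            // RedirectFromLoginPage would send the user to whatever
            // ReturnUrl said, which is exactly the hint we are hiding.
            FormsAuthentication.SetAuthCookie(txtUser.Text, false);
            Response.Redirect(ProtectedStart, true);
        }
        else
        {
            // Same message for a bad user name and a bad password.
            lblMessage.Text = "Login failed.";
        }
    }

    private static bool ValidateUser(string user, string pass)
    {
        // Placeholder credential check: validates against a <credentials>
        // section in web.config. Replace with the site's own user store.
        return FormsAuthentication.Authenticate(user, pass);
    }
}
```

The trade-off is the one raised earlier in the thread: a genuine user who bookmarks a page under /a/ and lets the site bounce them will also land on the home page, so they need to know the official login link. If the login page is later moved into the main site, as considered in the reply above, both applications must use the same forms cookie name and the same machineKey, otherwise the protected application cannot read the ticket the main site issued.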
>Sounds a bit like chicken and egg. The forms authentication needs to know which page is the login page, otherwise it cannot provide access to that page and bypass the authentication for it.
Guess so. I suppose I could have the login page in the main site (ie not
in the secured bit), so there wouldn't be any problem getting at it when
not logged in.
> <snip> At the end of the day though, you're just practicing security through obscurity. Sure, do this if you want to, but I'd rather devote time and energy to making my site secure even if someone discovers the "protected" site. And this page will only stay hidden for so long. Once it's out in the open (and if it's believed the contents are high valued, and people suspect that you've hidden the login page as a security measure), you may be *more* likely to be attacked.
OK, maybe I didn't make myself quite clear enough. The problem I have is
that one of the pages in the secured folder generates a printable
invoice. This means that when the site owner prints an invoice, the URL
of this page will be shown in the footer. This is basically an
invitation to try loading the page. If an unauthorised user tries to
load the page, they get sent to the login page, which is an invitation
to try gaining access.
So, without any security measures, the simple act of sending out
invoices encourages ordinary people to try and hack the site.
My intention is to use URL rewriting so that the URL shown at the bottom
of the page is something like http://domain/order23.aspx, which is a
non-existent page. If they try to load it, they get a 404, which will
discourage 99.999% of people. That's a very good start.
Obviously there will always be determined hackers. This approach is not
expected to stop them, it is intended to keep the vast majority of
curious customers away from the protected part of the site. The issue of
securing the protected part from serious hackers is a separate one.
> The simple fact of the matter is: all web servers/web sites which are exposed to the internet get attacked.
Correct, and anything you can do to protect the server is worthwhile.
This approach is intended to keep the vast majority of interested, but
non-malicious people away from the private section of the site.
Thanks for the reply. Any further comments?
--
Alan Silver
(anything added below this line is nothing to do with me)
>If I understand correctly..... ... you want to permit authorised users to be allowed to visit domain/a, but you don't want to invoke the asp standard response of sending all unauth'd requests to the login page.
Correct so far ;-)
> In this case you need to make your own link to the username/password page from somewhere in domain/. Then you should protect the domain/a directory with Forms authentication, but using as the login page something like a 404, with no reference to logging in. This means that genuine users need to know they should login officially using the link you provide - they can't just navigate to domain/a and get redirected to the login page. Otherwise I don't see how you can distinguish between genuine "not logged in yet" users, and nasty creatures of the night.
OK, I tried that, but couldn't get it to work. I modified the web.config
file shown below to have the loginUrl set to the main home page. Trouble
was that even if I tried to load the login page directly, I just got
sent back to the home page!!
Any more ideas? Thanks
--
Alan Silver
(anything added below this line is nothing to do with me)
Hey Alan...create another folder and in there put all pages that you want to
be accessed by everyone without login. That's what I normally do. In the
Web.Config file of that folder allow all users to access it.
Kev.
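A web.config for the protected application that combines the two suggestions above (a 404-style page as the loginUrl, and a folder that everyone may reach), as an added example rather than anyone's posted config. It also shows why the earlier attempt failed: forms authentication only lets anonymous users through to the page named in loginUrl, so once loginUrl points elsewhere, Login.aspx is caught by `<deny users="?"/>` unless a `<location>` element opens it up. NotFound.aspx, Login.aspx and the folder name "public" are assumed names; NotFound.aspx is expected to set a 404 status code and say nothing about logging in.

```xml
<!-- web.config for the protected application (/a/). Added example, not the poster's file. -->
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" />
    <authentication mode="Forms">
      <!-- Anonymous requests for anything under /a/ are sent here. The page
           returns a 404 and gives no hint that a login page exists. -->
      <forms loginUrl="~/NotFound.aspx" />
    </authentication>
    <authorization>
      <!-- "?" means anonymous users; everything not opened below is denied. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- The real login page. Only the loginUrl page is exempt from the deny
       rule automatically, so this page must be allowed explicitly; it is
       reached only through the link on the public site. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Kev's suggestion: a folder whose pages anyone may load without logging in. -->
  <location path="public">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Worth checking once it is in place: request a page under /a/ anonymously and confirm the response is the 404 page with no ReturnUrl-bearing redirect to Login.aspx, then load Login.aspx directly and confirm it renders.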
Have the secure website generate invoices in the non-secure site,
redirect to there, prompt for printing (and have a service that deletes
these temp files after (5, 30, 2400)) minutes, depending on your
security requirements. Or generate the invoices as rtf files (which
should download locally before printing).
Either way, accept the fact that people will attempt to hack your site.
There's nowt you can do to affect that.
Damien
>Have the secure website generate invoices in the non-secure site, redirect to there, prompt for printing (and have a service that deletes these temp files after (5, 30, 2400)) minutes, depending on your security requirements. Or generate the invoices as rtf files (which should download locally before printing).
Some good ideas there, thank you.
> Either way, accept the fact that people will attempt to hack your site. There's nowt you can do to affect that.
Oh I know that. I have other security measures in place and am looking
into others.
Thanks for the reply.
--
Alan Silver
(anything added below this line is nothing to do with me)