web.config roles

Hi,

I have a default.aspx which allows the user to choose between module Admin
and module B. When the user clicks either one, he will be redirected to a
FormsAuthentication login page. The problem I have is that currently, users
of one module are able to access the other since I have only 1 login page.
How do I prevent this ?

I am not sure how to go about configuring the web.config file for having 2
modules that have a separate set of users for each. The files are all in the
same directory.

I've written the code for the login using the genericprincipal class etc.
However, I got the error at "Thread was aborted" on my Login.aspx. I can't
figure out why. The debugger jumps to the exception at the
"Response.Redirect" (last) line:

FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
    (string)Session["UserLoginName"], DateTime.Now, DateTime.Now.AddMinutes(30),
    false, (string)Session["UserDomain"]);
// Encrypt the ticket
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket as data
HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName,
    encryptedTicket);
// Add the cookie to the outgoing cookies collection
Response.Cookies.Add(authCookie);
Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUserName.Text, true));

Am I on the right path ? Any help appreciated.
regards,
andrew
Mar 30 '06 #1
You can use location path like below.
You can even add, for example, the admin.aspx page to the location path,
then deny users or allow users.

<configuration>

  <appSettings/>
  <connectionStrings/>

  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>

  <location path="Users">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>

  <system.web>
    <compilation debug="true" />
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="10">
      </forms>
    </authentication>
  </system.web>

</configuration>

Patrick
Mar 30 '06 #2
Hi,
Thanks for your reply.

What I have tried is to use a role-based authorization.
I have 3 web.config files, one in the main folder and one each in the 2
subfolders.
My main web.config has:
<authentication mode="Forms">
  <forms name="logincookie" path="/" loginUrl="UserLogin.aspx?Action=login"
         protection="All" timeout="60" />
</authentication>

<authorization>
  <deny users="?" />
</authorization>

<location path="default.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

My subfolder web.config has:
<authentication mode="Forms">
  <forms name="logincookie" path="/"
         loginUrl="../UserLogin.aspx?Action=login" protection="All" timeout="20" />
</authentication>

<authorization>
  <deny users="?"/>
  <allow roles="Admin"/>
</authorization>

<location path="Admin">
  <system.web>
    <authorization>
      <deny users="*"/>
      <allow roles="Admin"/>
    </authorization>
  </system.web>
</location>

Any help appreciated. Am I on the right track ?
regards,
andrew
Mar 30 '06 #3
I forgot to add that it is not working.
My login page keeps getting redirected back to itself. The URL is:
http://localhost/MainFolder/UserLogi...erA%2fxxx.aspx

Note: xxx.aspx is located within FolderA of the MainFolder.
Mar 30 '06 #4
DWS
Andrew,
Yeah, you're on the right track, and I have divined that you've used the
ASP.NET configuration tool's security tab because you have a web.config file
in your subfolder.

Problem:
deny users="?" reads "deny users that aren't authenticated to ASP.NET"; once
logged in, they could go to the admin folder.

Solution: deny users="*" wildcard to exclude everyone.

The authorization works top to bottom: you're in or you're out. There is no
middle-ground logical processing, so you have to allow admin first, then deny
everyone.

Your new web.config for the admin folder:
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <authorization>
      <allow roles="Admin"/> <!-- admin is allowed -->
      <deny users="*"/> <!-- man nobody gets by the wildcard -->
    </authorization>
  </system.web>
</configuration>

Try it and watch how ASP.NET adds a query string "ReturnUrl" to redirect after
login. Cool stuff: it will pick up the location of the login page from the
root web.config and automatically redirect there if it needs to. Once you log
in, ASP.NET will automatically redirect you back to the page that needs
authentication, like any page in the admin folder.

Good Luck
DWS
Mar 30 '06 #5
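
The top-to-bottom, first-match evaluation DWS describes, as an added Python model that is not part of the original thread and is not ASP.NET code. The rule lists are the ones posted above; the three identities (anonymous, bob, alice) are constructed, and the final allow-all rule stands for the default inherited from the machine-level configuration.

```python
# Model of ASP.NET URL authorization rule evaluation (not ASP.NET code).
# Rules are checked in order and the first rule that matches the request decides.

# Default inherited from the machine-level configuration: <allow users="*"/>.
MACHINE_DEFAULT = [("allow", "users", "*")]

# Rule lists copied from the thread, in the order they were posted.
ROOT = [("deny", "users", "?")]
ANDREW_SUBFOLDER = [("deny", "users", "?"), ("allow", "roles", "Admin")]
ANDREW_LOCATION = [("deny", "users", "*"), ("allow", "roles", "Admin")]
DWS_ADMIN_FOLDER = [("allow", "roles", "Admin"), ("deny", "users", "*")]

# Constructed test identities: (user name or None for anonymous, roles).
ANONYMOUS = (None, ())
MODULE_B_USER = ("bob", ("ModuleB",))
ADMIN_USER = ("alice", ("Admin",))


def rule_matches(kind, value, user, roles):
    """Return True if one <allow>/<deny> attribute applies to this request."""
    names = [v.strip() for v in value.split(",")]
    if kind == "users":
        if "*" in names:
            return True                      # everyone
        if "?" in names and user is None:
            return True                      # anonymous only
        return user is not None and user in names
    if kind == "roles":
        return any(role in names for role in roles)
    raise ValueError("unknown rule kind: " + kind)


def effective_rules(*levels):
    """Merge rule lists, most specific level first, ending with the default."""
    merged = []
    for level in levels:
        merged.extend(level)
    return merged + MACHINE_DEFAULT


def is_allowed(rules, identity):
    """First matching rule wins; returns True for allow, False for deny."""
    user, roles = identity
    for action, kind, value in rules:
        if rule_matches(kind, value, user, roles):
            return action == "allow"
    return False  # not reached while MACHINE_DEFAULT ends the list


def decisions(rules):
    """Evaluate the three constructed identities against one rule list."""
    return {
        "anonymous": is_allowed(rules, ANONYMOUS),
        "module_b": is_allowed(rules, MODULE_B_USER),
        "admin": is_allowed(rules, ADMIN_USER),
    }


if __name__ == "__main__":
    cases = {
        "Andrew, subfolder web.config": effective_rules(ANDREW_SUBFOLDER, ROOT),
        "Andrew, <location path=\"Admin\">": effective_rules(
            ANDREW_LOCATION, ANDREW_SUBFOLDER, ROOT),
        "DWS, admin folder web.config": effective_rules(DWS_ADMIN_FOLDER, ROOT),
    }
    for label, rules in cases.items():
        print(label, decisions(rules))
```

With Andrew's subfolder rules an authenticated non-admin falls through to the inherited allow-all rule, and with deny users="*" listed first even a member of Admin is denied. The model receives roles directly; in the application a roles rule can only match roles that are attached to the request's principal.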
Hi,

I should have said that I am still using ASP.NET 1.0.
I did as you suggested and I got an error saying that "Thread is being aborted"
when it hits the "Response.Redirect" line in my UserLogin.aspx page; it then
jumps to my catch(Exception ex) error handler. Here is an excerpt of my
login page:

string returnUrl = Request.QueryString["ReturnUrl"];
if (returnUrl == null) returnUrl = "UserLogin.aspx";
lblMessage.Text = returnUrl;
Response.Redirect(returnUrl);

When using the debugger I could see that the returnUrl value is:
/MainFolder/FolderA/AdminMenu.aspx
which is correct.
Don't know why.. Help ??

regards,
andrew
Mar 31 '06 #6
