ASP.NET Authentication exception case

  • Thread starter Thread starter Jay
  • Start date Start date
J

Jay

I have authentication set for my site but I need one page to be an exception
case. Namely my forgot password page. How do I tell the webconfig file to
authenciate all pages except one page?

Thank You for any input on this matter!
 
Hi Jay,
Web.Config decides authentication for the whole application.
However, you can ensure a separate authentication level for a set of web
pages by partitioning your application. You need to create a subdirectory to
collect all the secure pages and set a different authentication for them in
web.config.
Refer the following articles in MSDN to get detailed informatio
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh10.asp

Also refer use of the tag <location> that tells you how to set
authorization for different sub directories.
I hope it helps. Thank you

Guest
 
I think you want something like the following - this states that no
unauthorised users can access any page in the app then goes on to define the
exception case where any users can access the ForgotPassword.aspx page. If
you need multiple pages to be excepted then you can add multiple <location>
entities under the <configuration> root.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="ForgotPassword.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
 
It doesn't seem to like the authorization tag underneath the location tag

I added it at the end after the closing tag of system.web and with in the
configuration tag?

Is that right?
<?xml version="1.0" encoding="utf-8" ?>

<configuration>

<appSettings>

<add key="ConnectionString"

value="Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=F:\data\library.mdb;Persist Security Info=False">

</add>

</appSettings>

<system.web>

<!-- DYNAMIC DEBUG COMPILATION

Set compilation debug="true" to enable ASPX debugging. Otherwise, setting
this value to

false will improve runtime performance of this application.

Set compilation debug="true" to insert debugging symbols (.pdb information)

into the compiled page. Because this creates a larger file that executes

more slowly, you should set this value to true only when debugging and to

false at all other times. For more information, refer to the documentation
about

debugging ASP.NET files.

-->

<compilation

defaultLanguage="c#"

debug="true"

/>

<!-- CUSTOM ERROR MESSAGES

Set customErrors mode="On" or "RemoteOnly" to enable custom error messages,
"Off" to disable.

Add <error> tags for each of the errors you want to handle.

"On" Always display custom (friendly) messages.

"Off" Always display detailed ASP.NET error information.

"RemoteOnly" Display custom (friendly) messages only to users not running

on the local Web server. This setting is recommended for security purposes,
so

that you do not display application detail information to remote clients.

-->

<customErrors

mode="RemoteOnly"

/>

<!-- AUTHENTICATION

This section sets the authentication policies of the application. Possible
modes are "Windows",

"Forms", "Passport" and "None"

"None" No authentication is performed.

"Windows" IIS performs authentication (Basic, Digest, or Integrated Windows)
according to

its settings for the application. Anonymous access must be disabled in IIS.

"Forms" You provide a custom form (Web page) for users to enter their
credentials, and then

you authenticate them in your application. A user credential token is stored
in a cookie.

"Passport" Authentication is performed via a centralized authentication
service provided

by Microsoft that offers a single logon and core profile services for member
sites.

-->

<authentication mode="Forms">

<forms name=".COOKIEDEMO"

loginUrl="register.aspx?tab=register"

protection="All"

timeout="30"

path="/"/>

</authentication>

<!-- AUTHORIZATION

This section sets the authorization policies of the application. You can
allow or deny access

to application resources by user or role. Wildcards: "*" mean everyone, "?"
means anonymous

(unauthenticated) users.

-->

<authorization>

<deny users="?" />

<!-- Allow all users -->

<!-- <allow users="[comma separated list of users]"

roles="[comma separated list of roles]"/>

<deny users="[comma separated list of users]"

roles="[comma separated list of roles]"/>

<allow users="*" />

-->

</authorization>

<!-- APPLICATION-LEVEL TRACE LOGGING

Application-level tracing enables trace log output for every page within an
application.

Set trace enabled="true" to enable application trace logging. If
pageOutput="true", the

trace information will be displayed at the bottom of each page. Otherwise,
you can view the

application trace log by browsing the "trace.axd" page from your web
application

root.

-->

<trace

enabled="false"

requestLimit="10"

pageOutput="false"

traceMode="SortByTime"

localOnly="true"

/>

<!-- SESSION STATE SETTINGS

By default ASP.NET uses cookies to identify which requests belong to a
particular session.

If cookies are not available, a session can be tracked by adding a session
identifier to the URL.

To disable cookies, set sessionState cookieless="true".

-->

<sessionState

mode="InProc"

stateConnectionString="tcpip=127.0.0.1:42424"

sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"

cookieless="false"

timeout="20"

/>

<!-- GLOBALIZATION

This section sets the globalization settings of the application.

-->

<globalization

requestEncoding="utf-8"

responseEncoding="utf-8"

/>

</system.web>

<location path="Password.aspx">

<authorization>

<allow users="*" />

</authorization>

</location>

</configuration>
 
Include <system.web></system.web> inside <location> tag. So, your location
section would look like
<location path="Password.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

let me know if that helps

Guest


Jay said:
It doesn't seem to like the authorization tag underneath the location tag

I added it at the end after the closing tag of system.web and with in the
configuration tag?

Is that right?
<?xml version="1.0" encoding="utf-8" ?>

<configuration>

<appSettings>

<add key="ConnectionString"

value="Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=F:\data\library.mdb;Persist Security Info=False">

</add>

</appSettings>

<system.web>

<!-- DYNAMIC DEBUG COMPILATION

Set compilation debug="true" to enable ASPX debugging. Otherwise, setting
this value to

false will improve runtime performance of this application.

Set compilation debug="true" to insert debugging symbols (.pdb information)

into the compiled page. Because this creates a larger file that executes

more slowly, you should set this value to true only when debugging and to

false at all other times. For more information, refer to the documentation
about

debugging ASP.NET files.

-->

<compilation

defaultLanguage="c#"

debug="true"

/>

<!-- CUSTOM ERROR MESSAGES

Set customErrors mode="On" or "RemoteOnly" to enable custom error messages,
"Off" to disable.

Add <error> tags for each of the errors you want to handle.

"On" Always display custom (friendly) messages.

"Off" Always display detailed ASP.NET error information.

"RemoteOnly" Display custom (friendly) messages only to users not running

on the local Web server. This setting is recommended for security purposes,
so

that you do not display application detail information to remote clients.

-->

<customErrors

mode="RemoteOnly"

/>

<!-- AUTHENTICATION

This section sets the authentication policies of the application. Possible
modes are "Windows",

"Forms", "Passport" and "None"

"None" No authentication is performed.

"Windows" IIS performs authentication (Basic, Digest, or Integrated Windows)
according to

its settings for the application. Anonymous access must be disabled in IIS.

"Forms" You provide a custom form (Web page) for users to enter their
credentials, and then

you authenticate them in your application. A user credential token is stored
in a cookie.

"Passport" Authentication is performed via a centralized authentication
service provided

by Microsoft that offers a single logon and core profile services for member
sites.

-->

<authentication mode="Forms">

<forms name=".COOKIEDEMO"

loginUrl="register.aspx?tab=register"

protection="All"

timeout="30"

path="/"/>

</authentication>

<!-- AUTHORIZATION

This section sets the authorization policies of the application. You can
allow or deny access

to application resources by user or role. Wildcards: "*" mean everyone, "?"
means anonymous

(unauthenticated) users.

-->

<authorization>

<deny users="?" />

<!-- Allow all users -->

<!-- <allow users="[comma separated list of users]"

roles="[comma separated list of roles]"/>

<deny users="[comma separated list of users]"

roles="[comma separated list of roles]"/>

<allow users="*" />

-->

</authorization>

<!-- APPLICATION-LEVEL TRACE LOGGING

Application-level tracing enables trace log output for every page within an
application.

Set trace enabled="true" to enable application trace logging. If
pageOutput="true", the

trace information will be displayed at the bottom of each page. Otherwise,
you can view the

application trace log by browsing the "trace.axd" page from your web
application

root.

-->

<trace

enabled="false"

requestLimit="10"

pageOutput="false"

traceMode="SortByTime"

localOnly="true"

/>

<!-- SESSION STATE SETTINGS

By default ASP.NET uses cookies to identify which requests belong to a
particular session.

If cookies are not available, a session can be tracked by adding a session
identifier to the URL.

To disable cookies, set sessionState cookieless="true".

-->

<sessionState

mode="InProc"

stateConnectionString="tcpip=127.0.0.1:42424"

sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"

cookieless="false"

timeout="20"

/>

<!-- GLOBALIZATION

This section sets the globalization settings of the application.

-->

<globalization

requestEncoding="utf-8"

responseEncoding="utf-8"

/>

</system.web>

<location path="Password.aspx">

<authorization>

<allow users="*" />

</authorization>

</location>

</configuration>
Click to expand...
 
Back
Top