Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

password protection with web.config

Posted on 2013-05-19
9
Medium Priority
?
618 Views
Last Modified: 2013-05-28
I have set up password protection for my entire site using web.config

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <connectionStrings>
    <add name="ApplicationServices" connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|\aspnetdb.mdf;User Instance=true" providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <forms name="testing" loginUrl="~/Account/Login.aspx" protection="All" timeout="30" path="/">
        <credentials passwordFormat="Clear">
          <user name="user" password="password"/>
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
    
    <compilation targetFramework="4.0" />
    <pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" />
  </system.web>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
        <defaultDocument>
            <files>
                <clear />
                <add value="default.aspx" />
                <add value="Default.htm" />
                <add value="Default.asp" />
                <add value="index.htm" />
                <add value="index.html" />
                <add value="iisstart.htm" />
            </files>
        </defaultDocument>
  </system.webServer>
</configuration>

Open in new window


Here is my cs file fro the login page
public partial class login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }
    protected void Button1_Click(object sender, EventArgs e)
    {
        if (FormsAuthentication.Authenticate(UserName.Value,
                                             UserPass.Value))
        {
            FormsAuthentication.RedirectFromLoginPage(UserName.Value, true);
        }
        else
        {
            Msg.Text = "Invalid Credentials: Please try again";
        }
    }
}

Open in new window


This works if I type in the domain name plus a page name, but if i type in only the domain name itself, the redirect aspect of the url for the login page has no page in the url query string, so redirectfromloginpage method has no page argument that it can get from the url and instead it keeps coming back to the login page, even after a successful login.

So how do i solve this problem?
0
Comment
Question by:BobHavertyComh
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
9 Comments
 
LVL 29

Expert Comment

by:Kumaraswamy R
ID: 39190226
0
 
LVL 11

Expert Comment

by:madgino
ID: 39190925
You have a number of options:
- add default.aspx to project which will be loaded if you use only domain name
- add defaultUrl value in webconfig / authentication section / forms tag
- check for page argument using GetRedirectUrl and use SetAuthCookie instead RedirectFromLoginPage
0
 
LVL 9

Author Comment

by:BobHavertyComh
ID: 39200733
rkworlds, that is a good answer but it wasn't really relevant to my question as far as I can tell.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 9

Author Comment

by:BobHavertyComh
ID: 39200741
madgino

option one - default.aspx iset set as the default in the IIS
option two -  can you give me an example of such an entry?

I do have an entry but not where you say
<modules runAllManagedModulesForAllRequests="true" />
        <defaultDocument>
            <files>
                <clear />
                <add value="default.aspx" />
                <add value="Default.htm" />
                <add value="Default.asp" />
                <add value="index.htm" />
                <add value="index.html" />
                <add value="iisstart.htm" />
            </files>
        </defaultDocument>

option 3 -  I don't know what you mean. I can see the page url and after the query string, it has no url redirect value only 2f because it's not picking up a particular page that was requested when i just type the domain name in. It DOES works if I type in domainname/default.aspx. Then that page shows up in the return url value after the query string on the login page
0
 
LVL 11

Expert Comment

by:madgino
ID: 39200772
option 2, in web.config
<authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="All" timeout="10" name="AuthCookie" path="/" requireSSL="true" slidingExpiration="true" defaultUrl="default.aspx" cookieless="UseDeviceProfile" enableCrossAppRedirects="false">
      </forms>
</authentication>

Open in new window


option 3
if (FormsAuthentication.Authenticate(UserName.Value, UserPass.Value))
{
	if (FormsAuthentication.GetRedirectUrl(UserName.Value,false)!="")
    {
        FormsAuthentication.RedirectFromLoginPage(UserName.Value, true);
    }
    else
    {
        FormsAuthentication.SetAuthCookie(UserName.Value, true);
        response.redirect("default.aspx",true);
    }
}
else
{
    Msg.Text = "Invalid Credentials: Please try again";
}

Open in new window

0
 
LVL 9

Author Comment

by:BobHavertyComh
ID: 39201825
Okay, won't option 2  and 3 always redirect to default.aspx?

RedirectFromLoginPage uses a url recorded in the query string you see in the login page that saves what the requested page was and uses it to redirect to that page after successful. So if I tried to go directly to mydomain.com/frib.aspx,  and haven't signed in, it is supposed to redirect to the login page and put frib.aspx in the query string so that it goes to that page rather than default.aspx if that was the page i was trying to get to.

So am i missing something?

One thing that I know is that the requested page has to be in the url query string of the login page to tell RedirectFromLoginPage where to go after successful login. Sometimes they may want to go directly to a sub page, or their login has timed out, so a value of either the requested page or the current page they were on has to show up in the query string when the login page comes up.

It does show up in the query string if I try to access an explicit page, but if I just type in domainname.com, expecting it to default to default.aspx, as it has done before I added the password stuff, no page shows up in the query string of the url of the login page.

So I'm giving you lots of hints, and i actually know what I'm doing, but I just can't seem to figure this one out. Maybe it's because I'm running off of localhost when i access it internally and somehow my IIS or something else is not set up correctly?
0
 
LVL 11

Accepted Solution

by:
madgino earned 2000 total points
ID: 39202226
All the options I gave you are for the case when the redirect url is missing, which from what I understood is your case. If you have an url in querystring it will redirect the user to it after login.
0
 
LVL 9

Author Comment

by:BobHavertyComh
ID: 39203009
But if I merely type in mydomain.com,  default.aspx doesn't show up in the query string of the URL of the login page to make the RedirectFromLoginPage method on login.aspx.cs know which original page that the user was trying to get to if they typed in mydomain.com. If a specific page after the domain name is typed in, such as mydomain.com/default.aspx. or even mydomain.com/frib.aspx, then default.aspx and frib.aspx show up in the query string  of the login page url and the RedirectFromLoginPage  method has a page to use as an argument for it's method call for where to redirect to after successful login.

I'm sorry if I am either explaining this so badly, or I just don't understand something, but I read the documentation of the RedirectFromLoginPage method, and it needs a page value from the login.aspx  query string of it's url in order to redirect somewhere.

I'm sorry if I'm being completely clueless, but i have "some" understanding of these things.. i read the documentation of the RedirectFromLoginPage method. So am i missing something completely obvious in your explanation? If so, i apologize, but can you spell it out for me? Thank you.
0
 
LVL 9

Author Closing Comment

by:BobHavertyComh
ID: 39203014
Sorry, I was missing something. Thanks.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick way to get a menu to work on our website, is using the Menu control and assign it to a web.sitemap using SiteMapDataSource. Example of web.sitemap file: (CODE) Sample code to add to the page menu: (CODE) Running the application, we wi…
Wouldn’t it be nice if you could test whether an element is contained in an array by using a Contains method just like the one available on List objects? Wouldn’t it be good if you could write code like this? (CODE) In .NET 3.5, this is possible…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question