Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 358
  • Last Modified:

Forms Authentication not protecting html files

Hi Experts I have a sub folder with .aspx and .html files. I have Forms Authentication set up in such a way to allow access to the entire site but restrict access to an admin folder. I have noticed that navigating to the full path of an HTML file inside the admin folder allows me access however all .aspx files operate as expected i.e. redirect to login page if user is not authenticated. Any ideas?

Root web.config is as follows;

    <authentication mode="Forms">
      <forms name="appNameAuth" loginUrl="login.aspx" timeout="30" defaultUrl="~/Admin/Tools.aspx">
      </forms>
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>

  </system.web>

  <location path="Admin">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>

Open in new window

0
takwirirar
Asked:
takwirirar
  • 2
  • 2
1 Solution
 
Shaun KlineLead Software EngineerCommented:
Change the extension of the pages to .aspx. ASPX pages are handled through an add-on in IIS, while HTML pages are handled directly by IIS.
0
 
takwirirarAuthor Commented:
Hi Shaun, thanks for that, what would happen then if I had other file types to be protected that I could not change to .aspx without breaking they way they work e.g. a .PDF file?
0
 
Shaun KlineLead Software EngineerCommented:
One suggestion is to add the following to the system.webserver section of your web.config file:
<modules runAllManagedModulesForAllRequests="false">
      <remove name="FormsAuthenticationModule" />
      <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"  />
      <remove name="RoleManager" />
      <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>

Open in new window


The first module handles the forms authentication that you are already doing. The second module handles URL authentication (Microsoft website.
The third module handles role authentication, if you are using it.
The fourth module verifies that the user has been authenticated.
0
 
takwirirarAuthor Commented:
Wow!!!
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now