asp.net 4.5 Framework Identity Block anonymous users

All replies

  • User281315223 posted

    It almost looks like you have some kind of loop within your code as your QueryString continually repeats the Account/Login values for your ReturnUrl value.

    If you are using ASP.NET MVC, one of the easiest methods to avoid unauthorized users would be to simply place an [Authorize] attribute on a particular Controller / Action that you don't want to allow anonymous users to access :

    [Authorize]
    public class SecureController : Controller
    {
         // All of the actions in this area will require the user to be authorized to access
    }

    Additionally, you could always extend the amount of characters that your QueryString accepts as mentioned in this Stack Overflow discussion by adding the following to your web.config :

    <system.webServer>
      <security>
        <requestFiltering>
          <requestLimits maxQueryString="YourMaxSizeHere"/>
        </requestFiltering>
      </security>
    </system.webServer>

    and / or :

    <httpRuntime maxQueryStringLength="32768" maxUrlLength="65536"/>

    Monday, April 14, 2014 4:23 PM
  • User1442286028 posted

    This is an asp.net web forms site

    This is the authentication in web.config

    <authentication mode="Forms">
    <forms loginUrl="/Account/Login.aspx" protection="All" timeout="30" name=".ASPXAUTH" path="/" requireSSL="false" slidingExpiration="true" defaultUrl="Default.aspx"
    cookieless="UseDeviceProfile" />
    </authentication>

    <location path="Account/Login.aspx">
    <system.web>
    <authorization>
    <allow users ="*"/>
    </authorization>
    </system.web>
    </location>
    <system.web>
    <authorization>
    <deny users ="?"/>
    </authorization>
    </system.web>

    When I put a break on the page load event of Login, Default, and site.Master the code never gets to any of those locations

    I can see that it looks like I am in an endless loop just trying to figure out what is causing this loop

    Monday, April 14, 2014 4:31 PM
  • User1140095199 posted

    Hi,

    This is the authentication in web.config

    <authentication mode="Forms">
    <forms loginUrl="/Account/Login.aspx" protection="All" timeout="30" name=".ASPXAUTH" path="/" requireSSL="false" slidingExpiration="true" defaultUrl="Default.aspx"
    cookieless="UseDeviceProfile" />
    </authentication>

    <location path="Account/Login.aspx">
    <system.web>
    <authorization>
    <allow users ="*"/>
    </authorization>
    </system.web>
    </location>
    <system.web>
    <authorization>
    <deny users ="?"/>
    </authorization>
    </system.web>

    When I put a break on the page load event of Login, Default, and site.Master the code never gets to any of those locations

    I can see that it looks like I am in an endless loop just trying to figure out what is causing this loop

    The above issue is occurring because the configuration is NOT right. It is trying to access and redirecting again and again and appending data to the URL, hence it's surpassing the Max Length of the QueryString.

    Replace the Code with:

    <configuration>
       <location path="~/Account/Login.aspx">
          <system.web>
             <authorization>
                <allow users="*"/>
                <deny users="?"/>
             </authorization>
          </system.web>
       </location>
    </configuration>

    AND:

    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login.aspx" timeout="2880" defaultUrl="~/"
             cookieless="UseDeviceProfile" />
    </authentication>
     <forms loginUrl="/Account/Login.aspx" 

    Keep it simple. Remove things that are NOT required. I use a simple one. Here is my configuration that works perfectly:

        <authentication mode="Forms">
          <forms loginUrl="~/Account/Login" timeout="2880" defaultUrl="~/" />     
        </authentication>
    
    
        <authorization>
          <allow roles="Admin"/>
          <allow users="*"/>
          <deny users="?"/>
        </authorization>

    Hope it helps!

    Best Regards!

    Wednesday, April 16, 2014 12:06 AM
  • User1442286028 posted

    I am still getting the same error

    The main Web.config

    <location path="~/Default.aspx">
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </location>
    <system.web>
      <authorization>
        <allow roles="Admin,Client"/>
        <deny users ="?"/>
      </authorization>
    </system.web>

    then in the Account folder I have a web.config

    <?xml version="1.0"?>
    <configuration>
      <location path="Manage.aspx">
        <system.web>
          <authorization>
            <deny users="?"/>
          </authorization>
        </system.web>
      </location>
      <location path="Register.aspx">
        <system.web>
          <authorization>
            <allow roles="Admin"/>
            <deny users="*"/>
          </authorization>
        </system.web>
      </location>
      <location path="Login.aspx">
        <system.web>
          <authorization>
            <allow users ="*"/>
          </authorization>
        </system.web>
      </location>
      <location path="ForgotPassword.aspx">
        <system.web>
          <authorization>
            <allow users ="*"/>
          </authorization>
        </system.web>
      </location>
    </configuration>

    Wednesday, April 16, 2014 8:06 AM
  • User1442286028 posted

    GMT Location: /Account/Login.aspx?ReturnUrl=%2fDefault.aspx Server: Microsoft-IIS/8.0 X-AspNet-Version: 4.0.30319 X-SourceFiles: =?UTF-8?B?

    is in the first log file, then with each log file I get

    localhost:49582/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl%253D%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252fDefault.aspx Server: Microsoft-IIS/8.0 X-AspNet-Version: 4.0.30319 X-SourceFiles: =?UTF-8?B?

    It seems like it is in an endless loop that it tries to navigate to default that forces it to redirect to login page but instead of showing the login page it creates another return url to the query string.

    I have put a break on the Page_Load Event of the login page and default page but it never makes it to the break

    Thursday, April 17, 2014 9:13 AM
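
The nesting in the logged URL above can be unwrapped mechanically to confirm that the login path keeps redirecting to itself. This is an added example, not code from any post in this thread; the function names and the threshold are assumptions, and the sample URLs are constructed to follow the pattern in the log.

```python
from urllib.parse import urlsplit, parse_qs, quote

LOGIN_PATH = "/Account/Login"  # login path as it appears in the thread's log

def wrap_in_login_redirect(target, times):
    """Constructed sample: wrap `target` in a login redirect `times` times,
    the way each denied request for the login page adds another ReturnUrl."""
    url = target
    for _ in range(times):
        url = LOGIN_PATH + "?ReturnUrl=" + quote(url, safe="")
    return url

def return_url_chain(url, max_depth=64):
    """Unwrap nested ReturnUrl parameters; return the path seen at each level."""
    chain = []
    for _ in range(max_depth):
        parts = urlsplit(url)
        chain.append(parts.path)
        # Query keys are compared case-insensitively; parse_qs decodes one level.
        params = {k.lower(): v for k, v in parse_qs(parts.query).items()}
        if "returnurl" not in params:
            break
        url = params["returnurl"][0]
    return chain

def is_login_redirect_loop(url, threshold=2):
    """True when the login path points back at itself `threshold` or more times."""
    chain = return_url_chain(url)
    self_redirects = sum(
        1 for current, nxt in zip(chain, chain[1:])
        if current.lower() == nxt.lower() == LOGIN_PATH.lower()
    )
    return self_redirects >= threshold

if __name__ == "__main__":
    looping = wrap_in_login_redirect("/Default.aspx", 6)  # constructed sample
    print(looping)
    print(return_url_chain(looping))
    print("loop detected:", is_login_redirect_loop(looping))
```

A single wrap (`/Account/Login?ReturnUrl=%2FDefault.aspx`) is the normal forms-authentication redirect; only repeated self-reference of the login path is flagged.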
  • User465171450 posted

    You've set it so that only logged in users can view your login page.

    <allow users="*"> tells it only logged in users. You need to allow anonymous users, otherwise how will they be able to login?

    Thursday, April 17, 2014 3:26 PM
  • User1442286028 posted

    Ok I switch it and still the same error.

    it is now

    <location path="Login.aspx">
        <system.web>
          <authorization>
            <allow users ="?"/>
            <deny users="*"/>
          </authorization>
        </system.web>
      </location>

    Ok so that error is because the page is being blocked. I get the same error when I deny access to the login page. The real question is why is it being blocked

    When I have

    <system.web>
        <authorization>
          <deny users ="?"/>
        </authorization>
      </system.web>

    It gets blocked, when I remove it and block individual pages it works fine. I added a web.config to the Account folder so that it would override the main web.config but I get the same error.

    Thursday, April 17, 2014 4:16 PM
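
How `<allow>` and `<deny>` rules like those quoted in this thread evaluate can be checked with a small model of first-match URL authorization. This is an added example, not code from any post and not the framework's implementation; the function names are hypothetical, `<location>` paths are assumed to match exact file paths only, and the rule lists are copied from the configuration posted above.

```python
# Simplified model of ASP.NET URL authorization (not the framework's code).
# A rule is (action, kind, value), mirroring <allow|deny users|roles="..."/>.
MACHINE_DEFAULT = [("allow", "users", "*")]  # inherited default: allow everyone

def rule_applies(rule, user, roles):
    """user is None for an anonymous request, otherwise the user name."""
    _, kind, value = rule
    names = [n.strip() for n in value.split(",")]
    if kind == "roles":
        return any(n in roles for n in names)
    if "*" in names:          # "*" matches every user, anonymous included
        return True
    if user is None:          # "?" matches anonymous users only
        return "?" in names
    return user in names

def is_authorized(path, user, roles, location_rules, root_rules):
    """First matching rule wins; <location> rules are checked before root rules.
    Assumption: location paths are compared as exact, case-insensitive paths."""
    key = path.strip("/").lower()
    rules = location_rules.get(key, []) + root_rules + MACHINE_DEFAULT
    for rule in rules:
        if rule_applies(rule, user, roles):
            return rule[0] == "allow"
    return False

# Rule lists copied from the configuration posted in the thread.
ROOT = [("deny", "users", "?")]
LOCATIONS = {"account/login.aspx": [("allow", "users", "*")]}

def anonymous_access(paths):
    """Map each path to whether an anonymous request would be authorized."""
    return {p: is_authorized(p, None, set(), LOCATIONS, ROOT) for p in paths}

if __name__ == "__main__":
    paths = ["/Default.aspx", "/Account/Login.aspx", "/Account/Login"]
    for path, ok in anonymous_access(paths).items():
        print(f"{path:22} {'allowed' if ok else 'denied, redirect to loginUrl'}")
```

In this model the extensionless `/Account/Login` seen in the log has no matching `<location>` entry, so it falls through to the site-wide `<deny users="?"/>`.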
  • User1442286028 posted

    Ok after some more changes I no longer get the error page

    Now I simply get the "This page can't be displayed" page

    the address it is trying to connect to is http://localhost:49582/Default.aspx

    for some reason it is not getting redirected to the Account/Login.aspx page

    If I navigate to http://localhost:49582/account/login it works

    Monday, April 21, 2014 12:15 PM