Default page in subfolder

  • Question

  • User-1802931265 posted

    We have a webforms website with the normal web.config in the site root. In the config, we have the lines:

        <authentication mode="Forms">
          <forms name=".OurAuth" loginUrl="~/secure/Login.aspx" protection="All" timeout="25" slidingExpiration="true" />
        </authentication>

    and

      <location path="secure/Login.aspx">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>
    
      <location path="m/index.htm">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>

    When the user logs in, they're taken to /mysite/secure/login.aspx. On that page, there's a link to the subfolder m, which also has a web.config which contains:

      <system.webServer>
        <defaultDocument enabled="true">
          <files>
            <clear/>
            <add value="index.htm" />
          </files>
        </defaultDocument>
      </system.webServer>
    
      <location path="login.asp">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>

    So the default document in subfolder M is index.htm, which seems to just have a meta refresh to login.asp (yes, asp!)

    Since upgrading from framework 3.5 to framework 4.5, the login.asp is never reached; it's just redirected back to the site's normal /secure/login.aspx. However, if we go directly to m/login.asp from the first screen then it works fine.

    So there's a simple fix, but I'm trying to work out what's changed between the two versions.

    Tuesday, May 5, 2020 9:13 AM


All replies

  • User1535942433 posted

    Hi Adrian_Parker,

    According to your description, as far as I think, you have set form authentication. Once a user is authenticated, forms authentication maintains an authentication ticket in a cookie or in the URL so that an authenticated user does not need to supply credentials with each request. So, you always return to secure/Login.aspx.

    Besides, allow users * allows all users and '?' allows users who aren't logged in.

    Could you tell us what you want to know about the difference between framework 3.5 and 4.5?

    For more details, you could refer to the code below:

    root web.config:

      <authentication mode="Forms">
        <forms name=".OurAuth" loginUrl="Login.aspx" protection="All" timeout="25" slidingExpiration="true" />
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>

    subfolder web.config:

      <system.webServer>
        <defaultDocument>
          <files>
            <clear />
            <add value="index.aspx" />
          </files>
        </defaultDocument>
      </system.webServer>
      <location path="entry.asp">
        <appSettings>
          <add key="Message" value="Subpage"/>
        </appSettings>
        <system.web>
          <authorization>
            <allow users="?" />
          </authorization>
        </system.web>
      </location>

    For more details, you could refer to the articles below:

    https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication?view=netframework-4.8

    https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/introduction/an-overview-of-forms-authentication-cs

    Best regards,

    Yijing Sun

    Wednesday, May 6, 2020 7:46 AM
  • User-1802931265 posted

    In framework 3.5 (vs2008), you could just refer to the m folder and the default page (index.htm) would be loaded and it would meta load the login.asp file. In 4.5 (vs2019) it never even tries to load the index.htm and just redirects back to /secure/login.aspx. The web.config sections are identical in both cases. The IIS is different: 7.5 vs 10.

    fiddler4 shows the 3.5 as...

    GET http://localhost/iweb79/m 301 Redirect to http://localhost/iweb79/m/
    Response:
    <head><title>Document Moved</title></head>
    <body><h1>Object Moved</h1>This document may be found <a HREF="http://localhost/iweb79/m/">here</a></body>

    GET http://localhost/iweb79/m/ 200 OK (text/html)
    Response:
    <!DOCTYPE html>
    <html>
    <head><meta http-equiv="refresh" content="0;URL='login.asp'" /></head>
    <body></body>
    </html>

    GET http://localhost/iweb79/m/login.asp 200 OK (text/html)

    Fiddler 4 shows the 4.5 as..

    GET http://localhost/iweb79/m   302 Redirect to /iweb79/secure/Login.aspx?ReturnUrl=%2fiweb79%2fm

    Response:
    <html><head><title>Object moved</title></head><body>
    <h2>Object moved to <a href="/iweb79/secure/Login.aspx?ReturnUrl=%2fiweb79%2fm">here</a>.</h2>
    </body></html>

    GET http://localhost/iweb79/secure/Login.aspx?ReturnUrl=%2fiweb79%2fm   200 OK (text/html)

    Wednesday, May 6, 2020 8:46 AM
  • User-1802931265 posted

    Aha, found it..  the difference is that in the new version, you have to explicitly set the sub folder permission whereas in the old one you didn't.. so adding 

      <location path="m">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>

    fixes the problem.

    All sorted now.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, May 6, 2020 10:35 AM
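
What the accepted fix changes for unauthenticated requests, as an added example that is not part of the original thread: a simplified Python model of `<location>` URL authorization, run over a constructed root web.config before and after the `<location path="m">` rule is added. The root `<deny users="?" />` is an assumption (the question does not show its root authorization), `m/report.aspx` is a hypothetical file, and comma-separated user lists and roles are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed root web.config: the question's <location> rules plus an ASSUMED
# root <deny users="?"/> (the question does not show its root authorization).
BEFORE = """<configuration>
  <system.web><authorization><deny users="?" /></authorization></system.web>
  <location path="secure/Login.aspx"><system.web><authorization>
    <allow users="*" /></authorization></system.web></location>
  <location path="m/index.htm"><system.web><authorization>
    <allow users="*" /></authorization></system.web></location>
</configuration>"""

# The fix from the accepted answer, appended to the same constructed file.
FIX = """<location path="m"><system.web><authorization>
    <allow users="*" /></authorization></system.web></location>
</configuration>"""
AFTER = BEFORE.replace("</configuration>", FIX)


def load_rules(config_xml):
    """Return {path: [(verb, users), ...]}; '' is the site root."""
    root = ET.fromstring(config_xml)
    rules = {"": [(r.tag, r.get("users"))
                  for r in root.findall("system.web/authorization/*")]}
    for loc in root.findall("location"):
        rules[loc.get("path").strip("/").lower()] = [
            (r.tag, r.get("users"))
            for r in loc.findall("system.web/authorization/*")]
    return rules


def anonymous_allowed(config_xml, url_path):
    """Simplified model: most specific scope first, first matching rule wins."""
    rules = load_rules(config_xml)
    parts = url_path.strip("/").lower().split("/")
    # Scopes from the full path up to the site root, e.g. m/x.aspx -> m -> ''.
    scopes = ["/".join(parts[:i]) for i in range(len(parts), -1, -1)]
    for scope in scopes:
        for verb, users in rules.get(scope, []):
            if users in ("*", "?"):  # both match an anonymous request
                return verb == "allow"
    return True  # no rule matched: the machine-level default is allow


def audit(config_xml, paths):
    """Map each path to whether an unauthenticated request would be let through."""
    return {p: anonymous_allowed(config_xml, p) for p in paths}
```

In this model the folder-level rule makes every path under `m` reachable without an authentication ticket, not only `index.htm`, so after applying the fix it is worth checking what else lives in that folder.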