Restricting anonymous access to login page not working

  • Question

  • User-542418535 posted

    Hello. I am using ASP.NET 2.0 on Windows Server 2008 and IIS 7. I have a website project which consists of two pages: Default.aspx and login.aspx. I have coded the login form on login.aspx using Forms Authentication in C# and I am successfully redirected to Default.aspx if I provide the correct username and password on login.aspx (credentials are hardcoded in web.config file). My issue is that I have been trying to restrict anonymous users so that they can only access the login.aspx page. Despite adding the necessary settings in the web.config, a user can directly visit the Default.aspx without being restricted. Below are the necessary changes I made to the website's web.config to attempt the restriction:

    <configuration>
        <system.web>

            <!-- Enable forms authentication using hardcoded password -->
            <authentication mode="Forms">
                <forms loginUrl="login.aspx" defaultUrl="Default.aspx">
                    <credentials passwordFormat="Clear">
                        <user name="user" password="somepassword"/>
                    </credentials>
                </forms>
            </authentication>

            <!-- Restrict anonymous user access -->
            <authorization>
                <deny users="?"/>
            </authorization>
        </system.web>

        <!-- only allow anonymous access to login.aspx -->
        <location path="login.aspx">
            <system.web>
                <authorization>
                    <allow users="*" />
                </authorization>
            </system.web>
        </location>

    </configuration>

    I have also enabled Forms Authentication and Anonymous Authentication in IIS for the website.

    Friday, June 23, 2017 1:59 PM

Answers

  • User-359936451 posted

    Ok, you have some design issues here. First, default.aspx is typically (almost always) the home page for the site and mapped that way by IIS. This means that any user coming to your site must land on this page. It's configurable, so you can change it, but that is much more work than you need to do.

    I would suggest you do this.

    Add a new page to your site; call it authHomePage.aspx or something unique. In the Page Load event for this page, add the following:

    ' Send any request without an authenticated identity back to the home page
    If Not Request.IsAuthenticated Then
         Server.Transfer("~/Default.aspx")
    End If
    

    This will send any non-authenticated user that tries to access your new web page back to the default.aspx home page.

    And then in your logon control, when a user is authenticated, also send them to the new page. You could also add a new folder to your project, place your new authHomePage.aspx file in that new folder, and build out an entirely secured-access-only section in your web site. Then, in this folder, add a web.config that only allows authenticated users.

    Hope this helps.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, June 23, 2017 2:25 PM