Web.config and login.aspx

  • Question

  • User1278566031 posted
    Hello friends,
    I have an admin folder which includes login.aspx, page1.aspx, page2.aspx and page3.aspx.
    The login page has user and pass entry which works fine and directs to page1.aspx.

    The problem is I can enter page2 and page3 without login. Everybody can see the page with the link: Www.hhhh.com/admin/page2.aspx


    How can I fix it in web.config? Thank you.
    Wednesday, August 20, 2014 2:16 PM

Answers

  • User590927031 posted

    You can have a Web.Config per folder specific to that.

    As well as allowing or denying access by logged in or not logged in, you can do much finer grained control by role per page.

    The basics are fairly well illustrated by this link:

    http://support.microsoft.com/kb/316871

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <!-- protection="None" (as in the KB sample) leaves the ticket cookie unencrypted and unsigned; use "All" outside a demo. -->
          <forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" />
        </authentication>
        <!-- This section denies anonymous users access to all files in this application except those you explicitly allow with another setting. -->
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
      <!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
      <location path="default1.aspx">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>
      <!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
      <location path="subdir1">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>
    </configuration>

    You can additionally use roles:

    <authorization>
         <allow roles="Administrators, Supervisors" />
         <deny users="*" />
    </authorization>

    And there's probably a lot more than you wanted to read about it here:

    http://www.asp.net/web-forms/tutorials/security/roles/role-based-authorization-cs

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, August 20, 2014 4:18 PM
  • User-398246787 posted

    try this


    <location path="admin/login.aspx">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

    <!-- Rules are checked in order and the first match wins: deny the anonymous user ("?") first, then allow everyone else.
         (deny users="*" followed by allow users="?" would deny everybody, logged in or not.) -->
    <location path="admin/page1.aspx">
      <system.web>
        <authorization>
          <deny users="?" />
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

    <location path="admin/page2.aspx">
      <system.web>
        <authorization>
          <deny users="?" />
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

    <location path="admin/page3.aspx">
      <system.web>
        <authorization>
          <deny users="?" />
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

    It will be even easier if you enable Roles.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Sunday, August 24, 2014 5:55 PM

All replies

  • User1278566031 posted

    Thanks for the answer, but I cannot achieve it.

    This is my web.config, and everyone can still enter these pages from outside.

    <?xml version="1.0"?>
    <configuration>
      <connectionStrings>
        <add name="AccessFileName" connectionString="~/App_Data/ASPNetDB.mdb" providerName="System.Data.OleDb"/>
      </connectionStrings>
     
      <location path="~/admin/login.aspx">
        <system.web>
          <authorization>
           
             <allow users="?"/>
          </authorization>
        </system.web>
      </location>
     
      <location path="~/admin/Tr.aspx">
        <system.web>
          <authorization>
            <allow users="web" />
            <deny users="?"/>
          </authorization>
        </system.web>
      </location>
     
      <location path="~/admin/Txt.aspx">
        <system.web>
          <authorization>
            <allow users="web" />
            <deny users="?"/>
          </authorization>
        </system.web>
      </location>


      <location path="~/admin/Txtgr.aspx">
        <system.web>
          <authorization>
            <allow users="web" />
            <deny users="?"/>
          </authorization>
        </system.web>
      </location>
      <system.web>
       
        <authentication mode="Forms">
          <forms domain="http://cast.com/" name=".ASPNET" protection="All"  loginUrl="~/admin/login.aspx" timeout="20" />
          
        </authentication>
        <authorization>
        
        </authorization>
        <!--
                The <customErrors> section enables configuration
                of what to do if/when an unhandled error occurs
                during the execution of a request. Specifically,
                it enables developers to configure html error pages
                to be displayed in place of a error stack trace.

            <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
                <error statusCode="403" redirect="NoAccess.htm" />
                <error statusCode="404" redirect="FileNotFound.htm" />
            </customErrors>
            -->

        <!--Provider-->
        <membership defaultProvider="AccessMembershipProvider">
          <providers>
            <clear/>
            <add name="AccessMembershipProvider" type="Samples.AccessProviders.AccessMembershipProvider, SampleAccessProviders" connectionStringName="AccessFileName" enablePasswordRetrieval="true" enablePasswordReset="false" requiresUniqueEmail="true" requiresQuestionAndAnswer="false" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="1" applicationName="/" hashAlgorithmType="SHA1" passwordFormat="Clear" maxInvalidPasswordAttempts="3" passwordAttemptWindow="5" passwordStrengthRegularExpression=""/>
          </providers>
        </membership>
        <!--Role Manager-->
        <roleManager enabled="true" cacheRolesInCookie="true" cookieTimeout="500" defaultProvider="AccessRoleProvider">
          <providers>
            <add connectionStringName="AccessFileName" applicationName="AccessSecurity" name="AccessRoleProvider" type="Samples.AccessProviders.AccessRoleProvider, SampleAccessProviders"/>
          </providers>
        </roleManager>
        <!--Profile Provider. In later blog posts we will also do some interesting things here-->
        <profile enabled="true" defaultProvider="AccessProfileProvider">
          <providers>
            <add name="AccessProfileProvider" type="Samples.AccessProviders.AccessProfileProvider, SampleAccessProviders" connectionStringName="AccessFileName" applicationName="ssbys" description="Stores and retrieves profile data from an $safeprojectname$ database."/>
          </providers>
         
        </profile>
       

     
       
        <customErrors mode="On">
          <error statusCode="404" redirect="404.html" />
        </customErrors>
      </system.web>

     
      <system.webServer>
        <httpErrors errorMode="Custom">
          <remove statusCode="404"/>
          <error statusCode="404" path="404.html" responseMode="ExecuteURL"/>
        </httpErrors>
      </system.webServer>
    </configuration>

    Sunday, August 24, 2014 4:34 PM
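The following is an added example written for this page; it is not code from the thread or from ASP.NET. It is a small Python model of how ASP.NET's UrlAuthorizationModule decides a request: rules are checked in order and the first match wins, the rules of the most specific location element are checked before those of the enclosing folder and then the root system.web, and a request that matches no rule at all is allowed. The model runs against a corrected site-root web.config for the scenario in the question, which combines the deny users="?" plus location approach from the first answer (including its roles snippet) with the per-page location rules from the second answer, and then against two mistakes worth watching fail: the "~/" prefix used in the location paths of the config posted above, which never matches a request path (so those pages stay open), and a deny users="*" placed ahead of an allow, which locks out logged-in users as well. Assumptions: the page names come from the question, the user name "web" from the posted config, and the evaluator ignores the verbs attribute and details such as wildcard paths.

```python
# Added example, not code from the thread or from ASP.NET itself. It models how
# ASP.NET's UrlAuthorizationModule evaluates <authorization> rules: first match
# wins; rules of the most specific <location> are checked before the enclosing
# folder's, then the root <system.web>; no match at all means allow.
# The web.config texts are constructed here; page names follow the question.
import xml.etree.ElementTree as ET

# A corrected site-root web.config for the scenario in the question.
CORRECTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- protection="All" both encrypts and signs the ticket cookie -->
      <forms loginUrl="~/admin/login.aspx" name=".ASPNETAUTH" protection="All" timeout="20" />
    </authentication>
    <authorization><allow users="*" /></authorization>
  </system.web>
  <!-- the whole admin folder: logged-in users only. No "~/" in a location path. -->
  <location path="admin">
    <system.web><authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization></system.web>
  </location>
  <!-- the login page must stay open to anonymous users, or you get a redirect loop -->
  <location path="admin/login.aspx">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <!-- optional: one page restricted to a role, as in the first answer's roles snippet -->
  <location path="admin/page3.aspx">
    <system.web><authorization>
      <allow roles="Administrators" />
      <deny users="*" />
    </authorization></system.web>
  </location>
</configuration>
"""

# Two mistakes reproduced for comparison: a "~/" prefix in the location path
# (never matches a request) and deny users="*" ahead of the allow (locks out everyone).
BROKEN_CONFIG = """<configuration>
  <system.web><authorization /></system.web>
  <location path="~/admin/page2.aspx">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="admin/page3.aspx">
    <system.web><authorization><deny users="*" /><allow users="?" /></authorization></system.web>
  </location>
</configuration>
"""


def _child(element, tag):
    """Direct child element with this tag, or None."""
    return next((c for c in element if c.tag == tag), None)


def _names(attr):
    """Comma-separated users/roles attribute -> lower-cased set."""
    return {x.strip().lower() for x in attr.split(",") if x.strip()}


def _rules(system_web):
    """[(action, users, roles), ...] of one <authorization> block, in document order."""
    auth = _child(system_web, "authorization") if system_web is not None else None
    if auth is None:
        return []
    return [(el.tag, _names(el.get("users", "")), _names(el.get("roles", ""))) for el in auth]


def load_config(xml_text):
    """Return (root rules, {location path lower-cased without slashes: rules})."""
    root = ET.fromstring(xml_text)
    locations = {loc.get("path", "").strip("/").lower(): _rules(_child(loc, "system.web"))
                 for loc in root if loc.tag == "location"}
    return _rules(_child(root, "system.web")), locations


def _rule_matches(rule, user, roles):
    _, users, rule_roles = rule
    if "*" in users:                      # "*" is every request, anonymous or not
        return True
    if user is None:                      # "?" is the anonymous user only
        return "?" in users
    return user.lower() in users or bool(rule_roles & {r.lower() for r in roles})


def is_authorized(xml_text, request_path, user=None, roles=()):
    """user=None models an anonymous request; True means ASP.NET would serve the page."""
    root_rules, locations = load_config(xml_text)
    parts = request_path.strip("/").lower().split("/")
    candidates = ("/".join(parts[:i]) for i in range(len(parts), 0, -1))
    chain = [locations[p] for p in candidates if p in locations]  # file first, then each parent folder
    chain.append(root_rules)
    for rules in chain:
        for rule in rules:
            if _rule_matches(rule, user, roles):
                return rule[0] == "allow"
    return True  # nothing matched: the machine-level default is <allow users="*" />


if __name__ == "__main__":
    for cfg, path, user in [(CORRECTED_CONFIG, "/admin/page2.aspx", None), (CORRECTED_CONFIG, "/admin/login.aspx", None),
                            (CORRECTED_CONFIG, "/admin/page2.aspx", "web"), (BROKEN_CONFIG, "/admin/page2.aspx", None),
                            (BROKEN_CONFIG, "/admin/page3.aspx", "web")]:
        print("ALLOW" if is_authorized(cfg, path, user) else "DENY ", path, user or "anonymous")
```

Run it and each listed request prints ALLOW or DENY. Two things to carry over to the real web.config: a location path is matched against the request path relative to the application root, case-insensitively and without "~/"; and UrlAuthorizationModule only sees requests that reach ASP.NET, so static files under admin (images, .html) are not covered in the classic pipeline, nor in the integrated pipeline unless the managed module is made to run for all requests (for example runAllManagedModulesForAllRequests="true").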