Form Authentication Bypass

Plateforme Level Extreme

Abonnement

Profil corporatif

Produits & Services

Support

Légal

English

Form Authentication Bypass

Message

21/06/2013 15:42:55

William Kuhn
The Kuhn Group, Inc.
St Marys, Kansas, États-Unis

21/06/2013 15:37:19

Dmitry Litvak
Massachusetts, États-Unis

Information générale

Forum:

ASP.NET

Catégorie:

Autre

Titre:

Re: Form Authentication Bypass

Versions des environnements

Environment:

VB 9.0

OS:

Windows Server 2012

Network:

Windows 2008 Server

Database:

MS SQL Server

Application:

Web

Divers

Thread ID:

01576850

Message ID:

01576858

Vues:

>>>>>Hi,
>>>>>I am trying to figure out how to allow user to one page of the ASP.NET application that bypasses the authentication form. Let me describe:
>>>>>When using form authentication (in web.config) I specify that a user has to be authenticated before allowing him/her to see any page. Here is the code in the web.config:
>>>>>

>>>>><authentication mode="Forms">
>>>>>       <forms name="MyAppName" path="/" loginUrl="MyAppLogonForm.aspx"/>
>>>>></authentication>
>>>>>

>>>>>
>>>>>But I want to add to the MyAppLogonForm an option/button for user to register. So in order for the user to register he/she has to be allowed to the registration form. But the Form authentication stops it. So I am in the Catch 22.
>>>>>
>>>>>Is there a method to allow a certain page to "bypass" the authentication form?
>>>>
>>>>Normally we set our top level folder to allow all (this is done in web.config), and set subfolders to be restricted to authenticated users (or admin role or whatever you define). This is all done in web.config - you would have separate web.configs for subfolders.
>>>>
>>>>>
>>>>>TIA
>>>
>>>I will have to learn how to separate pages into folders and have separate web.config for subfolders. Thank you.
>>
>>An example web.config for a subfolder (and you can google the authorization section to see why this works)..
>>

>><configuration>
>>  <appSettings />
>>  <connectionStrings />
>>  <system.web>
>>    <authorization>
>>      <deny users="?" />
>>      <allow roles="Admin,Counselor,Management,Staff" />
>>      <deny users="*" />
>>    </authorization>
>>    <compilation>
>>      <assemblies />
>>    </compilation>
>>  </system.web>
>></configuration>
>>

>
>Thank you. So you create physical folders on the server right? For example, my app resides in one folder on the server. E.g.:
>c:\inetpub\wwwroot\MyAppFolder
>
>But my understanding is that you create subfolders as:
>c:\inetpub\wwwroot\MyAppMainFolder
>c:\inetpub\wwwroot\MyAppMainFolder\Subfolder1
>c:\inetpub\wwwroot\MyAppMainFolder\Subfolder2
>
>And then various pages (aspx) go to different folder (subfolder1, subfolder2) and each subfolder has its own web.confg. Do I understand correctly?

You are correct.

The web.config in the root folder has all the major configuration options (everything to make the site function). The web.configs in the subfolders only have the authorization settings to restrict/allow access to the subfolder.

____________________________________

Don't Tread on Me

Overthrow the federal government NOW!
____________________________________

Répondre

Fil

Voir

Click here to load this message in the networking platform