Form Authentication Bypass

Level Extreme platform

Subscription

Corporate profile

Products & Services

Support

Legal

Français

Form Authentication Bypass

Message

From

21/06/2013 16:27:49

Rob Jasinski
I/O Technologies
Wisconsin, United States

21/06/2013 15:44:23

Dmitry Litvak
Massachusetts, United States

General information

Forum:

ASP.NET

Category:

Other

Title:

Re: Form Authentication Bypass

Environment versions

Environment:

VB 9.0

OS:

Windows Server 2012

Network:

Windows 2008 Server

Database:

MS SQL Server

Application:

Web

Miscellaneous

Thread ID:

01576850

Message ID:

01576868

Views:

>>>>>>>Hi,
>>>>>>>I am trying to figure out how to allow user to one page of the ASP.NET application that bypasses the authentication form. Let me describe:
>>>>>>>When using form authentication (in web.config) I specify that a user has to be authenticated before allowing him/her to see any page. Here is the code in the web.config:
>>>>>>>

>>>>>>><authentication mode="Forms">
>>>>>>>       <forms name="MyAppName" path="/" loginUrl="MyAppLogonForm.aspx"/>
>>>>>>></authentication>
>>>>>>>

>>>>>>>
>>>>>>>But I want to add to the MyAppLogonForm an option/button for user to register. So in order for the user to register he/she has to be allowed to the registration form. But the Form authentication stops it. So I am in the Catch 22.
>>>>>>>
>>>>>>>Is there a method to allow a certain page to "bypass" the authentication form?
>>>>>>
>>>>>>Normally we set our top level folder to allow all (this is done in web.config), and set subfolders to be restricted to authenticated users (or admin role or whatever you define). This is all done in web.config - you would have separate web.configs for subfolders.
>>>>>>
>>>>>>>
>>>>>>>TIA
>>>>>
>>>>>I will have to learn how to separate pages into folders and have separate web.config for subfolders. Thank you.
>>>>
>>>>An example web.config for a subfolder (and you can google the authorization section to see why this works)..
>>>>

>>>><configuration>
>>>>  <appSettings />
>>>>  <connectionStrings />
>>>>  <system.web>
>>>>    <authorization>
>>>>      <deny users="?" />
>>>>      <allow roles="Admin,Counselor,Management,Staff" />
>>>>      <deny users="*" />
>>>>    </authorization>
>>>>    <compilation>
>>>>      <assemblies />
>>>>    </compilation>
>>>>  </system.web>
>>>></configuration>
>>>>

>>>
>>>Thank you. So you create physical folders on the server right? For example, my app resides in one folder on the server. E.g.:
>>>c:\inetpub\wwwroot\MyAppFolder
>>>
>>>But my understanding is that you create subfolders as:
>>>c:\inetpub\wwwroot\MyAppMainFolder
>>>c:\inetpub\wwwroot\MyAppMainFolder\Subfolder1
>>>c:\inetpub\wwwroot\MyAppMainFolder\Subfolder2
>>>
>>>And then various pages (aspx) go to different folder (subfolder1, subfolder2) and each subfolder has its own web.confg. Do I understand correctly?
>>
>>You are correct.
>>
>>The web.config in the root folder has all the major configuration options (everything to make the site function). The web.configs in the subfolders only have the authorization settings to restrict/allow access to the subfolder.
>
>I am glad that ASP.NET is designed in such way that web.config in sub-folder "inherits" the settings in the main folder. Thank you.

If you do need to override the security for one page in a folder, you can also specify it through the location element in the web.config file: http://support.microsoft.com/kb/316871

Map

View

Click here to load this message in the networking platform