Forms authentication bug?

From: Fouad Daniëls (fouad.daniels@webregio.nl)
Date: 07/26/02

Next message: RP: "Re: restricting access by IP addresses"
Previous message: Fouad Daniëls: "Re: Forms based security without cookies?"
Next in thread: Srinivas: "Re: Forms authentication bug?"
Reply: Srinivas: "Re: Forms authentication bug?"
Reply: Jason Jing: "RE: Forms authentication bug?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: Fouad Daniëls <fouad.daniels@webregio.nl>
Date: Fri, 26 Jul 2002 03:59:58 -0700

Hi All,

I read alot of posts about forms authentication and came
to the conclusion that alot of people have the same
question.

The question / situation is simple:
A web application with a non secured root. so open to
anonymous users. And a directory named secured wich is as
the name implies NOT open for anonymous users.

my web config file looks like this

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
        <system.web>
                <compilation defaultLanguage="vb"
debug="false" />
                <customErrors mode="Off"/>
                <authentication mode="Forms">
                        <forms name="UserAutenticated"
path="/" loginUrl="Login.aspx" protection="All"
timeout="30" />
                </authentication>
                <authorization>
                        <allow users="*" />
                </authorization>
        </system.web>
        <location path="secured">
                <system.web>
                        <authorization>
                                <deny users="?" />
                        </authorization>
                </system.web>
        </location>
</configuration>

This does not work!! but if I swap the nodes allow and
deny users ( So infact blocking anonymous users from the
root and allowing anonymous users in the dir secured ) It
works perfectly. Is this a bug? I can't believe MS has
designed ASP.NET forms authentication intentionally to
behave like this.

please MS respond to this as I need help badly.
Thanks in advance,
Fouad Daniëls
WebRegio B.V.

Next message: RP: "Re: restricting access by IP addresses"
Previous message: Fouad Daniëls: "Re: Forms based security without cookies?"
Next in thread: Srinivas: "Re: Forms authentication bug?"
Reply: Srinivas: "Re: Forms authentication bug?"
Reply: Jason Jing: "RE: Forms authentication bug?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: Forms authentication bug?
... I can get access root folder ... without authentication, while to secured folder, I need to logon. ... | Content-Class: urn:content-classes:message ... | the name implies NOT open for anonymous users. ...
(microsoft.public.dotnet.framework.aspnet.security)
RE: Authentication in ASP.NET: best practice?
... but the authentication and authorization stuff is ... >users and some that are NOT available for anonymous users (i.e. need ... >redirect every unkown user to my login-form. ...
(microsoft.public.dotnet.framework.aspnet.security)
dynamically allowing anonymous users to web pages???
... My problem is that each site has a login page and a register page. ... When an anonymous users try to access a page, ... Authenticaticate event) but still using Forms authentication. ...
(microsoft.public.dotnet.framework.aspnet.security)
Re: Forms authentication bug?
... I read alot of posts about forms authentication and came ... the name implies NOT open for anonymous users. ...
(microsoft.public.dotnet.framework.aspnet.security)
Re: Capturing the Windows NT Username from IE 5.5+
... IIS Virtual Directory should allow anonymous users (not all users will ... ASP.NET web.config authentication should implement forms authentication ... > StringBuilder result = new StringBuilder; ...
(microsoft.public.dotnet.framework.aspnet.security)