Re: Forms Authentication behavior on request denial

From: David Dabbs (david@dabbs.net)
Date: 03/29/03


From: "David Dabbs" <david@dabbs.net>
Date: Fri, 28 Mar 2003 18:20:01 -0600


"John Saunders" <john.saunders@surfcontrol.com> wrote in message

> You're seeing the expected behavior. This is how Forms Authentication
> works.

John,

Thanks for the reply.

Shouldn't a user who is not allowed access to a resource be redirected to an
"Access Denied" page as opposed to the Login page?

I get the same (undesired) behavior when I set the <authorization> as
follows in the protected directory.

<authorization>
    <deny users="?" />
    <allow roles="Allowed Role, Etc" />
</authorization>

As expected, all users are redirected to login.
But ALL authenticated users who redirect back to the originally requested
page are allowed access, not simply the ones who have the "Allowed Role"
role.
Shouldn't the authenticated users NOT in the <allow roles> setting be denied
access?
If not, then I need to PROGRAMMATICALLY add checks for IsInRole() to every
page. Yuck.

Thanks,

David Dabbs
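
Added example, not part of the original post and not ASP.NET's own code: a simplified Python model of URL authorization, in which rules are checked top-down, the first matching rule decides, and the machine-level default <allow users="*" /> is checked after the directory's own rules. The user names, the "Other" role and the trailing <deny users="*" /> rule in the second rule set are constructed for illustration.

```python
# Simplified model of ASP.NET URL authorization rule evaluation.
# Rules are checked in order; the first rule that matches the user decides.
# Rules inherited from parent configuration come after the directory's own.

ANONYMOUS = None  # stands for an unauthenticated request


def rule_matches(rule, user, roles):
    """Return True if an <allow>/<deny> rule applies to this user."""
    for u in rule.get("users", []):
        if u == "*":                          # every user
            return True
        if u == "?" and user is ANONYMOUS:    # anonymous users only
            return True
        if user is not ANONYMOUS and u == user:
            return True
    return any(r in roles for r in rule.get("roles", []))


def is_authorized(local_rules, user, roles=()):
    """Evaluate the directory's rules, then the inherited default."""
    # Machine-level default: <allow users="*" />
    inherited = [{"action": "allow", "users": ["*"]}]
    for rule in list(local_rules) + inherited:
        if rule_matches(rule, user, roles):
            return rule["action"] == "allow"
    return False


# The rules from the post (role list written out as separate names).
POSTED = [
    {"action": "deny", "users": ["?"]},
    {"action": "allow", "roles": ["Allowed Role", "Etc"]},
]
# Constructed variant: a trailing <deny users="*" /> so no one falls through.
HARDENED = POSTED + [{"action": "deny", "users": ["*"]}]


def report(rules):
    """Authorization result for three constructed sample users."""
    cases = {
        "anonymous": (ANONYMOUS, ()),
        "in_role": ("alice", ("Allowed Role",)),
        "no_role": ("bob", ("Other",)),
    }
    return {name: is_authorized(rules, u, r) for name, (u, r) in cases.items()}


if __name__ == "__main__":
    print("posted  ", report(POSTED))
    print("hardened", report(HARDENED))
```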


