Re: Problem with web.config access-restricted subdirectory

From: Hernan de Lahitte (hernan_at_lagash.com)
Date: 01/22/04 

Date: Thu, 22 Jan 2004 09:39:38 -0300

I think you should delete the <location> entry. This should be triggering
the login page when you acces the /Parent/Child/Default.aspx page. There is
a good article about this here:

http://www.theserverside.net/articles/article.aspx?l=FormAuthentication

Regards,
Hernan. 

-- 
Hernan de Lahitte - MSDE
Lagash Systems S.A. - Buenos Aires, Argentina
http://www.lagash.com
"David Pyper" <David.Pyper@MUHC.McGill.CA> wrote in message
news:a1a1388f.0401211300.7871d058@posting.google.com...
> Hi,
>
> I have a problem with web.config unsuccessfully controlling access to
> a subdirectory.  I'm using VS03 and IIS5.0 on NT2K.  I have been able
> to reproduce this behaviour on two machines (the 2nd being a WXP
> machine) and both times I'm having the same result.
>
> I created a simplified example to illustrate the problem.  Here's the
> directory structure:
>
> /
> /Parent
> /Parent/Child
>
>
> In the /Parent directory, I have 3 files:  web.config, Login.aspx and
> Default.aspx.  In Child I just have Default.aspx.  In both directories
> there's a bin/ directory that contains Parent.dll and Child.dll (I'm
> using code-behind files).  Only Login.aspx has a code-behind (in vb)
> which I'll show below.
>
> Here's the code from /Parent/web.config:
>
> <?xml version="1.0" encoding="utf-8" ?>
> <configuration>
>   <system.web>
>     <compilation defaultLanguage="vb" debug="true" />
>     <customErrors mode="RemoteOnly" />
>     <authentication mode="Forms">
> <forms loginUrl="/Parent/Login.aspx" />
>     </authentication>
>     <authorization>
>         <deny users="?" />
>         <allow users="*" />
>     </authorization>
>     <trace enabled="false" requestLimit="10" pageOutput="false"
> traceMode="SortByTime" localOnly="true" />
>     <sessionState
>             mode="InProc"
>             stateConnectionString="tcpip=127.0.0.1:42424"
>             sqlConnectionString="data
> source=127.0.0.1;Trusted_Connection=yes"
>             cookieless="false"
>             timeout="20"
>     />
>     <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
>   </system.web>
>   <location allowOverride="false" path="Child">
> <system.web>
> <authorization>
> <deny users="?" />
> </authorization>
> </system.web>
>   </location>
> </configuration>
>
>
> And now here's the contents of /Parent/Default.aspx:
>
> <%@ Page Language="vb" AutoEventWireup="false"
> Codebehind="Default.aspx.vb" Inherits="Parent._Default" trace="True"%>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML>
> <HEAD>
> <title>Default Page</title>
> <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
> <meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
> <meta name="vs_defaultClientScript" content="JavaScript">
> <meta name="vs_targetSchema"
> content="http://schemas.microsoft.com/intellisense/ie5">
> </HEAD>
> <body>
> <form id="Form1" method="post" runat="server">
> This is the default page.
> </form>
> </body>
> </HTML>
>
>
> And now the content of /Parent/Login.aspx:
>
>
> <%@ Page Language="vb" AutoEventWireup="false"
> Codebehind="Login.aspx.vb" Inherits="Parent.Login" trace="True"%>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML>
> <HEAD>
> <title>Login Page</title>
> <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
> <meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
> <meta name="vs_defaultClientScript" content="JavaScript">
> <meta name="vs_targetSchema"
> content="http://schemas.microsoft.com/intellisense/ie5">
> </HEAD>
> <body>
> <form id="Form1" method="post" runat="server">
> <asp:TextBox id="txtUser" runat="server">Username</asp:TextBox>
> <asp:TextBox id="txtPassword" runat="server">Password</asp:TextBox>
> <asp:Button id="btnSubmit" runat="server"
> Text="Submit"></asp:Button>
> </form>
> </body>
> </HTML>
>
>
> And now the code for /Parent/Login.aspx.vb:
>
>
> Imports System.Web.Security
>
> Public Class Login
>     Inherits System.Web.UI.Page
>
> #Region " Web Form Designer Generated Code "
>
>     'This call is required by the Web Form Designer.
>     <System.Diagnostics.DebuggerStepThrough()> Private Sub
> InitializeComponent()
>
>     End Sub
>     Protected WithEvents txtUser As System.Web.UI.WebControls.TextBox
>     Protected WithEvents txtPassword As
> System.Web.UI.WebControls.TextBox
>     Protected WithEvents btnSubmit As System.Web.UI.WebControls.Button
>
>     'NOTE: The following placeholder declaration is required by the
> Web Form Designer.
>     'Do not delete or move it.
>     Private designerPlaceholderDeclaration As System.Object
>
>     Private Sub Page_Init(ByVal sender As System.Object, ByVal e As
> System.EventArgs) Handles MyBase.Init
>         'CODEGEN: This method call is required by the Web Form
> Designer
>         'Do not modify it using the code editor.
>         InitializeComponent()
>     End Sub
>
> #End Region
>
>     Private Sub btnSubmit_Click(ByVal sender As System.Object, _
>         ByVal e As System.EventArgs) Handles btnSubmit.Click
>
>         FormsAuthentication.RedirectFromLoginPage(txtUser.Text, False)
>
>     End Sub
>
> End Class
>
>
>
> And now finally /Parent/Child/Default.aspx:
>
> <%@ Page Language="vb" AutoEventWireup="false"
> Codebehind="WebForm1.aspx.vb" Inherits="Child._Default" trace="True"%>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML>
> <HEAD>
> <title>WebForm1</title>
> <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
> <meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
> <meta name="vs_defaultClientScript" content="JavaScript">
> <meta name="vs_targetSchema"
> content="http://schemas.microsoft.com/intellisense/ie5">
> </HEAD>
> <body>
> <form id="Form1" method="post" runat="server">
> This is the default child page.
> </form>
> </body>
> </HTML>
>
>
> So to re-iterate, only Login.aspx has any code-behind functionality.
> Now that all that's all clear, here's what happens.  When I access
> /Parent/Default.aspx, I am redirected to
> http://localhost/Parent/Login.aspx?ReturnUrl=%2fParent%2fDefault.aspx,
> which is what I expected would happen.  I click btnSubmit and a cookie
> is set (.ASPXAUTH) and I'm redirected to /Parent/Default.aspx, also as
> expected.  Now the problem: when I access /Parent/Child/Default.aspx,
> I'm redirected back to
>
http://localhost/Parent/Login.aspx?ReturnUrl=%2fParent%2fChild%2fDefault.aspx
> and prompted for the login again.  That's unexpected.  I expect that
> once I login to /Parent/Login.aspx I should be able to access
> /Parent/Child/Default.aspx.  But even when I re-login to
> /Parent/Login.aspx, the redirect still brings me back to
>
http://localhost/Parent/Login.aspx?ReturnUrl=%2fParent%2fChild%2fDefault.aspx.
>
> Can someone please shed some light here?  What am I not getting?
>
> Thanks!
>
> David.Pyper_DONTSPAM@NOSPAM.MUHC.McGill.CA