Re: Forms Authentication - Cookie not being generated...
From: Hernan de Lahitte (hernan_at_lagash.com)
Date: 04/19/04
- In reply to: Nugs: "Re: Forms Authentication - Cookie not being generated..."
Date: Mon, 19 Apr 2004 15:29:47 -0300
You should have only ONE web.config (root folder) with all these entries.
So the location element should be placed after the </system.web> closing
tag.
Your Root/Main web.config file (and the ONLY config file) might look
something like this.
<configuration>
  <appSettings>
    <add key="MM_CONNECTION_HANDLER_eOnConn" value="default_oledb.htm" />
    <add key="MM_CONNECTION_STRING_eOnConn"
         value="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Inetpub\wwwroot\eOn\Database\eOn.mdb;Persist Security Info=False" />
    <add key="MM_CONNECTION_DATABASETYPE_eOnConn" value="OleDb" />
    <add key="MM_CONNECTION_SCHEMA_eOnConn" value="" />
    <add key="MM_CONNECTION_CATALOG_eOnConn" value="" />
  </appSettings>

  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" protection="All" requireSSL="true"
             timeout="10" name="CCAuth" path="/"
             slidingExpiration="true">
        <credentials passwordFormat="Clear">
          <user name="1" password="1" />
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <location path="ClientCenter">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
This assumes that you have a ClientCenter subfolder that you want to secure
access with Forms authentication so your login page (and all protected
pages) will be inside this folder.
Check out the authorization configuration in both the root and ClientCenter
location path. The former allows all users and the latter only the
authenticated users.
--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl

This posting is provided "AS IS" with no warranties, and confers no rights.

"Nugs" <duncsjunk@comcast.net> wrote in message
news:-padnb_66rb69B3dRVn-tw@comcast.com...
> Ok, I did what you said and the result is that the ClientCenter directory is
> accessible. I am not redirected to the login page, but the /ClientCenter
> web.config file should be denying anonymous users. I might have done
> something wrong, this is what I have now:
>
> Root/Main web.config file:
> <configuration>
>   <appSettings>
>     <add key="MM_CONNECTION_HANDLER_eOnConn" value="default_oledb.htm" />
>     <add key="MM_CONNECTION_STRING_eOnConn"
>          value="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Inetpub\wwwroot\eOn\Database\eOn.mdb;Persist Security Info=False" />
>     <add key="MM_CONNECTION_DATABASETYPE_eOnConn" value="OleDb" />
>     <add key="MM_CONNECTION_SCHEMA_eOnConn" value="" />
>     <add key="MM_CONNECTION_CATALOG_eOnConn" value="" />
>   </appSettings>
>
>   <system.web>
>     <authentication mode="Forms">
>       <forms loginUrl="login.aspx" protection="All" requireSSL="true"
>              timeout="10" name="CCAuth" path="/" slidingExpiration="true">
>         <credentials passwordFormat="Clear">
>           <user name="1" password="1" />
>         </credentials>
>       </forms>
>     </authentication>
>
>     <authorization>
>       <allow users="?" />
>     </authorization>
>   </system.web>
> </configuration>
>
> And the web.config file located one directory up in /ClientCenter directory.
> <configuration>
>   <location path="ClientCenter">
>     <system.web>
>       <authorization>
>         <deny users="?" />
>       </authorization>
>     </system.web>
>   </location>
> </configuration>
>
> You also mentioned SSL and I am not very knowledgeable about it. What do you
> think is wrong with the above code?
>
> Nugs
>
>
> "Hernan de Lahitte" <hernan@lagash.com> wrote in message
> news:%23tvgikyIEHA.3240@TK2MSFTNGP12.phx.gbl...
> > Ok, I think I can figure out what might be happening here.
> > You said that you have a different web.config on the subfolder that you
> > want to authenticate access. In this scenario, your second web.config file
> > is not taken into account so from only your root config file, every time you
> > hit the login button on your login page, you come back to the same login
> > page therefore the cookie is never created. What I suggest is to use only
> > one main config file (root) with a location entry specifying the secure
> > folder.
> > Here you have a sample of this:
> >
> > <system.web>
> >   <authentication mode="Forms">
> >     <!-- loginUrl:          Login page in an SSL protected folder
> >          protection:        Privacy and integrity
> >          requireSSL:        Prevents cookie being sent over http
> >          timeout:           Limited session lifetime
> >          name, path:        Unique per-application name and path
> >          slidingExpiration: Sliding session lifetime -->
> >     <forms loginUrl="Secure\login.aspx"
> >            protection="All"
> >            requireSSL="true"
> >            timeout="10"
> >            name="AppNameCookie"
> >            path="/FormsAuth"
> >            slidingExpiration="true">
> >     </forms>
> >   </authentication>
> > </system.web>
> >
> > <!-- The restricted folder is for authenticated and should be SSL access
> >      only (recommended). -->
> > <location path="Secure">
> >   <system.web>
> >     <authorization>
> >       <deny users="?" />
> >     </authorization>
> >   </system.web>
> > </location>
> >
> > --
> > Hernan de Lahitte
> > Lagash Systems S.A.
> > http://weblogs.asp.net/hernandl
> >
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> > "Nugs" <duncsjunk@comcast.net> wrote in message
> > news:vZCdnWYHS4jYeOPdRVn-tA@comcast.com...
> > > Nope that only denies access to my whole main site. I'm pretty sure my
> > > problem has to do with the cookie "creation". <forms name=".CCAUTH"
> > > loginUrl="../login.aspx" protection="All"> I have no clue what though!
> > >
> > > Nugs
> > >
> > > "Hernan de Lahitte" <hernan@lagash.com> wrote in message
> > > news:%2303gXByIEHA.3220@TK2MSFTNGP12.phx.gbl...
> > > > On your root config authorization entry try change this;
> > > > <allow users="?" />
> > > >
> > > > for this ;
> > > > <deny users="?" />
> > > >
> > > > --
> > > > Hernan de Lahitte
> > > > Lagash Systems S.A.
> > > > http://weblogs.asp.net/hernandl
> > > >
> > > > This posting is provided "AS IS" with no warranties, and confers no
> > > > rights.
> > > >
> > > > "Nugs" <duncsjunk@comcast.net> wrote in message
> > > > news:k4qdnb1ML7LboePdRVn-vg@comcast.com...
> > > > > Hi there everyone, I'm new to this newsgroup so I hope you don't mind me
> > > > > just asking a question, but it has been working me for way too long now and I
> > > > > need some help. I'm fairly new to ASP.NET and VB.NET but have been cramming
> > > > > for weeks now and hit a snag. It has to do with forms authentication in
> > > > > ASP.NET. My problem is that when good credentials are sent from the
> > > > > login.aspx page it doesn't seem to be generating a cookie for the user and
> > > > > sends the user back to the login page because they are still
> > > > > unauthenticated. I have been researching this a lot and have been buried in
> > > > > books for way too long now. Creating the login system seems so easy to do
> > > > > that there are little troubleshooting pages to be found. I did find one that
> > > > > described my problem in one short paragraph:
> > > > >
> > > > > [http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch13.asp]
> > > > > Using Forms Authentication
> > > > > Make sure that the cookie name specified in the <forms> element is being
> > > > > retrieved in the global.asax event handler correctly
> > > > > (Application_AuthenticateRequest). Also, make sure the cookie is being
> > > > > created. If the client is continuously sent back to the login page
> > > > > (specified by the loginUrl attribute on the <forms> element) this indicates
> > > > > that the cookie is not being created for some reason, or an authenticated
> > > > > identity is not being placed into the context (HttpContext.User)
> > > > >
> > > > > The structure I have is fairly simple. I have the root of my main
> > > > > application open to anonymous users. I then have a secured directory called
> > > > > 'ClientCenter'. Both have their own web.config files specifying their
> > > > > separate authorization.
> > > > >
> > > > > At the root of my site I have my main site's web.config file which looks
> > > > > like so:
> > > > >
> > > > > [Code]
> > > > > <configuration>
> > > > >   <appSettings>
> > > > >     <add key="MM_CONNECTION_HANDLER_eOnConn" value="default_oledb.htm" />
> > > > >     <add key="MM_CONNECTION_STRING_eOnConn"
> > > > >          value="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\Inetpub\wwwroot\eOn\Database\eOn.mdb;Persist Security Info=False" />
> > > > >     <add key="MM_CONNECTION_DATABASETYPE_eOnConn" value="OleDb" />
> > > > >     <add key="MM_CONNECTION_SCHEMA_eOnConn" value="" />
> > > > >     <add key="MM_CONNECTION_CATALOG_eOnConn" value="" />
> > > > >   </appSettings>
> > > > >
> > > > >   <system.web>
> > > > >     <authentication mode="Forms">
> > > > >       <forms name=".CCAUTH" loginUrl="../login.aspx" protection="All">
> > > > >         <credentials passwordFormat="Clear">
> > > > >           <user name="1" password="1" />
> > > > >         </credentials>
> > > > >       </forms>
> > > > >     </authentication>
> > > > >     <authorization>
> > > > >       <allow users="?" />
> > > > >     </authorization>
> > > > >   </system.web>
> > > > > </configuration>
> > > > >
> > > > > My login page code (with some help from the MSDN) looks like so:
> > > > >
> > > > > [Code]
> > > > > <%@ Page Language="VB" AutoEventWireup="true" %>
> > > > > <html>
> > > > > <head>
> > > > > <script runat="server">
> > > > >   Sub LoginBtn_Click(sender as Object, e as EventArgs)
> > > > >     ' If Page.IsValid Then
> > > > >     ' Call the authentication event handler delegate (not included in this example).
> > > > >     If FormsAuthentication.Authenticate(UserName.Text, UserPass.Text) Then
> > > > >       ' Return to the originally requested URL.
> > > > >       FormsAuthentication.RedirectFromLoginPage(UserName.Text, Remember.Checked)
> > > > >     Else
> > > > >       Msg.Text = "Invalid Credentials: Please try again"
> > > > >     End If
> > > > >     ' End If
> > > > >   End Sub
> > > > > </script>
> > > > >
> > > > > </head>
> > > > >
> > > > > <body>
> > > > > <form runat="server">
> > > > >   <h2>Login Page</h2>
> > > > >   <hr size="1" />
> > > > >   <table>
> > > > >     <tbody>
> > > > >       <tr>
> > > > >         <td>Username:</td>
> > > > >         <td><asp:TextBox id="UserName" runat="server"></asp:TextBox></td>
> > > > >         <td><asp:RequiredFieldValidator id="RequiredFieldValidator1"
> > > > >             runat="server" ControlToValidate="UserName" Display="Static"
> > > > >             ErrorMessage="*"></asp:RequiredFieldValidator></td>
> > > > >       </tr>
> > > > >       <tr>
> > > > >         <td>Password:</td>
> > > > >         <td><asp:TextBox id="UserPass" runat="server"
> > > > >             TextMode="Password"></asp:TextBox></td>
> > > > >         <td><asp:RequiredFieldValidator id="RequiredFieldValidator2"
> > > > >             runat="server" ControlToValidate="UserPass" Display="Static"
> > > > >             ErrorMessage="*"></asp:RequiredFieldValidator></td>
> > > > >       </tr>
> > > > >       <tr>
> > > > >         <td colspan="3"> <asp:CheckBox id="Remember"
> > > > >             runat="server"></asp:CheckBox>Remember credentials?</td>
> > > > >       </tr>
> > > > >     </tbody>
> > > > >   </table>
> > > > >   <asp:button id="LoginBtn" onclick="LoginBtn_Click" runat="server"
> > > > >       text="Login"></asp:button>
> > > > >   <p><asp:Label id="Msg" runat="server" ForeColor="red"></asp:Label></p>
> > > > > </form>
> > > > > </body>
> > > > > </html>
> > > > >
> > > > > And lastly the ClientCenter/web.config file looks like this:
> > > > >
> > > > > [Code]
> > > > > <configuration>
> > > > >   <system.web>
> > > > >     <authorization>
> > > > >       <deny users="?" />
> > > > >       <allow users="*" />
> > > > >     </authorization>
> > > > >   </system.web>
> > > > > </configuration>
> > > > >
> > > > > Now from all the books and examples I have been through, this should be all
> > > > > I need to get this login system up and running, right? Well something is
> > > > > going on here and I have no clue what. Please could someone show me what I
> > > > > am doing wrong here and why it is not generating my cookie! How do I 'Call
> > > > > the authentication event handler delegate' and what is that exactly? Do I
> > > > > have to set something in IIS for this to work? Please help!
> > > > >
> > > > > Thanks
> > > > > Nugs
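
How the allow/deny rules in the single root web.config at the top of this message resolve, as an added example that is not part of the original posting or of ASP.NET itself: it models URL authorization as first-match-wins, with the rules of the most specific `<location>` checked before the root rules. It handles only the `users` attribute (no roles or verbs), and the helper names, request paths and the trimmed sample config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only the authorization parts of the root web.config above.
WEB_CONFIG = """
<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="ClientCenter">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
"""

def rules_for(root, url_path):
    """Collect (action, users) rules for a URL, most specific scope first."""
    scopes = [("", root.find("system.web/authorization"))]
    for loc in root.findall("location"):
        scopes.append((loc.get("path", "").strip("/").lower(),
                       loc.find("system.web/authorization")))
    url = url_path.strip("/").lower()
    matching = [(p, a) for p, a in scopes if a is not None
                and (p == "" or url == p or url.startswith(p + "/"))]
    matching.sort(key=lambda s: len(s[0]), reverse=True)
    return [(r.tag, r.get("users", "")) for _, a in matching for r in a]

def is_allowed(config_xml, url_path, user=None):
    """First matching rule wins; user=None models an anonymous request."""
    root = ET.fromstring(config_xml)
    for action, users in rules_for(root, url_path):
        for u in (x.strip() for x in users.split(",")):
            if (u == "*" or (u == "?" and user is None)
                    or (user is not None and u.lower() == user.lower())):
                return action == "allow"
    return True  # assumption: machine-level default of <allow users="*" />
```

For an anonymous request under ClientCenter the `<deny users="?" />` rule matches first, which is what triggers the redirect to the login page; an authenticated user skips that rule and is admitted by the root `<allow users="*" />`.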