Re: Can I force 401 error when user not authenticated?

From: Ken Schaefer (kenREMOVE_at_THISadOpenStatic.com)
Date: 04/24/04


Date: Sat, 24 Apr 2004 23:31:31 +1000

Hi,

What type of authentication are you talking about? If you are talking about
HTTP Authentication, you can't (as a general rule [1]) do this with a form.
Why? Because you need to authenticate *before* the form can be loaded
(before ASP.NET even kicks in). This happens directly between the web server
and web browser.

If you are talking about forms auth, then you specify your own login page.
Forms Auth is an ASP.NET authentication mechanism. As far as IIS is
concerned, all user access is "anonymous". It is ASP.NET that keeps track of
users, and who's authenticated etc.

Cheers
Ken

[1] There is a customauth tool in the IIS 6.0 Res Kit that allows HTTP auth
via a form. Whether this also works with ASP.NET I don't know, and it's not
an officially supported product. The source code for this tool is in the
Windows 2003 Platform SDK.

"Bigtoga" <bigtoga@maratrane.com> wrote in message
news:n6tic.1445$UP.281@newssvr15.news.prodigy.com...
: Excellent info - thanks very much.
:
: So, if I have a page/section that requires authentication and a user who is
: not authenticated tries to visit, can I redirect to a different page than
: the loginUrl specified in web.config?
:
: Essentially, I'm using
: <?xml version="1.0" encoding="utf-8" ?>
: <configuration>
:   <system.web>
:     <authorization>
:       <allow roles="SuperPeople"/>
:       <deny users="*" />
:     </authorization>
:   </system.web>
: </configuration>
:
: in my web.config file for each "secure" directory. If the user is already
: logged in but doesn't belong to the SuperPeople role, it sends them to the
: login page (but they've already logged in).
:
: Any ideas would be helpful
:
:
: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: news:eXlMpJcKEHA.2396@TK2MSFTNGP12.phx.gbl...
: > Hi
: >
: > When using forms authentication, you are never sending back a 403
: > header. You are just redirecting the user to another ASP.NET page. A 403
: > header forces the browser to use HTTP authentication (e.g. Basic, IWA,
: > Digest etc).
: >
: > Forms auth never involves these HTTP status codes - all pages are 200 OK.
: > It is at the application layer (of your ASP.NET app) that you enforce
: > authentication, not at the lower HTTP level.
: >
: > Cheers
: > Ken
:
:
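One way to get the behaviour Bigtoga asks about (a separate page for a user who is logged in but not in the SuperPeople role), added here as an example and not code from either poster. It assumes ASP.NET 2.0 or later Web Forms, forms auth with the web.config rules quoted above, a loginUrl of ~/Login.aspx, and a hypothetical ~/AccessDenied.aspx page; because forms auth surfaces the role denial as a 302 to the login page rather than a 401/403, the handler rewrites that redirect only when the user already has an identity.

```csharp
// Global.asax.cs (added example; assumes ASP.NET 2.0+ Web Forms, forms auth
// with loginUrl="~/Login.aspx", and a hypothetical ~/AccessDenied.aspx page).
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    // Global.asax handlers are hooked after the built-in modules, so by the
    // time this runs UrlAuthorizationModule has rejected the request (401)
    // and FormsAuthenticationModule has already turned that 401 into a 302
    // to loginUrl?ReturnUrl=... . That is why a logged-in user who lacks the
    // role lands on the login page again: the pipeline does not distinguish
    // "no identity" from "identity present but wrong role".
    protected void Application_EndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.Response.StatusCode != 302 || ctx.Response.RedirectLocation == null)
            return;

        // Only intercept the redirect that forms auth itself generated
        // (FormsAuthentication.LoginUrl is the resolved absolute path, e.g. "/Login.aspx").
        string loginUrl = FormsAuthentication.LoginUrl;
        bool toLogin = ctx.Response.RedirectLocation.StartsWith(loginUrl, StringComparison.OrdinalIgnoreCase);

        // Not authenticated at all: let the normal redirect to the login page stand.
        if (!toLogin || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return;

        // Authenticated but denied by <authorization>: send the user to a
        // denial page instead of bouncing an already logged-in user back to the form.
        ctx.Response.RedirectLocation = VirtualPathUtility.ToAbsolute("~/AccessDenied.aspx");
    }
}

// AccessDenied.aspx.cs: make the denial explicit to the client and to the
// web server logs with a 403, which forms auth never sends on its own.
public partial class AccessDenied : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        Response.StatusCode = 403;
    }
}
```

Note that the login page still receives the original ReturnUrl query string for unauthenticated users, so the existing login flow is unchanged; only the authenticated-but-unauthorized case is diverted.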
