Re: URL Authorization Problem

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 08/20/05


Date: Sat, 20 Aug 2005 00:16:30 -0700

Hello nicemonitor@hotmail.com,

That's IMHO a flaw in FormsAuth - it would be nice to have two redirect URLs
in the FormsAuth config - one for login, one for access denied.

What you can do (and that's what the built-in module should do) is check
on your login page if a valid context.user is associated with the request.

In your login.aspx:
If the user is unauthenticated, display the login UI - if the user is authenticated,
display access denied.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I have created a web application that is utilizing Forms
> Authentication and URL Authorization for application security.
>
> The problem arises when an authenticated user (the authentication
> ticket cookie has been set) attempts to access a sub directory or file
> where I have explicitly denied them access. For example the code in
> the root web.config is as follows:
>
> <authentication mode="Forms">
> <forms loginUrl="authAgent.aspx"
> name="csgOperationsAuthTicket"
> protection="All"
> timeout="60"
> path="/"
> />
> </authentication>
> <authorization>
> <deny users="?" />
> </authorization>
> A web.config created in a protected directory called "protected" has
> the following authorization tags:
>
> <authorization>
> <allow users="admin" />
> <deny users="*" />
> </authorization>
> Now if I attempt to visit a page within the "protected" sub directory
> the forms authentication ticket is created for the user; however, if I
> attempt to access the directory as any other user but "admin" I do not
> get an access denied page or message. Instead it stays at the
> loginUrl page (seems to reload over and over). If I do access the
> directory as "admin" everything works fine.
>
> Is there a way to display an access denied page to the user?
>
> Note that when I use Windows authentication a nice access denied page
> is displayed. If you try to use forms authentication the user is left
> hanging. This cannot be by Microsoft's design can it? Is it a bug?
>
> Any insight is *GREATLY* appreciated.
>
> Thanks
>
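The check Dominick describes, written out as an added example (not code from either poster): a login page code-behind that tells "no ticket yet" apart from "valid ticket but URL authorization denied it". The page class, the panel/label/button names and the web form they live on are assumed; the framework calls are standard ASP.NET Forms Authentication.

```csharp
// login.aspx.cs (hypothetical code-behind for the loginUrl page)
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LoginPage : Page
{
    // Assumed controls declared on login.aspx
    protected Panel pnlLogin;    // username/password form
    protected Panel pnlDenied;   // "access denied" message + sign-out button
    protected Label lblDenied;

    protected void Page_Load(object sender, EventArgs e)
    {
        // UrlAuthorizationModule redirects to loginUrl both when the request
        // carries no ticket and when it carries a valid ticket that the target
        // <authorization> section rejects. FormsAuth itself cannot tell the
        // two apart, so the login page has to.
        bool authenticated = Context.User != null
                             && Context.User.Identity.IsAuthenticated;

        if (!authenticated)
        {
            pnlLogin.Visible = true;     // normal login flow
            pnlDenied.Visible = false;
            return;
        }

        // Already signed in: showing the login form again is what produces the
        // reload loop. Report the denial instead and return 403 so clients and
        // logs see an authorization failure rather than a 200 login page.
        pnlLogin.Visible = false;
        pnlDenied.Visible = true;
        Response.StatusCode = 403;
        lblDenied.Text = "You are signed in as "
            + HttpUtility.HtmlEncode(Context.User.Identity.Name)
            + " but are not authorized to view the requested page.";
    }

    // Lets a denied user drop the current ticket and sign in as another account.
    // Redirect to a fixed page rather than to the ReturnUrl query value, so an
    // attacker-supplied ReturnUrl is never used as a redirect target here.
    protected void btnSignOut_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();
        Response.Redirect(FormsAuthentication.LoginUrl, true);
    }
}
```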
