Mark Teague
Greetings!
I am attempting to secure the root of an IIS virtual directory and an Admin subdirectory separately from one another. At first, I attempted to create an additional Web.Config in the /Admin folder to direct unauthenticated access attempts to URLs within this directory to a different login page. The ASP.Net runtime complained that the <authentication/> element should only be used at the root level (or perhaps it was the <forms/> element).
After returning to the drawing board, I attempted to create two <location/> elements within the root level Web.Config file. The contents of the root Web.Config file are inserted below. There are two <location/> elements. One for the root of the virtual directory and another for the /Admin subdirectory.
Unauthenticated attempts to access root level URLs are properly redirected to /Login.aspx. However, once authenticated to this folder the client may request any URL within the /Admin folder without being subject to the additional authentication/authorization that I would like to enforce upon administrative use.
Is it the case that "Forms" based authentication can only be employed once during a client's session? (i.e. Once they are authenticated, they are authenticated ... period!) And also, that only one form can be established for a particular IIS virtual directory or application? If this is not the case, then any guidance as to what I have configured wrong will be greatly appreciated.
Thanks in advance,
Mark
Contents of Web.Config follow:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <!-- Settings for the root of the virtual directory -->
  <location>
    <system.web>
      <compilation defaultLanguage="vb" debug="true" />
      <customErrors mode="Off" />
      <authentication mode="Forms">
        <forms name=".rootAccessCookie" loginUrl="Login.aspx" protection="All" timeout="30" path="/" />
      </authentication>
      <authorization>
        <deny users="?" /> <!-- Deny all unauthenticated/unauthorized users -->
      </authorization>
      <trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />
      <sessionState
        mode="InProc"
        stateConnectionString="tcpip=127.0.0.1:42424"
        sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
        cookieless="false"
        timeout="20"
      />
      <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    </system.web>
  </location>
  <!-- Settings intended for the /Admin subdirectory -->
  <location path="Admin/">
    <system.web>
      <compilation defaultLanguage="vb" debug="true" />
      <customErrors mode="Off" />
      <authentication mode="Forms">
        <forms name=".adminAccessCookie" loginUrl="Admin/Login.aspx" protection="All" timeout="30" path="Admin/" />
      </authentication>
      <authorization>
        <deny users="?" /> <!-- Deny all unauthenticated/unauthorized users -->
      </authorization>
      <trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />
      <sessionState
        mode="InProc"
        stateConnectionString="tcpip=127.0.0.1:42424"
        sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
        cookieless="false"
        timeout="20"
      />
      <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    </system.web>
  </location>
</configuration>
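Added example, not part of the original post or its configuration: the shape a Web.Config takes when one forms-authentication ticket covers the whole application and the /Admin subdirectory is gated by authorization rather than by a second <authentication/> element. The <authentication/> and <sessionState/> sections can only be defined at machine or application scope, which is why the runtime rejected them in the /Admin Web.Config; <authorization/> has no such limit and may be set inside a <location/> for a subdirectory. The role name "Admin", the cookie name and the login page path are assumptions for illustration; the hardening of debug and customErrors is added here and was not in the posted file.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <!-- Application scope: exactly one <authentication> and one <forms> element.
       The ticket issued at login is sent with every request under the
       application root, so a second <forms> element scoped to /Admin would
       never be consulted even if the runtime allowed it. -->
  <system.web>
    <!-- debug="false" and customErrors on: added hardening, not from the posted file -->
    <compilation defaultLanguage="vb" debug="false" />
    <customErrors mode="RemoteOnly" />
    <authentication mode="Forms">
      <!-- cookie name and loginUrl are assumed values -->
      <forms name=".accessCookie" loginUrl="Login.aspx" protection="All" timeout="30" path="/" />
    </authentication>
    <!-- Anonymous users are turned away everywhere in the application. -->
    <authorization>
      <deny users="?" />
    </authorization>
    <trace enabled="false" localOnly="true" />
    <sessionState mode="InProc" cookieless="false" timeout="20" />
    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
  </system.web>

  <!-- Subdirectory scope: only <authorization> is overridden. Rules are
       evaluated top to bottom and the first match wins, so members of the
       assumed "Admin" role get in and everyone else (authenticated or not)
       is sent to the login page. allowOverride="false" stops a Web.Config
       dropped into /Admin from relaxing this rule. -->
  <location path="Admin" allowOverride="false">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

For the role rule to match, the application has to attach roles to the authenticated principal on each request; in ASP.NET 1.x that is done in Global.asax's Application_AuthenticateRequest by wrapping Context.User in a GenericPrincipal whose roles are read from the ticket (for example from its UserData) or from a store. A user who holds a valid ticket but lacks the role is not prompted a second time; they are simply denied the /Admin URLs, which is the separation the question asks for.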