Forms Authentication - Cookie not being generated...

N

Nugs

Hi there everyone, I'm new to this newsgroup so I hope you don't mind me
just asking a question, but it has been working me for way to long now and I
need some help. I'm fairly new to ASP.NET and VB.NET but have been cramming
for weeks now and hit a snag.It has to do with forms authentication in
ASP.NET. My problem is that when good credentials are sent from the
login.aspx page it doesn't seem to be generating a cookie for the user and
sends the user back to the login page because they are still
unauthenticated. I have been researching this allot and have been buried in
books for way to long now. Creating the login system seems so easy to do
that there are little troubleshooting pages to be found. I did find one that
described my problem in one short paragraph:


[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/h
tml/SecNetch13.asp]
Using Forms Authentication
Make sure that the cookie name specified in the <forms> element is being
retrieved in the global.asax event handler correctly
(Application_AuthenticateRequest). Also, make sure the cookie is being
created. If the client is continuously sent back to the login page
(specified by the loginUrl attribute on the <forms> element) this indicates
that the cookie is not being created for some reason, or an authenticated
identity is not being placed into the context (HttpContext.User)


The structure I have is fairly simple. I have the root of my main
application open to anonymous users. I then have a secured directory called
'ClientCenter'. Both have there own web.config files specifying there
separate authorization.

At the root of my site I have my the main sites web.config file which looks
like so:

Code: 
<configuration>
<appSettings>
<add key="MM_CONNECTION_HANDLER_eOnConn" value="default_oledb.htm"
/>
<add key="MM_CONNECTION_STRING_eOnConn"
value="Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=C:\Inetpub\wwwroot\eOn\Database\eOn.mdb;Persist Security Info=False"
/>
<add key="MM_CONNECTION_DATABASETYPE_eOnConn" value="OleDb" />
<add key="MM_CONNECTION_SCHEMA_eOnConn" value="" />
<add key="MM_CONNECTION_CATALOG_eOnConn" value="" />
</appSettings>

<system.web>
<authentication mode="Forms">
<forms name=".CCAUTH" loginUrl="../login.aspx"
protection="All">
<credentials passwordFormat="Clear">
<user name="1" password="1" />
</credentials>
</forms>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</configuration>

My login page code (with some help from the MSDN) looks like so:

[Code]
<%@ Page Language="VB" AutoEventWireup="true" %>
<html>
<head>
<script runat="server">
Sub LoginBtn_Click(sender as Object, e as EventArgs)
'            If Page.IsValid Then
' Call the authentication event handler delegate (not
included in this example).
If FormsAuthentication.Authenticate(UserName.Text,
UserPass.Text) Then
' Return to the originally requested URL.
FormsAuthentication.RedirectFromLoginPage(UserName.Text,
Remember.Checked)
Else
Msg.Text = "Invalid Credentials: Please try again"
End If
'            End If
End Sub
</script>

</head>

<body>
<form runat="server">
<h2>Login Page</h2>
<hr size="1" />
<table>
<tbody>
<tr>
<td>Username:</td>
<td><asp:TextBox id="UserName"
runat="server"></asp:TextBox></td>
<td><asp:RequiredFieldValidator id="RequiredFieldValidator1"
runat="server" ControlToValidate="UserName"
Display="Static"
ErrorMessage="*"></asp:RequiredFieldValidator></td>
</tr>
<tr>
<td>Password:</td>
<td><asp:TextBox id="UserPass" runat="server"
TextMode="Password"></asp:TextBox></td>
<td><asp:RequiredFieldValidator id="RequiredFieldValidator2"
runat="server" ControlToValidate="UserPass"
Display="Static"
ErrorMessage="*"></asp:RequiredFieldValidator></td>
</tr>
<tr>
<td colspan="3"> <asp:CheckBox id="Remember"
runat="server"></asp:CheckBox>Remember credentials?</td>
</tr>
</tbody>
</table>
<asp:button id="LoginBtn" onclick="LoginBtn_Click" runat="server"
text="Login"></asp:button>
<p><asp:Label id="Msg" runat="server"
ForeColor="red"></asp:Label></p>
</form>
</body>
</html>

And lastly the ClientCenter/web.config file looks like this:

[Code]
<configuration>
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</configuration>

Now from all the books and examples I have been through, this should be all
I need to get this login system up and running, right? Well something is
going on here and i have no clue what. Please could someone show me what I
am doing wrong here and why it is not generating my cookie! How do i ' Call
the authentication event handler delegate' and what is that exactly? Do i
have to set something in IIS for this to work? Please help!

Thanks
Nugs
 
H

Hernan de Lahitte

On your root config authorization entry try change this;
<allow users="?" />

for this ;
<deny users="?" />



--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl


This posting is provided "AS IS" with no warranties, and confers no rights.

Nugs said:
Hi there everyone, I'm new to this newsgroup so I hope you don't mind me
just asking a question, but it has been working me for way to long now and I
need some help. I'm fairly new to ASP.NET and VB.NET but have been cramming
for weeks now and hit a snag.It has to do with forms authentication in
ASP.NET. My problem is that when good credentials are sent from the
login.aspx page it doesn't seem to be generating a cookie for the user and
sends the user back to the login page because they are still
unauthenticated. I have been researching this allot and have been buried in
books for way to long now. Creating the login system seems so easy to do
that there are little troubleshooting pages to be found. I did find one that
described my problem in one short paragraph:


[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/h
tml/SecNetch13.asp]
Using Forms Authentication
Make sure that the cookie name specified in the <forms> element is being
retrieved in the global.asax event handler correctly
(Application_AuthenticateRequest). Also, make sure the cookie is being
created. If the client is continuously sent back to the login page
(specified by the loginUrl attribute on the <forms> element) this indicates
that the cookie is not being created for some reason, or an authenticated
identity is not being placed into the context (HttpContext.User)


The structure I have is fairly simple. I have the root of my main
application open to anonymous users. I then have a secured directory called
'ClientCenter'. Both have there own web.config files specifying there
separate authorization.

At the root of my site I have my the main sites web.config file which looks
like so:

Code: 
<configuration>
<appSettings>
<add key="MM_CONNECTION_HANDLER_eOnConn" value="default_oledb.htm"
/>
<add key="MM_CONNECTION_STRING_eOnConn"
value="Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=C:\Inetpub\wwwroot\eOn\Database\eOn.mdb;Persist Security Info=False"
/>
<add key="MM_CONNECTION_DATABASETYPE_eOnConn" value="OleDb" />
<add key="MM_CONNECTION_SCHEMA_eOnConn" value="" />
<add key="MM_CONNECTION_CATALOG_eOnConn" value="" />
</appSettings>

<system.web>
<authentication mode="Forms">
<forms name=".CCAUTH" loginUrl="../login.aspx"
protection="All">
<credentials passwordFormat="Clear">
<user name="1" password="1" />
</credentials>
</forms>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</configuration>

My login page code (with some help from the MSDN) looks like so:

[Code]
<%@ Page Language="VB" AutoEventWireup="true" %>
<html>
<head>
<script runat="server">
Sub LoginBtn_Click(sender as Object, e as EventArgs)
'            If Page.IsValid Then
' Call the authentication event handler delegate (not
included in this example).
If FormsAuthentication.Authenticate(UserName.Text,
UserPass.Text) Then
' Return to the originally requested URL.
FormsAuthentication.RedirectFromLoginPage(UserName.Text,
Remember.Checked)
Else
Msg.Text = "Invalid Credentials: Please try again"
End If
'            End If
End Sub
</script>

</head>

<body>
<form runat="server">
<h2>Login Page</h2>
<hr size="1" />
<table>
<tbody>
<tr>
<td>Username:</td>
<td><asp:TextBox id="UserName"
runat="server"></asp:TextBox></td>
<td><asp:RequiredFieldValidator id="RequiredFieldValidator1"
runat="server" ControlToValidate="UserName"
Display="Static"
ErrorMessage="*"></asp:RequiredFieldValidator></td>
</tr>
<tr>
<td>Password:</td>
<td><asp:TextBox id="UserPass" runat="server"
TextMode="Password"></asp:TextBox></td>
<td><asp:RequiredFieldValidator id="RequiredFieldValidator2"
runat="server" ControlToValidate="UserPass"
Display="Static"
ErrorMessage="*"></asp:RequiredFieldValidator></td>
</tr>
<tr>
<td colspan="3"> <asp:CheckBox id="Remember"
runat="server"></asp:CheckBox>Remember credentials?</td>
</tr>
</tbody>
</table>
<asp:button id="LoginBtn" onclick="LoginBtn_Click" runat="server"
text="Login"></asp:button>
<p><asp:Label id="Msg" runat="server"
ForeColor="red"></asp:Label></p>
</form>
</body>
</html>

And lastly the ClientCenter/web.config file looks like this:

[Code]
<configuration>
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</configuration>

Now from all the books and examples I have been through, this should be all
I need to get this login system up and running, right? Well something is
going on here and i have no clue what. Please could someone show me what I
am doing wrong here and why it is not generating my cookie! How do i ' Call
the authentication event handler delegate' and what is that exactly? Do i
have to set something in IIS for this to work? Please help!

Thanks
Nugs
[/QUOTE]
Click to expand...
 
N

Nugs

Nope that only denies access to my whole main site. I'm pretty sure my
problem has to do with the cookie "creation". <forms name=".CCAUTH"
loginUrl="../login.aspx" protection="All"> I have no clue what though!

Nugs

Hernan de Lahitte said:
On your root config authorization entry try change this;
<allow users="?" />

for this ;
<deny users="?" />



--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl


This posting is provided "AS IS" with no warranties, and confers no rights.

Nugs said:
Hi there everyone, I'm new to this newsgroup so I hope you don't mind me
just asking a question, but it has been working me for way to long now
Click to expand...
and
I
need some help. I'm fairly new to ASP.NET and VB.NET but have been cramming
for weeks now and hit a snag.It has to do with forms authentication in
ASP.NET. My problem is that when good credentials are sent from the
login.aspx page it doesn't seem to be generating a cookie for the user and
sends the user back to the login page because they are still
unauthenticated. I have been researching this allot and have been buried in
books for way to long now. Creating the login system seems so easy to do
that there are little troubleshooting pages to be found. I did find one that
described my problem in one short paragraph:
Click to expand...
[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/h
tml/SecNetch13.asp]
Using Forms Authentication
Make sure that the cookie name specified in the <forms> element is being
retrieved in the global.asax event handler correctly
(Application_AuthenticateRequest). Also, make sure the cookie is being
created. If the client is continuously sent back to the login page
(specified by the loginUrl attribute on the <forms> element) this indicates
that the cookie is not being created for some reason, or an authenticated
identity is not being placed into the context (HttpContext.User)


The structure I have is fairly simple. I have the root of my main
application open to anonymous users. I then have a secured directory called
'ClientCenter'. Both have there own web.config files specifying there
separate authorization.

At the root of my site I have my the main sites web.config file which looks
like so:

Code: 
<configuration>
<appSettings>
<add key="MM_CONNECTION_HANDLER_eOnConn" value="default_oledb.htm"
/>
<add key="MM_CONNECTION_STRING_eOnConn"
value="Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=C:\Inetpub\wwwroot\eOn\Database\eOn.mdb;Persist Security Info=False"
/>
<add key="MM_CONNECTION_DATABASETYPE_eOnConn" value="OleDb" />
<add key="MM_CONNECTION_SCHEMA_eOnConn" value="" />
<add key="MM_CONNECTION_CATALOG_eOnConn" value="" />
</appSettings>

<system.web>
<authentication mode="Forms">
<forms name=".CCAUTH" loginUrl="../login.aspx"
protection="All">
<credentials passwordFormat="Clear">
<user name="1" password="1" />
</credentials>
</forms>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</configuration>

My login page code (with some help from the MSDN) looks like so:

[Code]
<%@ Page Language="VB" AutoEventWireup="true" %>
<html>
<head>
<script runat="server">
Sub LoginBtn_Click(sender as Object, e as EventArgs)
'            If Page.IsValid Then
' Call the authentication event handler delegate (not
included in this example).
If FormsAuthentication.Authenticate(UserName.Text,
UserPass.Text) Then
' Return to the originally requested URL.
 FormsAuthentication.RedirectFromLoginPage(UserName.Text,
Remember.Checked)
Else
Msg.Text = "Invalid Credentials: Please try again"
End If
'            End If
End Sub
</script>

</head>

<body>
<form runat="server">
<h2>Login Page</h2>
<hr size="1" />
<table>
<tbody>
<tr>
<td>Username:</td>
<td><asp:TextBox id="UserName"
runat="server"></asp:TextBox></td>
<td><asp:RequiredFieldValidator id="RequiredFieldValidator1"
runat="server" ControlToValidate="UserName"
Display="Static"
ErrorMessage="*"></asp:RequiredFieldValidator></td>
</tr>
<tr>
<td>Password:</td>
<td><asp:TextBox id="UserPass" runat="server"
TextMode="Password"></asp:TextBox></td>
<td><asp:RequiredFieldValidator id="RequiredFieldValidator2"
runat="server" ControlToValidate="UserPass"
Display="Static"
ErrorMessage="*"></asp:RequiredFieldValidator></td>
</tr>
<tr>
<td colspan="3"> <asp:CheckBox id="Remember"
runat="server"></asp:CheckBox>Remember credentials?</td>
</tr>
</tbody>
</table>
<asp:button id="LoginBtn" onclick="LoginBtn_Click" runat="server"
text="Login"></asp:button>
<p><asp:Label id="Msg" runat="server"
ForeColor="red"></asp:Label></p>
</form>
</body>
</html>

And lastly the ClientCenter/web.config file looks like this:

[Code]
<configuration>
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</configuration>

Now from all the books and examples I have been through, this should be all
I need to get this login system up and running, right? Well something is
going on here and i have no clue what. Please could someone show me what I
am doing wrong here and why it is not generating my cookie! How do i ' Call
the authentication event handler delegate' and what is that exactly? Do i
have to set something in IIS for this to work? Please help!

Thanks
Nugs
[/QUOTE]
[/QUOTE]
Click to expand...
Click to expand...
 
H

Hernan de Lahitte

Ok, I think I can figure out what might be happening here.
You said that you have a different web.config on the subfolder that you
whant to authenticate access. In this scenario, your second web.config file
is not taken into account so from only your root config file, every time you
hit the login button on your login page, you came bacj to the same login
page therefore the cookie is never created. What I suggest is to use only
one main config file (root) with a location entry specifying the secure
folder.
Here you have a sample of this:

<system.web>
<authentication mode="Forms">
<forms loginUrl="Secure\login.aspx" Login page in an
SSL protected folder
protection="All" Privacy
and integrity
requireSSL="true" Prevents
cookie being sent over http
timeout="10" Limited
session lifetime
name="AppNameCookie" Unique
per-application name
path="/FormsAuth" and path
slidingExpiration="true" > Sliding
session lifetime
</forms>
</authentication>
</system.web>

<!-- The restricted folder is for authenticated and should be SSL access
only (recommended). -->
<location path="Secure" >
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>


--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl


This posting is provided "AS IS" with no warranties, and confers no rights.

Nugs said:
Nope that only denies access to my whole main site. I'm pretty sure my
problem has to do with the cookie "creation". <forms name=".CCAUTH"
loginUrl="../login.aspx" protection="All"> I have no clue what though!

Nugs

Hernan de Lahitte said:
On your root config authorization entry try change this;
<allow users="?" />

for this ;
<deny users="?" />



--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl


This posting is provided "AS IS" with no warranties, and confers no rights.

and buried
in one
that
Click to expand...
[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/h
tml/SecNetch13.asp]
Using Forms Authentication
Make sure that the cookie name specified in the <forms> element is being
retrieved in the global.asax event handler correctly
(Application_AuthenticateRequest). Also, make sure the cookie is being
created. If the client is continuously sent back to the login page
(specified by the loginUrl attribute on the <forms> element) this indicates
that the cookie is not being created for some reason, or an authenticated
identity is not being placed into the context (HttpContext.User)


The structure I have is fairly simple. I have the root of my main
application open to anonymous users. I then have a secured directory called
'ClientCenter'. Both have there own web.config files specifying there
separate authorization.

At the root of my site I have my the main sites web.config file which looks
like so:

Code: 
<configuration>
<appSettings>
<add key="MM_CONNECTION_HANDLER_eOnConn" value="default_oledb.htm"
/>
<add key="MM_CONNECTION_STRING_eOnConn"
value="Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=C:\Inetpub\wwwroot\eOn\Database\eOn.mdb;Persist Security Info=False"
/>
<add key="MM_CONNECTION_DATABASETYPE_eOnConn" value="OleDb" />
<add key="MM_CONNECTION_SCHEMA_eOnConn" value="" />
<add key="MM_CONNECTION_CATALOG_eOnConn" value="" />
</appSettings>

<system.web>
<authentication mode="Forms">
<forms name=".CCAUTH" loginUrl="../login.aspx"
protection="All">
<credentials passwordFormat="Clear">
<user name="1" password="1" />
</credentials>
</forms>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</configuration>

My login page code (with some help from the MSDN) looks like so:

[Code]
<%@ Page Language="VB" AutoEventWireup="true" %>
<html>
<head>
<script runat="server">
Sub LoginBtn_Click(sender as Object, e as EventArgs)
'            If Page.IsValid Then
' Call the authentication event handler delegate (not
included in this example).
If FormsAuthentication.Authenticate(UserName.Text,
UserPass.Text) Then
' Return to the originally requested URL.
 FormsAuthentication.RedirectFromLoginPage(UserName.Text,
Remember.Checked)
Else
Msg.Text = "Invalid Credentials: Please try again"
End If
'            End If
End Sub
</script>

</head>

<body>
<form runat="server">
<h2>Login Page</h2>
<hr size="1" />
<table>
<tbody>
<tr>
<td>Username:</td>
<td><asp:TextBox id="UserName"
runat="server"></asp:TextBox></td>
<td><asp:RequiredFieldValidator id="RequiredFieldValidator1"
runat="server" ControlToValidate="UserName"
Display="Static"
ErrorMessage="*"></asp:RequiredFieldValidator></td>
</tr>
<tr>
<td>Password:</td>
<td><asp:TextBox id="UserPass" runat="server"
TextMode="Password"></asp:TextBox></td>
<td><asp:RequiredFieldValidator id="RequiredFieldValidator2"
runat="server" ControlToValidate="UserPass"
Display="Static"
ErrorMessage="*"></asp:RequiredFieldValidator></td>
</tr>
<tr>
<td colspan="3"> <asp:CheckBox id="Remember"
runat="server"></asp:CheckBox>Remember credentials?</td>
</tr>
</tbody>
</table>
<asp:button id="LoginBtn" onclick="LoginBtn_Click" runat="server"
text="Login"></asp:button>
<p><asp:Label id="Msg" runat="server"
ForeColor="red"></asp:Label></p>
</form>
</body>
</html>

And lastly the ClientCenter/web.config file looks like this:

[Code]
<configuration>
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</configuration>

Now from all the books and examples I have been through, this should[/QUOTE] be
all[QUOTE]
I need to get this login system up and running, right? Well something is
going on here and i have no clue what. Please could someone show me[/QUOTE][/QUOTE] what[QUOTE]
I[/QUOTE] Do[QUOTE]
i
[/QUOTE]
[/QUOTE]
Click to expand...
Click to expand...
Click to expand...
 
N

Nugs

Ok, I did what you said and the result is that the ClientCenter directory is
accessible. I am not redirected to the login page. but the /ClientCenter
web.config file shoud be denying anonymous users. I might have done
something wrong, this is what I have now:

Root/Main web.config file:
<configuration>
<appSettings>
<add key="MM_CONNECTION_HANDLER_eOnConn" value="default_oledb.htm" />
<add key="MM_CONNECTION_STRING_eOnConn"
value="Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=C:\Inetpub\wwwroot\eOn\Database\eOn.mdb;Persist Security Info=False"
/>
<add key="MM_CONNECTION_DATABASETYPE_eOnConn" value="OleDb" />
<add key="MM_CONNECTION_SCHEMA_eOnConn" value="" />
<add key="MM_CONNECTION_CATALOG_eOnConn" value="" />
</appSettings>

<system.web>
<authentication mode="Forms">
<forms loginUrl="login.aspx" protection="All" requireSSL="true"
timeout="10" name="CCAuth" path="/" slidingExpiration="true">
<credentials passwordFormat="Clear">
<user name="1" password="1" />
</credentials>
</forms>
</authentication>

<authorization>
<allow users="?" />
</authorization>
</system.web>
</configuration>

And the web.config file located one directory up in /ClientCenter directory.
<configuration>
<location path="ClientCenter">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>

You also mentioned SSL and i am not very knowledgeable about it. What do you
think is wrong with the above code?

Nugs


Hernan de Lahitte said:
Ok, I think I can figure out what might be happening here.
You said that you have a different web.config on the subfolder that you
whant to authenticate access. In this scenario, your second web.config file
is not taken into account so from only your root config file, every time you
hit the login button on your login page, you came bacj to the same login
page therefore the cookie is never created. What I suggest is to use only
one main config file (root) with a location entry specifying the secure
folder.
Here you have a sample of this:

<system.web>
<authentication mode="Forms">
<forms loginUrl="Secure\login.aspx" Login page in an
SSL protected folder
protection="All" Privacy
and integrity
requireSSL="true" Prevents
cookie being sent over http
timeout="10" Limited
session lifetime
name="AppNameCookie" Unique
per-application name
path="/FormsAuth" and path
slidingExpiration="true" > Sliding
session lifetime
</forms>
</authentication>
</system.web>

<!-- The restricted folder is for authenticated and should be SSL access
only (recommended). -->
<location path="Secure" >
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>


--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl


This posting is provided "AS IS" with no warranties, and confers no rights.

Nugs said:
Nope that only denies access to my whole main site. I'm pretty sure my
problem has to do with the cookie "creation". <forms name=".CCAUTH"
loginUrl="../login.aspx" protection="All"> I have no clue what though!

Nugs
Click to expand...
mind
me now
and user
and
Click to expand...
to
do
Click to expand...
[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/h
tml/SecNetch13.asp]
Using Forms Authentication
Make sure that the cookie name specified in the <forms> element is being
retrieved in the global.asax event handler correctly
(Application_AuthenticateRequest). Also, make sure the cookie is being
created. If the client is continuously sent back to the login page
(specified by the loginUrl attribute on the <forms> element) this
indicates
that the cookie is not being created for some reason, or an authenticated
identity is not being placed into the context (HttpContext.User)


The structure I have is fairly simple. I have the root of my main
application open to anonymous users. I then have a secured directory
called
'ClientCenter'. Both have there own web.config files specifying there
separate authorization.

At the root of my site I have my the main sites web.config file which
looks
like so:

Code: 
<configuration>
<appSettings>
<add key="MM_CONNECTION_HANDLER_eOnConn"
value="default_oledb.htm"
/>
<add key="MM_CONNECTION_STRING_eOnConn"
value="Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=C:\Inetpub\wwwroot\eOn\Database\eOn.mdb;Persist Security
Info=False"
/>
<add key="MM_CONNECTION_DATABASETYPE_eOnConn"[/QUOTE][/QUOTE] value="OleDb"[QUOTE]
/>[QUOTE]
<add key="MM_CONNECTION_SCHEMA_eOnConn" value="" />
<add key="MM_CONNECTION_CATALOG_eOnConn" value="" />
</appSettings>

<system.web>
<authentication mode="Forms">
<forms name=".CCAUTH" loginUrl="../login.aspx"
protection="All">
<credentials passwordFormat="Clear">
<user name="1" password="1" />
</credentials>
</forms>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</configuration>

My login page code (with some help from the MSDN) looks like so:

[Code]
<%@ Page Language="VB" AutoEventWireup="true" %>
<html>
<head>
<script runat="server">
Sub LoginBtn_Click(sender as Object, e as EventArgs)
'            If Page.IsValid Then
' Call the authentication event handler delegate (not
included in this example).
If FormsAuthentication.Authenticate(UserName.Text,
UserPass.Text) Then
' Return to the originally requested URL.
 FormsAuthentication.RedirectFromLoginPage(UserName.Text,
Remember.Checked)
Else
Msg.Text = "Invalid Credentials: Please try again"
End If
'            End If
End Sub
</script>

</head>

<body>
<form runat="server">
<h2>Login Page</h2>
<hr size="1" />
<table>
<tbody>
<tr>
<td>Username:</td>
<td><asp:TextBox id="UserName"
runat="server"></asp:TextBox></td>
<td><asp:RequiredFieldValidator
id="RequiredFieldValidator1"
runat="server" ControlToValidate="UserName"
Display="Static"
ErrorMessage="*"></asp:RequiredFieldValidator></td>
</tr>
<tr>
<td>Password:</td>
<td><asp:TextBox id="UserPass" runat="server"
TextMode="Password"></asp:TextBox></td>
<td><asp:RequiredFieldValidator
id="RequiredFieldValidator2"
runat="server" ControlToValidate="UserPass"
Display="Static"
ErrorMessage="*"></asp:RequiredFieldValidator></td>
</tr>
<tr>
<td colspan="3"> <asp:CheckBox id="Remember"
runat="server"></asp:CheckBox>Remember credentials?</td>
</tr>
</tbody>
</table>
<asp:button id="LoginBtn" onclick="LoginBtn_Click" runat="server"
text="Login"></asp:button>
<p><asp:Label id="Msg" runat="server"
ForeColor="red"></asp:Label></p>
</form>
</body>
</html>

And lastly the ClientCenter/web.config file looks like this:

[Code]
<configuration>
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</configuration>

Now from all the books and examples I have been through, this should be
all
I need to get this login system up and running, right? Well[/QUOTE][/QUOTE] something[QUOTE]
is what Do
[/QUOTE]
[/QUOTE]
Click to expand...
Click to expand...
Click to expand...
 
H

Hernan de Lahitte

You should have only ONE web.config (root folder) with all these entries.
So the location element should be placed after the </system.web> closing
tag.

You Root/Main web.config file (and the ONLY config file) might look
something like this.

<configuration>

<appSettings>
<add key="MM_CONNECTION_HANDLER_eOnConn" value="default_oledb.htm" />
<add key="MM_CONNECTION_STRING_eOnConn"
value="Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=C:\Inetpub\wwwroot\eOn\Database\eOn.mdb;Persist Security Info=False"
/>
<add key="MM_CONNECTION_DATABASETYPE_eOnConn" value="OleDb" />
<add key="MM_CONNECTION_SCHEMA_eOnConn" value="" />
<add key="MM_CONNECTION_CATALOG_eOnConn" value="" />
</appSettings>

<system.web>
<authentication mode="Forms">
<forms loginUrl="login.aspx" protection="All" requireSSL="true"
timeout="10" name="CCAuth" path="/"
slidingExpiration="true">
<credentials passwordFormat="Clear">
<user name="1" password="1" />
</credentials>
</forms>
</authentication>

<authorization>
<allow users="*" />
</authorization>
</system.web>

<location path="ClientCenter">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

</configuration>


This assumes that you have a ClientCenter subfolder that you want to secure
access with Forms authentication so your login page (and all protected
pages) will be inside this folder.
Check out the authorization configuration in both the root and ClientCenter
location path. The former allows all users and the latter only the
authenticated users.

--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl


This posting is provided "AS IS" with no warranties, and confers no rights.

Nugs said:
Ok, I did what you said and the result is that the ClientCenter directory is
accessible. I am not redirected to the login page. but the /ClientCenter
web.config file shoud be denying anonymous users. I might have done
something wrong, this is what I have now:

Root/Main web.config file:
<configuration>
<appSettings>
<add key="MM_CONNECTION_HANDLER_eOnConn" value="default_oledb.htm" />
<add key="MM_CONNECTION_STRING_eOnConn"
value="Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=C:\Inetpub\wwwroot\eOn\Database\eOn.mdb;Persist Security Info=False"
/>
<add key="MM_CONNECTION_DATABASETYPE_eOnConn" value="OleDb" />
<add key="MM_CONNECTION_SCHEMA_eOnConn" value="" />
<add key="MM_CONNECTION_CATALOG_eOnConn" value="" />
</appSettings>

<system.web>
<authentication mode="Forms">
<forms loginUrl="login.aspx" protection="All" requireSSL="true"
timeout="10" name="CCAuth" path="/" slidingExpiration="true">
<credentials passwordFormat="Clear">
<user name="1" password="1" />
</credentials>
</forms>
</authentication>

<authorization>
<allow users="?" />
</authorization>
</system.web>
</configuration>

And the web.config file located one directory up in /ClientCenter directory.
<configuration>
<location path="ClientCenter">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>

You also mentioned SSL and i am not very knowledgeable about it. What do you
think is wrong with the above code?

Nugs


Hernan de Lahitte said:
Ok, I think I can figure out what might be happening here.
You said that you have a different web.config on the subfolder that you
whant to authenticate access. In this scenario, your second web.config file
is not taken into account so from only your root config file, every time you
hit the login button on your login page, you came bacj to the same login
page therefore the cookie is never created. What I suggest is to use only
one main config file (root) with a location entry specifying the secure
folder.
Here you have a sample of this:

<system.web>
<authentication mode="Forms">
<forms loginUrl="Secure\login.aspx" Login page in an
SSL protected folder
protection="All" Privacy
and integrity
requireSSL="true" Prevents
cookie being sent over http
timeout="10" Limited
session lifetime
name="AppNameCookie" Unique
per-application name
path="/FormsAuth" and path
slidingExpiration="true" > Sliding
session lifetime
</forms>
</authentication>
</system.web>

<!-- The restricted folder is for authenticated and should be SSL access
only (recommended). -->
<location path="Secure" >
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>


--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl


This posting is provided "AS IS" with no warranties, and confers no rights.

mind
Click to expand...
authentication
in to find
one
Click to expand...
[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/h
tml/SecNetch13.asp]
Using Forms Authentication
Make sure that the cookie name specified in the <forms> element is
being
retrieved in the global.asax event handler correctly
(Application_AuthenticateRequest). Also, make sure the cookie is being
created. If the client is continuously sent back to the login page
(specified by the loginUrl attribute on the <forms> element) this
indicates
that the cookie is not being created for some reason, or an
authenticated
identity is not being placed into the context (HttpContext.User)


The structure I have is fairly simple. I have the root of my main
application open to anonymous users. I then have a secured directory
called
'ClientCenter'. Both have there own web.config files specifying there
separate authorization.

At the root of my site I have my the main sites web.config file which
looks
like so:

Code: 
<configuration>
<appSettings>
<add key="MM_CONNECTION_HANDLER_eOnConn"
value="default_oledb.htm"
/>
<add key="MM_CONNECTION_STRING_eOnConn"
value="Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=C:\Inetpub\wwwroot\eOn\Database\eOn.mdb;Persist Security
Info=False"
/>
<add key="MM_CONNECTION_DATABASETYPE_eOnConn"[/QUOTE] value="OleDb"[QUOTE]
/>
<add key="MM_CONNECTION_SCHEMA_eOnConn" value="" />
<add key="MM_CONNECTION_CATALOG_eOnConn" value="" />
</appSettings>

<system.web>
<authentication mode="Forms">
<forms name=".CCAUTH" loginUrl="../login.aspx"
protection="All">
<credentials passwordFormat="Clear">
<user name="1" password="1" />
</credentials>
</forms>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</configuration>

My login page code (with some help from the MSDN) looks like so:

[Code]
<%@ Page Language="VB" AutoEventWireup="true" %>
<html>
<head>
<script runat="server">
Sub LoginBtn_Click(sender as Object, e as EventArgs)
'            If Page.IsValid Then
' Call the authentication event handler delegate (not
included in this example).
If FormsAuthentication.Authenticate(UserName.Text,
UserPass.Text) Then
' Return to the originally requested URL.

FormsAuthentication.RedirectFromLoginPage(UserName.Text,
Remember.Checked)
Else
Msg.Text = "Invalid Credentials: Please try again"
End If
'            End If
End Sub
</script>

</head>

<body>
<form runat="server">
<h2>Login Page</h2>
<hr size="1" />
<table>
<tbody>
<tr>
<td>Username:</td>
<td><asp:TextBox id="UserName"
runat="server"></asp:TextBox></td>
<td><asp:RequiredFieldValidator
id="RequiredFieldValidator1"
runat="server" ControlToValidate="UserName"
Display="Static"
ErrorMessage="*"></asp:RequiredFieldValidator></td>
</tr>
<tr>
<td>Password:</td>
<td><asp:TextBox id="UserPass" runat="server"
TextMode="Password"></asp:TextBox></td>
<td><asp:RequiredFieldValidator
id="RequiredFieldValidator2"
runat="server" ControlToValidate="UserPass"
Display="Static"
ErrorMessage="*"></asp:RequiredFieldValidator></td>
</tr>
<tr>
<td colspan="3"> <asp:CheckBox id="Remember"
runat="server"></asp:CheckBox>Remember credentials?</td>
</tr>
</tbody>
</table>
<asp:button id="LoginBtn" onclick="LoginBtn_Click"
runat="server"
text="Login"></asp:button>
<p><asp:Label id="Msg" runat="server"
ForeColor="red"></asp:Label></p>
</form>
</body>
</html>

And lastly the ClientCenter/web.config file looks like this:

[Code]
<configuration>
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</configuration>

Now from all the books and examples I have been through, this[/QUOTE] should
be[QUOTE]
all
I need to get this login system up and running, right? Well[/QUOTE] something[QUOTE]
is
going on here and i have no clue what. Please could someone show[/QUOTE] me
what[QUOTE]
I
am doing wrong here and why it is not generating my cookie! How do[/QUOTE][/QUOTE] i[QUOTE]
' exactly?
Do
[/QUOTE]
[/QUOTE]
Click to expand...
Click to expand...
Click to expand...
 
N

Nugs

Hernan,

First let me just say thank you so much for taking the time to write me the
previous code. It was very interesting and I learnt plenty from just taking
a look at it. Never thought I could secure a directory from one root
web.config file.

Unfortunately this does not seem to solve my problem. The login page is
still posting me back to itself because it is not authenticating the user. I
have my web.config file looking like you suggested and my login page looking
like so:
----------------------------------------------------------------------------
---------------------------
<%@Page Language="VB" %>
<%@ Register TagPrefix="MM" Namespace="DreamweaverCtrls"
Assembly="DreamweaverCtrls,version=1.0.0.0,publicKeyToken=836f606ede05d46a,c
ulture=neutral" %>
<MM:DataSet
id="eon_login"
runat="Server"
IsStoredProcedure="false"
ConnectionString='<%#
System.Configuration.ConfigurationSettings.AppSettings("MM_CONNECTION_STRING
_eOnConn") %>'
DatabaseType='<%#
System.Configuration.ConfigurationSettings.AppSettings("MM_CONNECTION_DATABA
SETYPE_eOnConn") %>'
CommandText='<%# "SELECT Password, UserID FROM LoginInformation WHERE
LoginInformation.Password = @txtPassword AND LoginInformation.UserID =
@txtUserID" %>'
Debug="true"<Parameters>
<Parameter Name="@txtUserID" Value='<%# IIf((Request.Form("txtUserID")
<> Nothing), Request.Form("txtUserID"), "xyz") %>' Type="VarChar" />
<Parameter Name="@txtPassword" Value='<%#
IIf((Request.Form("txtPassword") <> Nothing), Request.Form("txtPassword"),
"xyz") %>' Type="VarChar" />
</Parameters>
</MM:DataSet>
<MM:pageBind runat="server" PostBackBind="true" />

<html>
<head>
<link href="eOn.css" rel="stylesheet" type="text/css">

<script language="vb" runat="server">
Sub Login_Click(Src As Object, E As EventArgs)
IF eon_login.Recordcount > 0 then
FormsAuthentication.RedirectFromLoginPage(txtUserID.Text,
chkPersistLogin.Checked)
Else
ErrorMsg.InnerHtml = "Login Failed"
End If
End Sub
</script>
</head>
<body>
<form runat="server">
<table width="200" border="0" cellspacing="3" cellpadding="2">
<tr class="Text">
<td>User ID </td>
<td><asp:TextBox Columns="30" CssClass="forms" ID="txtUserID"
runat="server" TextMode="SingleLine" /></td>
</tr>
<tr class="Text">
<td>Password</td>
<td><asp:TextBox Columns="30" CssClass="forms" ID="txtPassword"
runat="server" TextMode="Password" /></td>
</tr>
<tr class="Text">
<td colspan="2"><asp:CheckBox CssClass="forms" ID="chkPersistLogin"
runat="server" Text="Remember Me!" TextAlign="right" /></td>
</tr>
<tr class="Text">
<td colspan="2"><asp:Button CssClass="forms" ID="btnSignIn"
runat="server" Text="Sign In" OnClick="Login_Click" /></td>
</tr>
<tr class="Text">
<td colspan="2"><div id="ErrorMsg" runat="server" /></td>
</tr>
</table>
</form>

</body>
</html>
----------------------------------------------------------------------------
---------------------------
I don't see any reason why this should not be working. All I can think it
may be it is some IIS setting or something that I never learnt about. It's
not the browser. The same result is produced in Netscape.

I'm also not sure why I have to point my loginUrl down a level. On the
examples I have read it seems as though there "<forms loginUrl" assumes they
are already at the root of the app. Mine has to go down a level "<forms
loginUrl="../login.aspx"", almost as though it's assuming I am already in
the /ClientCenter directory. Could this be something that might be causing
this?

Any further help is desperately needed.

Nugs


Hernan de Lahitte said:
You should have only ONE web.config (root folder) with all these entries.
So the location element should be placed after the </system.web> closing
tag.

You Root/Main web.config file (and the ONLY config file) might look
something like this.

<configuration>

<appSettings>
<add key="MM_CONNECTION_HANDLER_eOnConn" value="default_oledb.htm" />
<add key="MM_CONNECTION_STRING_eOnConn"
value="Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=C:\Inetpub\wwwroot\eOn\Database\eOn.mdb;Persist Security Info=False"
/>
<add key="MM_CONNECTION_DATABASETYPE_eOnConn" value="OleDb" />
<add key="MM_CONNECTION_SCHEMA_eOnConn" value="" />
<add key="MM_CONNECTION_CATALOG_eOnConn" value="" />
</appSettings>

<system.web>
<authentication mode="Forms">
<forms loginUrl="login.aspx" protection="All" requireSSL="true"
timeout="10" name="CCAuth" path="/"
slidingExpiration="true">
<credentials passwordFormat="Clear">
<user name="1" password="1" />
</credentials>
</forms>
</authentication>

<authorization>
<allow users="*" />
</authorization>
</system.web>

<location path="ClientCenter">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

</configuration>


This assumes that you have a ClientCenter subfolder that you want to secure
access with Forms authentication so your login page (and all protected
pages) will be inside this folder.
Check out the authorization configuration in both the root and ClientCenter
location path. The former allows all users and the latter only the
authenticated users.

--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl


This posting is provided "AS IS" with no warranties, and confers no rights.

Nugs said:
Ok, I did what you said and the result is that the ClientCenter
Click to expand...
directory
is
accessible. I am not redirected to the login page. but the /ClientCenter
web.config file shoud be denying anonymous users. I might have done
something wrong, this is what I have now:

Root/Main web.config file:
<configuration>
<appSettings>
<add key="MM_CONNECTION_HANDLER_eOnConn" value="default_oledb.htm" />
<add key="MM_CONNECTION_STRING_eOnConn"
value="Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=C:\Inetpub\wwwroot\eOn\Database\eOn.mdb;Persist Security Info=False"
/>
<add key="MM_CONNECTION_DATABASETYPE_eOnConn" value="OleDb" />
<add key="MM_CONNECTION_SCHEMA_eOnConn" value="" />
<add key="MM_CONNECTION_CATALOG_eOnConn" value="" />
</appSettings>

<system.web>
<authentication mode="Forms">
<forms loginUrl="login.aspx" protection="All" requireSSL="true"
timeout="10" name="CCAuth" path="/" slidingExpiration="true">
<credentials passwordFormat="Clear">
<user name="1" password="1" />
</credentials>
</forms>
</authentication>

<authorization>
<allow users="?" />
</authorization>
</system.web>
</configuration>

And the web.config file located one directory up in /ClientCenter directory.
<configuration>
<location path="ClientCenter">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>

You also mentioned SSL and i am not very knowledgeable about it. What do you
think is wrong with the above code?

Nugs


time
you long
now authentication the
user easy
to
Click to expand...
[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/h
tml/SecNetch13.asp]
Using Forms Authentication
Make sure that the cookie name specified in the <forms>
Click to expand...
Click to expand...
element
is
being
retrieved in the global.asax event handler correctly
(Application_AuthenticateRequest). Also, make sure the cookie is being
created. If the client is continuously sent back to the login page
(specified by the loginUrl attribute on the <forms> element) this
indicates
that the cookie is not being created for some reason, or an
authenticated
identity is not being placed into the context (HttpContext.User)


The structure I have is fairly simple. I have the root of my main
application open to anonymous users. I then have a secured directory
called
'ClientCenter'. Both have there own web.config files specifying there
separate authorization.

At the root of my site I have my the main sites web.config file which
looks
like so:

Code: 
<configuration>
<appSettings>
<add key="MM_CONNECTION_HANDLER_eOnConn"
value="default_oledb.htm"
/>
<add key="MM_CONNECTION_STRING_eOnConn"
value="Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=C:\Inetpub\wwwroot\eOn\Database\eOn.mdb;Persist Security
Info=False"
/>
<add key="MM_CONNECTION_DATABASETYPE_eOnConn" value="OleDb"
/>
<add key="MM_CONNECTION_SCHEMA_eOnConn" value="" />
<add key="MM_CONNECTION_CATALOG_eOnConn" value="" />
</appSettings>

<system.web>
<authentication mode="Forms">
<forms name=".CCAUTH" loginUrl="../login.aspx"
protection="All">
<credentials passwordFormat="Clear">
<user name="1" password="1" />
</credentials>
</forms>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</configuration>

My login page code (with some help from the MSDN) looks like so:

[Code]
<%@ Page Language="VB" AutoEventWireup="true" %>
<html>
<head>
<script runat="server">
Sub LoginBtn_Click(sender as Object, e as EventArgs)
'            If Page.IsValid Then
' Call the authentication event handler delegate (not
included in this example).
If FormsAuthentication.Authenticate(UserName.Text,
UserPass.Text) Then
' Return to the originally requested URL.

FormsAuthentication.RedirectFromLoginPage(UserName.Text,
Remember.Checked)
Else
Msg.Text = "Invalid Credentials: Please try again"
End If
'            End If
End Sub
</script>

</head>

<body>
<form runat="server">
<h2>Login Page</h2>
<hr size="1" />
<table>
<tbody>
<tr>
<td>Username:</td>
<td><asp:TextBox id="UserName"
runat="server"></asp:TextBox></td>
<td><asp:RequiredFieldValidator
id="RequiredFieldValidator1"
runat="server" ControlToValidate="UserName"
Display="Static"
ErrorMessage="*"></asp:RequiredFieldValidator></td>
</tr>
<tr>
<td>Password:</td>
<td><asp:TextBox id="UserPass" runat="server"
TextMode="Password"></asp:TextBox></td>
<td><asp:RequiredFieldValidator
id="RequiredFieldValidator2"
runat="server" ControlToValidate="UserPass"
Display="Static"
ErrorMessage="*"></asp:RequiredFieldValidator></td>
</tr>
<tr>
<td colspan="3"> <asp:CheckBox id="Remember"
runat="server"></asp:CheckBox>Remember credentials?</td>
</tr>
</tbody>
</table>
<asp:button id="LoginBtn" onclick="LoginBtn_Click"
runat="server"
text="Login"></asp:button>
<p><asp:Label id="Msg" runat="server"
ForeColor="red"></asp:Label></p>
</form>
</body>
</html>

And lastly the ClientCenter/web.config file looks like this:

[Code]
<configuration>
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</configuration>

Now from all the books and examples I have been through, this should
be
all
I need to get this login system up and running, right? Well something
is
going on here and i have no clue what. Please could someone show me
what
I
am doing wrong here and why it is not generating my cookie! How[/QUOTE][/QUOTE] do[QUOTE]
i
[/QUOTE]
[/QUOTE]
Click to expand...
Click to expand...
Click to expand...
 
N

Nugs

Oh my god,

That was the longest waist of time for nothing. Just on a hunch I shut down
Zone Alarm, my firewall, and my user authentication is working perfectly
now.

Man I am really sorry about waiting your time but I learned allot, thanks
for your help.

Nugs

Hernan de Lahitte said:
You should have only ONE web.config (root folder) with all these entries.
So the location element should be placed after the </system.web> closing
tag.

You Root/Main web.config file (and the ONLY config file) might look
something like this.

<configuration>

<appSettings>
<add key="MM_CONNECTION_HANDLER_eOnConn" value="default_oledb.htm" />
<add key="MM_CONNECTION_STRING_eOnConn"
value="Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=C:\Inetpub\wwwroot\eOn\Database\eOn.mdb;Persist Security Info=False"
/>
<add key="MM_CONNECTION_DATABASETYPE_eOnConn" value="OleDb" />
<add key="MM_CONNECTION_SCHEMA_eOnConn" value="" />
<add key="MM_CONNECTION_CATALOG_eOnConn" value="" />
</appSettings>

<system.web>
<authentication mode="Forms">
<forms loginUrl="login.aspx" protection="All" requireSSL="true"
timeout="10" name="CCAuth" path="/"
slidingExpiration="true">
<credentials passwordFormat="Clear">
<user name="1" password="1" />
</credentials>
</forms>
</authentication>

<authorization>
<allow users="*" />
</authorization>
</system.web>

<location path="ClientCenter">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

</configuration>


This assumes that you have a ClientCenter subfolder that you want to secure
access with Forms authentication so your login page (and all protected
pages) will be inside this folder.
Check out the authorization configuration in both the root and ClientCenter
location path. The former allows all users and the latter only the
authenticated users.

--
Hernan de Lahitte
Lagash Systems S.A.
http://weblogs.asp.net/hernandl


This posting is provided "AS IS" with no warranties, and confers no rights.

Nugs said:
Ok, I did what you said and the result is that the ClientCenter
Click to expand...
directory
is
accessible. I am not redirected to the login page. but the /ClientCenter
web.config file shoud be denying anonymous users. I might have done
something wrong, this is what I have now:

Root/Main web.config file:
<configuration>
<appSettings>
<add key="MM_CONNECTION_HANDLER_eOnConn" value="default_oledb.htm" />
<add key="MM_CONNECTION_STRING_eOnConn"
value="Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=C:\Inetpub\wwwroot\eOn\Database\eOn.mdb;Persist Security Info=False"
/>
<add key="MM_CONNECTION_DATABASETYPE_eOnConn" value="OleDb" />
<add key="MM_CONNECTION_SCHEMA_eOnConn" value="" />
<add key="MM_CONNECTION_CATALOG_eOnConn" value="" />
</appSettings>

<system.web>
<authentication mode="Forms">
<forms loginUrl="login.aspx" protection="All" requireSSL="true"
timeout="10" name="CCAuth" path="/" slidingExpiration="true">
<credentials passwordFormat="Clear">
<user name="1" password="1" />
</credentials>
</forms>
</authentication>

<authorization>
<allow users="?" />
</authorization>
</system.web>
</configuration>

And the web.config file located one directory up in /ClientCenter directory.
<configuration>
<location path="ClientCenter">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>

You also mentioned SSL and i am not very knowledgeable about it. What do you
think is wrong with the above code?

Nugs


time
you long
now authentication the
user easy
to
Click to expand...
[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/h
tml/SecNetch13.asp]
Using Forms Authentication
Make sure that the cookie name specified in the <forms>
Click to expand...
Click to expand...
element
is
being
retrieved in the global.asax event handler correctly
(Application_AuthenticateRequest). Also, make sure the cookie is being
created. If the client is continuously sent back to the login page
(specified by the loginUrl attribute on the <forms> element) this
indicates
that the cookie is not being created for some reason, or an
authenticated
identity is not being placed into the context (HttpContext.User)


The structure I have is fairly simple. I have the root of my main
application open to anonymous users. I then have a secured directory
called
'ClientCenter'. Both have there own web.config files specifying there
separate authorization.

At the root of my site I have my the main sites web.config file which
looks
like so:

Code: 
<configuration>
<appSettings>
<add key="MM_CONNECTION_HANDLER_eOnConn"
value="default_oledb.htm"
/>
<add key="MM_CONNECTION_STRING_eOnConn"
value="Provider=Microsoft.Jet.OLEDB.4.0;Data
Source=C:\Inetpub\wwwroot\eOn\Database\eOn.mdb;Persist Security
Info=False"
/>
<add key="MM_CONNECTION_DATABASETYPE_eOnConn" value="OleDb"
/>
<add key="MM_CONNECTION_SCHEMA_eOnConn" value="" />
<add key="MM_CONNECTION_CATALOG_eOnConn" value="" />
</appSettings>

<system.web>
<authentication mode="Forms">
<forms name=".CCAUTH" loginUrl="../login.aspx"
protection="All">
<credentials passwordFormat="Clear">
<user name="1" password="1" />
</credentials>
</forms>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</configuration>

My login page code (with some help from the MSDN) looks like so:

[Code]
<%@ Page Language="VB" AutoEventWireup="true" %>
<html>
<head>
<script runat="server">
Sub LoginBtn_Click(sender as Object, e as EventArgs)
'            If Page.IsValid Then
' Call the authentication event handler delegate (not
included in this example).
If FormsAuthentication.Authenticate(UserName.Text,
UserPass.Text) Then
' Return to the originally requested URL.

FormsAuthentication.RedirectFromLoginPage(UserName.Text,
Remember.Checked)
Else
Msg.Text = "Invalid Credentials: Please try again"
End If
'            End If
End Sub
</script>

</head>

<body>
<form runat="server">
<h2>Login Page</h2>
<hr size="1" />
<table>
<tbody>
<tr>
<td>Username:</td>
<td><asp:TextBox id="UserName"
runat="server"></asp:TextBox></td>
<td><asp:RequiredFieldValidator
id="RequiredFieldValidator1"
runat="server" ControlToValidate="UserName"
Display="Static"
ErrorMessage="*"></asp:RequiredFieldValidator></td>
</tr>
<tr>
<td>Password:</td>
<td><asp:TextBox id="UserPass" runat="server"
TextMode="Password"></asp:TextBox></td>
<td><asp:RequiredFieldValidator
id="RequiredFieldValidator2"
runat="server" ControlToValidate="UserPass"
Display="Static"
ErrorMessage="*"></asp:RequiredFieldValidator></td>
</tr>
<tr>
<td colspan="3"> <asp:CheckBox id="Remember"
runat="server"></asp:CheckBox>Remember credentials?</td>
</tr>
</tbody>
</table>
<asp:button id="LoginBtn" onclick="LoginBtn_Click"
runat="server"
text="Login"></asp:button>
<p><asp:Label id="Msg" runat="server"
ForeColor="red"></asp:Label></p>
</form>
</body>
</html>

And lastly the ClientCenter/web.config file looks like this:

[Code]
<configuration>
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</configuration>

Now from all the books and examples I have been through, this should
be
all
I need to get this login system up and running, right? Well something
is
going on here and i have no clue what. Please could someone show me
what
I
am doing wrong here and why it is not generating my cookie! How[/QUOTE][/QUOTE] do[QUOTE]
i
[/QUOTE]
[/QUOTE]
Click to expand...
Click to expand...
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Loop through record in datareader in aspx for textbox other item 1
Forms Authentication Cookie Expiration Problem for SSO 1
Hello everyone... 3
Forms authentication - clean cookie when close browser 1
Forms Auth (roles being ignored) 0
forms authentication -- expired forms cookie vs. not provided forms cookie 2
Forms Authentication 4
forms authentication brings up dialog 0

Members online

Total: 79 (members: 1, guests: 78)
Robots: 407

Forum statistics

Threads
473,995
Messages
2,570,230
Members
46,819
Latest member
masterdaster

Latest Threads

Top