page vs directory security


js

I am trying to use forms authentication where the configuration
parameters are specified in web.config in my application root directory
"/".

My application has secured pages and public pages scattered in various
directories, and the start page (main.aspx) is a public page with a logon
button to control the accessibility of secured pages. When I use the
following configuration, I get "Server Error in "/" Application".
How do I set the Web.config so that it will redirect the user to login.aspx
discretionally when accessing a secured page? Thanks.

<system.web>
  <compilation defaultLanguage="c#" debug="true" />
  <customErrors mode="Off" />

  <authentication mode="Forms" />
  <authorization>
    <deny users="?" />
  </authorization>
  <forms name=".ASPXCOOKIEDEMO"
         loginUrl="Login.aspx" protection="all" timeout="30" path="/">
  </forms>
  <trace enabled="false" requestLimit="10" pageOutput="false"
         traceMode="SortByTime" localOnly="true" />
  <sessionState cookieless="true" timeout="20" />
</system.web>
 
Thanks but it doesn't work. I think this configuration is for entire
site but not for just secured pages.
 
js wrote:
Thanks but it doesn't work. I think this configuration is for entire
site but not for just secured pages.

Hi JS,

Sorry to say, it does work. When a user hits a protected page (using
the authorization element in the web.config), the framework will
auto-redirect to the login page specified, like I said. If you want to
secure just a directory, add an extra config file to that directory and
specify the security settings in there.

Grtz, Wouter
 
Ok. It worked that upon hitting my website the request is redirected to
the Login.aspx, but I only need the visitors to login when they request
any secured page. After they login, their credentials are persisted
during the active session, they WON'T see the Login.aspx again. By
configuring the way you suggested, the first thing user sees is the
Login.aspx.

Say, my web site URL is http://www.mywebsite.com which contains
Main.aspx (the default page, no login required),
\directory1\Public1.aspx, \directory1\Private2.aspx,
\directory2\Public3.aspx, \directory2\Private4.aspx. When a user hits
the URL, they will see the Main.aspx, they should NOT see Login.aspx.
Neither should they see the Login.aspx when they click the links or
buttons of Public1.aspx or Public3.aspx. ONLY when they click the links
or buttons of Private2.aspx or Private4.aspx will they be asked to
login.

Hope this explains my situation. Thanks.
 
Well, I figured it out. I just added <location> tags for those pages
that are public. The following is part of my Web.config settings.

<system.web>
  <compilation defaultLanguage="c#" debug="true" />
  <customErrors mode="RemoteOnly" />
  <trace enabled="false" requestLimit="10" pageOutput="false"
         traceMode="SortByTime" localOnly="true" />
  <sessionState cookieless="true" timeout="20" />
  <authentication mode="Forms">
    <forms name="my_Authorization"
           loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           path="/"
           requireSSL="false"
           slidingExpiration="false">
      <credentials passwordFormat="SHA1"/>
    </forms>
  </authentication>
  <authorization>
    <deny users="?"/>
  </authorization>
</system.web>

<location path="main.aspx">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>

<location path="directory1/public1.aspx">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>

<location path="directory2/public3.aspx">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
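
An added example, not part of the thread: a small Python audit that evaluates a Web.config laid out like the one above and reports which pages an anonymous visitor can reach, so you can confirm that only the intended pages were opened up. It assumes first-match-wins evaluation from the most specific <location> outward with a final allow-all default, and it reads only the users attribute (roles and verbs are ignored); the SAMPLE config, the page list and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample with the thread's layout: deny anonymous site-wide,
# then re-allow individual public pages with <location>.
SAMPLE = """<configuration>
  <system.web>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <location path="main.aspx">
    <system.web><authorization><allow users="?"/></authorization></system.web>
  </location>
  <location path="directory1/public1.aspx">
    <system.web><authorization><allow users="?"/></authorization></system.web>
  </location>
</configuration>"""

def _rules(scope):
    """(action, users) pairs, in document order, from a scope's <authorization>."""
    authz = scope.find("system.web/authorization")
    if authz is None:
        return []
    return [(r.tag, {u.strip() for u in r.get("users", "").split(",")})
            for r in authz if r.tag in ("allow", "deny")]

def anonymous_allowed(config_xml, url_path):
    """True if an unauthenticated request for url_path passes URL authorization."""
    root = ET.fromstring(config_xml)
    url = url_path.replace("\\", "/").strip("/").lower()  # assumption: case-insensitive paths
    matches = []
    for loc in root.findall("location"):
        p = loc.get("path", "").strip("/").lower()
        if p in ("", ".") or url == p or url.startswith(p + "/"):
            matches.append((len(p), loc))
    rules = []
    for _, loc in sorted(matches, key=lambda m: -m[0]):  # most specific first
        rules += _rules(loc)
    rules += _rules(root)              # then the site-wide rules
    rules.append(("allow", {"*"}))     # assumed default when nothing else matches
    for action, users in rules:
        if users & {"?", "*"}:         # first rule covering anonymous users wins
            return action == "allow"

def public_pages(config_xml, pages):
    """Subset of pages reachable without logging in."""
    return [p for p in pages if anonymous_allowed(config_xml, p)]

if __name__ == "__main__":
    pages = ["Main.aspx", "directory1/Public1.aspx", "directory1/Private2.aspx"]
    print(public_pages(SAMPLE, pages))
```

Forms authentication exempts the loginUrl page itself from these rules, which this check does not model.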
 