Problem with Forms Authentication

[Rob]

I'm not sure if I'm missing something but my forms authentication
doesn't work. I'm trying to access my page and I should be redirected to
login.aspx but it just let's me access the page.

Here's my web.config code:

<authentication mode="Forms">
<forms name="login" loginUrl="login.aspx" protection="All"
timeout="15" />
</authentication>

<authorization>
<allow users="*" />
<deny users="?" />
</authorization>

My login page takes care of the login information:

Dim sql As String
sql = "SELECT username FROM contacts WHERE username ='" &
txtUsername.Text & "' AND password ='" & txtPassword.Text & "'"
Dim cn As SqlConnection = New
SqlConnection(ConfigurationSettings.AppSettings("CONN_STRING"))
Dim comm As SqlCommand = New SqlCommand(sql, cn)
comm.Connection.Open()
Dim reader As SqlDataReader =
comm.ExecuteReader(CommandBehavior.CloseConnection)

If reader.Read() Then
FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, True)
Else
lblMessage.Text = "Invalid User"
End If

This web config is in the same folder as my web pages so if I should try
to access "page1.aspx", I should be redirected to login.aspx.

Am I not correct or am I missing something.

Thanks for you help.

Rob

 

[Greg Burns]

I believe is should be:

<authorization>
<deny users="?" />
</authorization>

Greg

 

[Lucas Tam]

<authorization>
<allow users="*" />
<deny users="?" />
</authorization>

Remote allow user="*". You're telling Forms Auth to allow all users access.

If reader.Read() Then
FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, True)
Else
lblMessage.Text = "Invalid User"
End If

You should do a reader.close before redirecting. Otherwise you'll have a
connection leak.

 

[Rob]

Thanks guys,
I made the change you suggested and it still allows me to access the
page???

Rob

 

[Greg Burns]

Can you post your web.config?

Greg

 

[Rob]

This is my web.config file. I've removed the comments for clarity.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<appSettings>
<add key=.../>
<add key=.../>
</appSettings>

<system.web>
<compilation defaultLanguage="vb" debug="true" />
<customErrors mode="RemoteOnly" />
<authentication mode="Forms">
<forms name="login" loginUrl="login.aspx" protection="All"
timeout="15" />
</authentication>

<authorization>
<deny users="?" />
</authorization>

<trace enabled="false" requestLimit="10" pageOutput="false"
traceMode="SortByTime" localOnly="true" />


<sessionState
mode="InProc"
stateConnectionString="tcpip=127.0.0.1:42424"
sqlConnectionString="data source=127.0.0.1;user
id=sa;password="
cookieless="false"
timeout="20"
/>

<globalization requestEncoding="utf-8" responseEncoding="utf-8"
/>

</system.web>

</configuration>

Thanks
Rob

 

[Greg Burns]

The page you can access without it redirecting you to login.aspx, it is
still page1.aspx right? Forms authentication will not stop you from viewing
..html files. (grasping here)

You do have anonymous access turned on for the virtual directory (in IIS,
this is the default). This web.config is in the root directory of your
virtual directory right?

<forms name="login" loginUrl="login.aspx" protection="All" timeout="15" />

(you don't need protect="All", that is the default)

Everything looks ok to me. I dunno what is wrong.

Greg

 

[Rob]

Ya, you're right in all cases. I'll keep trying and if I figure it out,
I'll post the results. Thanks for your help.

Rob