ReturnURL does not contain the defaultURL file - web-config

I am trying to determine why I am having an issue with forms authentication in my application. Specifically the ReturnURL parameters. I expect my URL to look like this "http://www.example.com/ApplicationName/login.aspx?ReturnURL=%2fApplicationDirectory%2ListImages.aspx" when I browse to the address
"http://www.example.com/ApplicationName".
Web.Config contains
<authentication mode="Forms">
<forms loginUrl="login.aspx" defaultUrl="ListImages.aspx" name=".WebDashboardAuth" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
The URL created is instead "http://www.example.com/ApplicationName/login.aspx?ReturnURL=%2fApplicationDirectory%2" and does not show the defaultURL file.
What could be wrong with my setup?

The defaultUrl parameter in your Web.Config is the path that will be accessed if there is no ReturnURL in the Querystring. It won't be passed as a Querystring.
The ReturnURL in the Querystring can be what you expect if a non-authenticated user goes to http://www.mydomain.com/ApplicationName/ListImages.aspx and is then thrown back to Login.aspx. Only then will the ReturnURL have a path.

Related

restrict access to particular page for particular user

Using VB.NET. It contains one page named trlist.aspx. I want to allow particular users (xxx, yyy) to access the page; others are not allowed. I made some changes in web.config, but I am not able to get the result, i.e. access is not denied for the particular user; they are able to access it.
web.config
<location path="trlist.aspx">
<system.web>
<authorization>
<allow users="xxx,yyy"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

asp.net forms authentication deny any user from accessing new web forms

I'm having a problem with an assignment on ASP.NET. I would like to ask, is there any way in which I can prevent any users (including authenticated users) from accessing newly created web forms unless I specified the access rights to the page in the web.config?
I tried using
<deny users="*"/>
but it denies all users from accessing any pages, even those for which I have already specified access rights, for example:
<location path="home.aspx">
Here is a good article to look at; the example is from MS Support:
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this
application except for those that you have explicitly
allowed by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated
user access to the ThePageThatUnauthenticatedUsersCanVisit.aspx
page only. It is located in the same folder
as this configuration file. -->
<location path="ThePageThatUnauthenticatedUsersCanVisit.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated
user access to all of the files that are stored
in the TheDirectoryThatUnauthenticatedUsersCanVisit folder. -->
<location path="TheDirectoryThatUnauthenticatedUsersCanVisit">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
This should help you:
<location path="FolderName/pagename.aspx">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
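The two questions above (allowing only xxx and yyy to trlist.aspx, and a deny-all that also blocks pages with their own location rules) both come down to how ASP.NET URL authorization evaluates rules. This added model (not code from any of the posts, sample fragments constructed) shows the first-match evaluation and that <location> rules are merged ahead of the parent <system.web> rules:

```python
"""Model of ASP.NET URL authorization: rules are checked top to bottom and the
first match wins; rules from a <location> element are merged ahead of the
parent <system.web> rules; "?" matches anonymous users, "*" matches everyone.
Added example, not from any post above; the sample fragments are constructed."""
import xml.etree.ElementTree as ET


def parse_rules(authorization_xml):
    """Return [(action, users, roles)] from an <authorization> fragment."""
    rules = []
    for el in ET.fromstring(authorization_xml):
        if el.tag in ("allow", "deny"):
            users = {u.strip().lower() for u in el.get("users", "").split(",") if u.strip()}
            roles = {r.strip().lower() for r in el.get("roles", "").split(",") if r.strip()}
            rules.append((el.tag, users, roles))
    return rules


def rule_matches(rule, user, user_roles):
    """user is None for an anonymous request; names compare case-insensitively."""
    _, users, roles = rule
    if "*" in users or (user is None and "?" in users):
        return True
    if user is not None and user.lower() in users:
        return True
    return bool(roles & {r.lower() for r in user_roles})


def is_allowed(location_rules, parent_rules, user, user_roles=()):
    """First matching rule decides; with no match at all, the machine-level
    <allow users="*"/> applies and the request is allowed."""
    for rule in location_rules + parent_rules:
        if rule_matches(rule, user, user_roles):
            return rule[0] == "allow"
    return True


# Constructed samples mirroring the questions above.
ROOT_RULES = parse_rules('<authorization><deny users="?"/></authorization>')
PUBLIC_PAGE = parse_rules('<authorization><allow users="*"/></authorization>')
TRLIST_OK = parse_rules('<authorization><allow users="xxx,yyy"/><deny users="*"/></authorization>')
TRLIST_BAD = parse_rules('<authorization><deny users="*"/><allow users="xxx,yyy"/></authorization>')

if __name__ == "__main__":
    print(is_allowed(PUBLIC_PAGE, ROOT_RULES, None))   # True: location allow is checked first
    print(is_allowed([], ROOT_RULES, None))            # False: anonymous denied by root rule
    print(is_allowed(TRLIST_OK, ROOT_RULES, "xxx"))    # True
    print(is_allowed(TRLIST_OK, ROOT_RULES, "zzz"))    # False: falls through to deny *
    print(is_allowed(TRLIST_BAD, ROOT_RULES, "xxx"))   # False: deny * matched before the allow
```

Swapping the order of the two trlist rules is the difference between "only xxx and yyy" and "nobody", which is why a deny-all placed before the allows blocks everything.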

Allow anonymous access to Content and Script folder

I am building an ASP.NET MVC 2 website that uses Forms authentication. Now I want to allow unauthenticated users access to the Scripts and Content folders, so the stylesheets and images will load. However, it does not work. From what I found on Google, this should work:
<location allowOverride="false" path="Content">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location allowOverride="false" path="Scripts">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
It does not work in ASP.NET MVC 2 on IIS (win7). The stylesheet and javascript requests are redirected to Account/LogOn. How do I fix this?
Update: Anonymous Authentication is enabled in IIS. So is forms authentication.
Don't use the Authorization tags in the web.config. Use the Authorization attribute in your Controllers (or Actions).

How to make ASP.NET MVC View Insecure via location tag in Web.Config

I have the following authorization settings in my web.config:
<authorization>
<deny users="?" />
</authorization>
This denies all anonymous access to the application except the login page. In addition to this I am using authorization within each controller action via a custom authorize attribute.
I have one additional action that I would like to expose publicly in addition to the login page. This particular action does not have the authorization attribute on it. I have tried to make this view (resetPassword view) public by using the location tag in the web.config file like so:
<location path="Account/ResetPassword" allowOverride="false">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
In the path attribute above I have tried both the view as well as the action path, but it doesn't allow public access to the action.
I have even tried to put this view in a separate folder within the shared folder and put a separate web.config file to make that folder public like so:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
None of the above configurations allow me to make this particular action (view) public. Can anyone suggest any other solutions, or what I may be doing wrong in this case?
Thanks in advance.
You can remove the authorization tag from the web config and just use the authorize attribute.
The action without the Authorize attribute set will be public.
I had the same problem some time ago. Please have a look at this question and its answers.
If you want to do it using the web config then use code like this
<!-- Allow access to _assets directory -->
<location path="_assets">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
In your sample you are using "*" but you should use "?" ;)

How can I set the Secure flag on an ASP.NET Session Cookie?

How can I set the Secure flag on an ASP.NET Session Cookie, so that it will only be transmitted over HTTPS and never over plain HTTP?
In the <system.web> element, add the following element:
<httpCookies requireSSL="true" />
However, if you have a <forms> element in your system.web\authentication block, then this will override the setting in httpCookies, setting it back to the default false.
In that case, you need to add the requireSSL="true" attribute to the forms element as well.
So you will end up with:
<system.web>
<authentication mode="Forms">
<forms requireSSL="true">
<!-- forms content -->
</forms>
</authentication>
</system.web>
See here and here for MSDN documentation of these elements.
There are two ways: the httpCookies element in web.config lets you turn on requireSSL, which transmits all cookies, including the session cookie, over SSL only, and there is also a setting inside forms authentication; but if you turn on SSL in httpCookies you must also turn it on inside the forms configuration too.
Edit for clarity:
Put this in <system.web>
<httpCookies requireSSL="true" />
Things get messy quickly if you are talking about checked-in code in an enterprise environment. We've found that the best approach is to have the web.Release.config contain the following:
<system.web>
<compilation xdt:Transform="RemoveAttributes(debug)" />
<authentication>
<forms xdt:Transform="Replace" timeout="20" requireSSL="true" />
</authentication>
</system.web>
That way, developers are not affected (running in Debug), and only servers that get Release builds are requiring cookies to be SSL.
Building upon Mark D's answer, I would use web.config transforms to set all the various cookies to Secure. This includes setting anonymousIdentification cookieRequireSSL and httpCookies requireSSL.
To that end you'd set up your web.Release.config as:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.web>
<httpCookies xdt:Transform="SetAttributes(httpOnlyCookies)" httpOnlyCookies="true" />
<httpCookies xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
<anonymousIdentification xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
</system.web>
</configuration>
If you're using Roles and Forms Authentication with the ASP.NET Membership Provider (I know, it's ancient) you'll also want to set the roleManager cookieRequireSSL and the forms requireSSL attributes as secure too. If so, your web.release.config might look like this (included above plus new tags for membership API):
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.web>
<httpCookies xdt:Transform="SetAttributes(httpOnlyCookies)" httpOnlyCookies="true" />
<httpCookies xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
<anonymousIdentification xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
<roleManager xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
<authentication>
<forms xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
</authentication>
</system.web>
</configuration>
Background on web.config transforms here: http://go.microsoft.com/fwlink/?LinkId=125889
Obviously this goes beyond the original question of the OP but if you don't set them all to secure you can expect that a security scanning tool will notice and you'll see red flags appear on the report. Ask me how I know. :)
secure - This attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text.
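The answers above make the point that httpCookies requireSSL alone is not enough: the forms, roleManager and anonymousIdentification elements each carry their own SSL flag, all defaulting to false. The following added audit script (not from any of the answers; the web.config it checks is constructed) parses an effective web.config and reports every cookie flag that is still off, which is the kind of check a scanner would flag:

```python
"""Audit an effective web.config for the cookie-hardening flags discussed above.
Added example, not from any of the answers; SAMPLE_WEB_CONFIG is constructed."""
import xml.etree.ElementTree as ET

# (element path under <system.web>, attribute, why it matters). Every one of
# these defaults to false in ASP.NET, so a missing attribute counts as off.
CHECKS = [
    ("httpCookies", "requireSSL", "session and other cookies may be sent over plain HTTP"),
    ("httpCookies", "httpOnlyCookies", "cookies readable by client-side script"),
    ("authentication/forms", "requireSSL",
     "forms auth cookie overrides httpCookies requireSSL back to false"),
    ("roleManager", "cookieRequireSSL", "role cookie may be sent over plain HTTP"),
    ("anonymousIdentification", "cookieRequireSSL",
     "anonymous-identification cookie may be sent over plain HTTP"),
]


def audit_cookie_flags(web_config_xml):
    """Return {'<path>@<attr>': reason} for every check that is not satisfied.
    httpCookies is always checked; the optional features are only checked when
    their element is present and not explicitly disabled, since a feature that
    is not in use never issues its cookie."""
    system_web = ET.fromstring(web_config_xml).find("system.web")
    findings = {}
    for path, attr, reason in CHECKS:
        el = system_web.find(path) if system_web is not None else None
        if path != "httpCookies" and (el is None or el.get("enabled", "true").lower() == "false"):
            continue
        if el is None or el.get(attr, "false").lower() != "true":
            findings[f"{path}@{attr}"] = reason
    return findings


# Constructed sample: httpCookies is hardened, but <forms> and <roleManager>
# are not, which is exactly the trap described in the accepted answer.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" timeout="20" />
    </authentication>
    <roleManager enabled="true" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for key, reason in audit_cookie_flags(SAMPLE_WEB_CONFIG).items():
        print(f"{key}: {reason}")
```

Run it against the transformed output of web.Release.config rather than the raw transform file, since the xdt attributes themselves are not what the server sees.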