Using web.config file for redirect - web-config

Using only the web.config file, I need to redirect from one domain to another, and I also need to redirect each individual page (there are 25 of them) in my website to its corresponding page under the new domain. And the renamed /index.htm page, which is the home page (same as the domain name alone) and which is /ghostwriter.htm needs to be redirected to its corresponding page, which will also be the new home page.
Thus: http://www.rainbowriting.com/ is the same page as http://www.rainbowriting.com/ghostwriter.htm (the index page).

You need to make sure ASP.NET is handling .htm files (set this in IIS). Then configure web.config:
<configuration>
  <location path="oldPage1.htm">
    <system.webServer>
      <httpRedirect enabled="true" destination="http://www.newDomain.com/newPage1.htm" httpResponseStatus="Permanent" />
    </system.webServer>
  </location>
  <location path="oldPage2.htm">
    <system.webServer>
      <httpRedirect enabled="true" destination="http://www.newDomain.com/newPage2.htm" httpResponseStatus="Permanent" />
    </system.webServer>
  </location>
  <!-- etc. -->
</configuration>

Related

how passing parameter ?id=x inside location path web.config

I'm trying to redirect from web.config using this structure:
<location path="name-page.asp?id=1">
  <system.webServer>
    <httpRedirect enabled="true" destination="new-page.asp" httpResponseStatus="Permanent" />
  </system.webServer>
</location>
But I get an error in name-page.asp?Id=1 because you can't use the "?" parameter, at least I think. How can I get around this?

Having trouble with web.config redirect; 500 internal server error

I've created a new website and some old links don't work, so I want to redirect those links to my new homepage with anchor tags. I have tried so many code snippets but nothing is working. Can anyone see what I've done wrong (I'm not a programmer)? Thanks!
I just get:
500 - Internal server error. There is a problem with the resource you
are looking for, and it cannot be displayed.
Here is my code:
<location path="page_contact.html">
  <system.webServer>
    <httpRedirect enabled="true" destination="http://www.mywebsite.com/index.html#contact" httpResponseStatus="Permanent" />
  </system.webServer>
</location>
<location path="portfolio.html">
  <system.webServer>
    <httpRedirect enabled="true" destination="http://www.mywebsite.com/index.html#portfolio" httpResponseStatus="Permanent" />
  </system.webServer>
</location>

web.config: redirect 301 doesn't work properly

I want to do a 301 redirect for all the requests on one site (also images, documents, and other files) to the homepage of another site.
I tried putting the web.config on the root of the site, and I'd insert this code:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location>
    <system.webServer>
      <httpErrors existingResponse="PassThrough" />
      <httpRedirect enabled="true" destination="http://www.newsite.com/" httpResponseStatus="Permanent" />
    </system.webServer>
  </location>
</configuration>
But with this code in the web.config, the problem is that if I type:
http://www.oldsite.com/file.html
the browser redirects me to: http://www.newsite.com/file.html
But I need all the redirects to go to the homepage.
How can I do it?
You need to set exactDestination="true" to make the destination absolute:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location>
    <system.webServer>
      <httpErrors existingResponse="PassThrough" />
      <httpRedirect exactDestination="true" enabled="true" destination="http://www.newsite.com/" httpResponseStatus="Permanent" />
    </system.webServer>
  </location>
</configuration>
See: https://www.iis.net/configreference/system.webserver/httpredirect

How to make ASP.NET MVC View Insecure via location tag in Web.Config

I have the following authorization settings in my web.config:
<authorization>
  <deny users="?" />
</authorization>
This denies all anonymous access to the application except the login page. In addition to this I am using authorization within each controller action via a custom authorize attribute.
I have one additional action that I would like to expose publicly in addition to the login page. This particular action does not have the authorization attribute on it. I have tried to make this view (resetPassword view) public by using the location tag in the web.config file like so:
<location path="Account/ResetPassword" allowOverride="false">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
In the path attribute above I have tried both the view as well as the action path, but it doesn't allow public access to the action.
I have even tried to put this view in a separate folder within the shared folder and put a separate web.config file to make that folder public like so:
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>
None of the above configurations allow me to make this particular action (view) public. Can anyone suggest any other solutions, or what I may be doing wrong in this case?
Thanks in advance.
You can remove the authorization tag from the web config and just use the authorize attribute.
The action without the Authorize attribute set will be public.
I had the same problem some time ago. Please have a look at this question and its answers.
If you want to do it using the web config then use code like this
<!-- Allow access to _assets directory -->
<location path="_assets">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
In your sample you are using "*" but you should use "?" ;)

How can I set the Secure flag on an ASP.NET Session Cookie?

How can I set the Secure flag on an ASP.NET Session Cookie, so that it will only be transmitted over HTTPS and never over plain HTTP?
In the <system.web> element, add the following element:
<httpCookies requireSSL="true" />
However, if you have a <forms> element in your system.web\authentication block, then this will override the setting in httpCookies, setting it back to the default false.
In that case, you need to add the requireSSL="true" attribute to the forms element as well.
So you will end up with:
<system.web>
  <authentication mode="Forms">
    <forms requireSSL="true">
      <!-- forms content -->
    </forms>
  </authentication>
</system.web>
See here and here for MSDN documentation of these elements.
There are two ways. One, the httpCookies element in web.config, allows you to turn on requireSSL, which transmits all cookies, including the session cookie, over SSL only; the other is inside forms authentication. But if you turn on SSL on httpCookies, you must also turn it on inside the forms configuration too.
Edit for clarity:
Put this in <system.web>
<httpCookies requireSSL="true" />
Things get messy quickly if you are talking about checked-in code in an enterprise environment. We've found that the best approach is to have the web.Release.config contain the following:
<system.web>
  <compilation xdt:Transform="RemoveAttributes(debug)" />
  <authentication>
    <forms xdt:Transform="Replace" timeout="20" requireSSL="true" />
  </authentication>
</system.web>
That way, developers are not affected (running in Debug), and only servers that get Release builds are requiring cookies to be SSL.
Building upon @Mark D's answer I would use web.config transforms to set all the various cookies to Secure. This includes setting anonymousIdentification cookieRequireSSL and httpCookies requireSSL.
To that end you'd set up your web.Release.config as:
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.web>
    <httpCookies xdt:Transform="SetAttributes(httpOnlyCookies)" httpOnlyCookies="true" />
    <httpCookies xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
    <anonymousIdentification xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
  </system.web>
</configuration>
If you're using Roles and Forms Authentication with the ASP.NET Membership Provider (I know, it's ancient) you'll also want to set the roleManager cookieRequireSSL and the forms requireSSL attributes as secure too. If so, your web.release.config might look like this (included above plus new tags for membership API):
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.web>
    <httpCookies xdt:Transform="SetAttributes(httpOnlyCookies)" httpOnlyCookies="true" />
    <httpCookies xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
    <anonymousIdentification xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
    <roleManager xdt:Transform="SetAttributes(cookieRequireSSL)" cookieRequireSSL="true" />
    <authentication>
      <forms xdt:Transform="SetAttributes(requireSSL)" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
Background on web.config transforms here: http://go.microsoft.com/fwlink/?LinkId=125889
Obviously this goes beyond the original question of the OP but if you don't set them all to secure you can expect that a security scanning tool will notice and you'll see red flags appear on the report. Ask me how I know. :)
secure - This attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text.
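
As an added example (not part of any answer above, and not Microsoft's code), this Python script audits a web.config for the cookie attributes the answers name, including the case from the first answer where httpCookies has requireSSL="true" but the forms element does not. The function name audit_cookie_flags, the two sample configs and the loginUrl value are constructed for illustration, and the script assumes the config declares no default XML namespace.

```python
import xml.etree.ElementTree as ET

# (path below <system.web>, attribute) pairs named in the answers above.
CHECKS = [
    ("httpCookies", "requireSSL"),
    ("httpCookies", "httpOnlyCookies"),
    ("authentication/forms", "requireSSL"),
    ("roleManager", "cookieRequireSSL"),
    ("anonymousIdentification", "cookieRequireSSL"),
]

# Constructed sample: httpCookies is set, but <forms> lacks requireSSL.
WEAK = """<configuration><system.web>
  <httpCookies requireSSL="true" />
  <authentication mode="Forms"><forms loginUrl="~/Account/Login" /></authentication>
</system.web></configuration>"""

# Constructed sample: every cookie-issuing element present is marked secure.
HARDENED = """<configuration><system.web>
  <httpCookies requireSSL="true" httpOnlyCookies="true" />
  <anonymousIdentification enabled="true" cookieRequireSSL="true" />
  <roleManager enabled="true" cookieRequireSSL="true" />
  <authentication mode="Forms"><forms requireSSL="true" /></authentication>
</system.web></configuration>"""

def audit_cookie_flags(config_xml):
    """Return one finding per cookie attribute that is not explicitly true."""
    web = ET.fromstring(config_xml).find("system.web")
    if web is None:
        return ["no <system.web> section found"]
    findings = []
    for path, attr in CHECKS:
        elem = web.find(path)
        name = path.split("/")[-1]
        if elem is None:
            # Optional features are skipped when not configured;
            # httpCookies is always relevant because its flags default to false.
            if name == "httpCookies":
                findings.append(f"<{name}> missing: {attr} defaults to false")
            continue
        if elem.get(attr, "false").lower() != "true":
            findings.append(f"<{name}> {attr} is not true")
    return findings

if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_cookie_flags(xml_text) or "OK")
```

Run it against the transformed (Release) config rather than the base web.config, since the transforms above only take effect at publish time.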