Best IT Recipes

ASP.NET Form Authentication

I have the following ASP.NET Forms authentication configuration:

<system.web> <authentication mode="Forms"> <forms name="MembershipCookie" loginUrl="Login.aspx" protection="All" timeout="525600" slidingExpiration="true" enableCrossAppRedirects="true" path="/"> </forms> </authentication> <authorization> <deny users="?" /> </authorization> </system.web> <location path="Home.aspx"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location

If an anonymous user visits the site and asks for home.aspx , if they are denied access and deleted to the Login.aspx page, because the first rule is <deny users="?" /> <deny users="?" /> will match and further processing will stop?

The site runs on IIS7.5, ASP.NET 4.0, and the application pool is configured for Integrated Pipeline mode.

Update:

The reason for this question was sanity to test my understanding of ASP.NET 4.0 Forms authentication behavior (which was really correct). There is a related follow-up question that describes what looks like a bug in a fix (which is also scanned in Windows 2008R2 SP1) - KB980368:

ASP.NET 2.0 and 4.0 seem to handle the root URL differently in Form Authentication

+1
forms-authentication
Feb 22 2018-11-22T00:
source share
2 answers

If the user accesses Home.aspx, he will use the configuration section for Home.aspx specified by <location /> , and therefore, the user will not be uploaded to Login.aspx.

+3
Feb 22 '11 at 13:10
source share
— -

If the user gets access to Home.aspx, then the second rule ie

 <location path="Home.aspx"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location>

It should be indicated here: * reports that any authorized user (with any or not assigned role) could access this page, but ? reports an unauthorized user was unable to access the page.

+2
Feb 22 '11 at 13:17
source share


More articles:


All Articles