
ASP.NET authorization problem authorizes everyone

So I got 2 .aspx files. One called login and one called default. The idea is that when you start up the application you will be kicked to the Login screen. I'm doing this with the following code in the default.aspx.vb file:

Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs)
    If (HttpContext.Current.User.Identity.IsAuthenticated = False) Then
        Response.Redirect("Login.aspx")
    End If
End Sub

Problem is that you're always authenticated for some reason. It always returns true. My web.config file looks like this:

<configuration>
  <appSettings>
    <add key="strConn" value="EDITED"/>
  </appSettings>
  <location path="~/Styles">
    <system.web>
      <customErrors mode="Off">
      </customErrors>
      <authentication mode="Forms">
        <forms name=".ASPXAUTH"
               loginUrl="Login.aspx"
               protection="All"
               timeout="30"
               path="/">
        </forms>
      </authentication>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
      <compilation debug="true" strict="false" explicit="true" targetFramework="4.0">
        <assemblies>
          <add assembly="Microsoft.Data.Odbc, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
          <add assembly="system.web.security"/>
        </assemblies>
      </compilation>
    </system.web>
  </location>
</configuration>

I've tried with as well, didn't change anything. The users get authenticated through a database. Currently I am running the program in Visual Studio, not on my website. When the user has been checked through the database I use this code:

FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, chkPersistCookie.Checked)

So any idea why people are always authorized?


I think the problem is the location tag. You're only applying these rules to the Styles directory, not the entire site.
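
The scoping issue described in the answer above, as an added example that is not part of the original thread: a Python check that reads a web.config and reports whether the deny-anonymous rule sits at the site root or only inside a `<location>` element. The two embedded configs are constructed samples trimmed to the authorization rules, and the function names are hypothetical; only the `users` attribute is examined (roles and verbs are ignored).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's layout, trimmed to the authorization rules.
SCOPED = """<configuration>
  <location path="~/Styles">
    <system.web>
      <authorization><deny users="?" /><allow users="*" /></authorization>
    </system.web>
  </location>
</configuration>"""

# Constructed sample: the same rules moved to the site root.
SITE_WIDE = """<configuration>
  <system.web>
    <authorization><deny users="?" /><allow users="*" /></authorization>
  </system.web>
</configuration>"""


def first_match_denies_anonymous(authorization):
    """ASP.NET URL authorization applies the first rule that matches the user."""
    for rule in authorization:
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "?" in users or "*" in users:  # both patterns match an anonymous user
            return rule.tag == "deny"
    # No matching rule here: the inherited default (allow users="*") applies.
    return False


def audit(web_config_text):
    """Return (root_denies_anonymous, {location path: denies_anonymous})."""
    root = ET.fromstring(web_config_text)
    site_rules = root.find("system.web/authorization")
    root_denies = site_rules is not None and first_match_denies_anonymous(site_rules)
    scoped = {}
    for loc in root.findall("location"):
        rules = loc.find("system.web/authorization")
        if rules is not None:
            scoped[loc.get("path")] = first_match_denies_anonymous(rules)
    return root_denies, scoped


if __name__ == "__main__":
    for name, text in (("scoped", SCOPED), ("site-wide", SITE_WIDE)):
        print(name, audit(text))
```

A `False` in the first position means pages at the site root, such as default.aspx, are not covered by any deny rule for anonymous users.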


You shouldn't need to write any code to perform the redirection when not logged in. The framework is smart enough to look at the authentication, and log you in.

Two items to note:

Change this:

<deny users="*" />

to:

<deny users="?" />
<allow users="*" />

This denies only unauthenticated users.

See if that makes a difference. The second item to check is the user info. In the immediate window, enter:

HttpContext.Current.User.Identity.Name
HttpContext.Current.User.Identity.AuthenticationMode //or similarly named, forget exact name

And see what it tells you... also what type of object is Identity? Is it GenericIdentity, FormsIdentity, or WindowsIdentity?

Thanks.
