My FormsAuthentication.RedirectFromLoginPage() isn't working.

Discussion in 'C#' started by nubsii, Apr 16, 2008.

  1. #1
    Hello

    I'm writing a small test app to mess with authentication and I'm stuck :/

    A user enters my site from default.aspx. Default.aspx has a single link on it, going to secure/private.aspx.

    Private.aspx has one line of text: "you shouldnt be reading this if you didnt enter the right user/pw"

    That's the whole thing!

    When the user clicks on the link to private.aspx they get redirected to login.aspx because of what I've written in my web.config:
    
    <authentication mode="Forms">
      <forms name="=.ASPXAUTH" loginUrl="Login.aspx" >
        <credentials passwordFormat="Clear">
          <user name="myUserName" password="myPassWord" />
        </credentials>
      </forms>
    </authentication>
    
    So that makes them go to login.aspx (OR IS IT? see second web.config at bottom). Login.aspx consists of two inputs (user, password) and a button with the following code behind:

    
        protected void Submit_OnClick(object sender, EventArgs e)
        {
            if (FormsAuthentication.Authenticate(
                  txtUserName.Text, txtPassword.Text))
            {
                FormsAuthentication.RedirectFromLoginPage(
                  User.Identity.Name, false);
                  //Should the above be txtUserName.Text instead? aren't these the same in theory?
            }
            else
            {
                Response.Write("invalid credentials");
            }
        }
    
    This works KINDA.. if the username and password are wrong it does in fact write "invalid credentials." If the user name and password are correct it simply reloads the login page without redirecting.

    There's ONE MORE THING and I'm guessing this is the problem but I don't know why: I have two web.configs (well, that's not the problem, what's IN them might be though). The first is the web.config shown above and is in the root of my app: AuthTest/web.config. I have another located at AuthTest/secure/web.config which reads as follows:
    
    <!-- shortened -->
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
    
    I don't know what 'deny users' is really... I'm guessing it's what specifies that the contents of /secure/ require a valid login. I got that code after reading a tutorial.

    Thanks for your help
     
    nubsii, Apr 16, 2008 IP
  2. nubsii

    #2
    Well, I can't really say I know what was wrong... but I have some quite different code now which works, and I'll share it in case someone has a similar problem.

    root directory web.config:
    
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             protection="None"
             timeout="30"
             name=".ASPXAUTH"
             path="/"
             requireSSL="false"
             slidingExpiration="true"
             defaultUrl="default.aspx"
             cookieless="UseCookies"
             enableCrossAppRedirects="false">
        <credentials passwordFormat="Clear">
          <user name="nubsii" password="somepassword" />
        </credentials>
      </forms>
    </authentication>
    
    logging in:
    
    if (FormsAuthentication.Authenticate(txtUserName.Text, txtPassword.Text))
    {
        if (Request.QueryString["ReturnUrl"] != null)
        {
            FormsAuthentication.RedirectFromLoginPage(txtUserName.Text, false);
        }
        else
        {
            FormsAuthentication.SetAuthCookie(txtUserName.Text, false);
        }
    }
    else
    {
        Response.Write("Invalid UserID and Password");
    }
    
    web.config for a directory that I want password protected:
    
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
    
     
    nubsii, Apr 16, 2008 IP
  3. irock2

    #3
    The authorization section of your web.config file determines if the user is authenticated and then either allows the user access to the protected directory/page or boots the user to Login.aspx.
     
    irock2, Apr 19, 2008 IP
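
An added example, not code from any poster in this thread: a small Python audit of the forms-authentication settings shown above, flagging a `protection` value other than `All`, an auth cookie not restricted to SSL, clear-text credentials stored in web.config, and a config with no `<deny users="?" />` rule. The sample config is constructed from the values quoted in post #2, with the `/secure/` authorization rule merged in; the function name and finding codes are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the root web.config settings quoted in post #2,
# plus the <authorization> rule from the /secure/ web.config.
SAMPLE = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" protection="None" name=".ASPXAUTH"
             requireSSL="false" cookieless="UseCookies">
        <credentials passwordFormat="Clear">
          <user name="nubsii" password="somepassword" />
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>"""

def audit_forms_auth(xml_text):
    """Return a sorted list of finding codes for one web.config document."""
    root = ET.fromstring(xml_text)
    findings = set()
    for forms in root.iter("forms"):
        # protection defaults to "All" (ticket is encrypted and validated).
        if forms.get("protection", "All").lower() != "all":
            findings.add("TICKET_NOT_FULLY_PROTECTED")
        # requireSSL defaults to false: the cookie may travel over plain HTTP.
        if forms.get("requireSSL", "false").lower() != "true":
            findings.add("COOKIE_NOT_SSL_ONLY")
        for creds in forms.iter("credentials"):
            # Only an explicit "Clear" means readable passwords in the file.
            if creds.get("passwordFormat", "").lower() == "clear":
                findings.add("CLEARTEXT_PASSWORD_IN_CONFIG")
    # "?" is the anonymous user; without a deny rule for it, nothing
    # in this file forces a login before the content is served.
    denies_anonymous = any(
        "?" in [u.strip() for u in d.get("users", "").split(",")]
        for d in root.iter("deny"))
    if not denies_anonymous:
        findings.add("ANONYMOUS_NOT_DENIED")
    return sorted(findings)

if __name__ == "__main__":
    for code in audit_forms_auth(SAMPLE):
        print(code)
```

The check is per file, so a root web.config that leaves authorization to a subdirectory config will report `ANONYMOUS_NOT_DENIED` by design; run it on each web.config in the tree.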