Asked By
Taon Gia
120 points
N/A
Posted on - 05/07/2011
I enabled Windows forms-based authentication for my website. After enabling Windows forms-based authentication, some of the images and colors of the website page got lost! When I disabled the authentication mechanism, the images and colors came back again.
I have no idea why! Can somebody explain this situation to me?
Answered By
WizKid
0 points
N/A
#90239
Enabling Windows Forms Based Authentication Cause Error
.Net Forms authentication basically locks out all resources except for the login page. In the event you are using linked resources inside the HTML page, they are prevented from downloading onto the client browser. Basically all resources need to be "embedded" on the login page itself. This means you need to have in-line styles and preferably no graphics. If you are using linked resources such as style sheets and images, you need to tell the .Net Website to exclude resources from being secure.
Answered By
Taon Gia
120 points
N/A
#90241
In the event the login page requires other resources such as images, scripts and CSS files, should not the .Net Framework just free them up and allow them to download? This is because if the entry point to the website is the login page, should not the framework allow it to function correctly? This is news to me! Is it not a bug in the framework?
Answered By
WizKid
0 points
N/A
#90242
When you secure the pages, a total lockdown occurs. Only the page HTML and inline scripts and styles are allowed. Basically you are only allowed to "download" the login page HTML and NOT its linked resources! This is by design. It follows the security principle that "only thyself and not others". In a way it is good, because in order to allow linked resources to be "downloadable", the respective resources need to be "unsecured". This will invite a security hole. Therefore, I do not think it's a bug.
Answered By
Taon Gia
120 points
N/A
#90243
Now comes the big question. How do I go about excluding the style sheet and the images that I have used in my web page from the .Net Authentication framework? I have a logo image, a button image and a style sheet. I also have a set of JavaScript files that I use for animations on the login page. Do I need to set special Windows file permissions on them? I could not find an option on the web configuration wizard to specify files as "unsecured".
Answered By
WizKid
0 points
N/A
#90244
I would recommend that you put all the files that are required for the login page into one folder and then exclude that folder only. This is done by putting an entry in the Web.Config and not via Windows file permissions. Assuming you put all the files in a folder called "unsecure", the following code in the Web.Config will do the trick:
<location path="unsecure">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
The allow users attribute needs to have the value of "star" (asterisk *). This means all users, including anonymous users.
Answered By
Taon Gia
120 points
N/A
#90245
After putting in the suggested code, the web page looks half OK. I am using a theme file as well. Do I need to exclude it as well in a similar fashion? Is the following code correct? I am using a theme called "default".
 <location path="App_Themes/default">
  <system.web>
   <authorization>
    <allow users="*"/>
   </authorization>
  </system.web>
 </location>
Answered By
WizKid
0 points
N/A
#90246
That is correct. You need to exclude the themes directory as well. This is because it follows the same pattern as excluding your images. All resources that are required for the login page need to be excluded. You are learning fast!
Answered By
Taon Gia
120 points
N/A
#90247
Thank you, WizKid. You were excellent! My web page now looks good! I learnt a lot from this thread regarding .Net Forms authentication!
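Added example, not part of the original thread or any poster's code: a small Python check that reads a Web.config, lists the `<location>` paths opened to anonymous users as in the answers above, and flags any file under them that is not a static asset. The sample config (including the site-wide Forms settings and `Login.aspx`), the file listing and the static-extension list are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample Web.config: the two <location> exclusions from the thread,
# wrapped in an assumed site-wide Forms authentication policy.
WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="~/Login.aspx"/></authentication>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <location path="unsecure">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="App_Themes/default">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
</configuration>"""

# Constructed file listing, relative to the site root.
SITE_FILES = ["Login.aspx", "Default.aspx", "unsecure/logo.png", "unsecure/login.js",
              "unsecure/Report.aspx", "App_Themes/default/site.css"]

# Assumption: only these static types belong in an anonymously readable folder.
STATIC_EXT = {".css", ".js", ".png", ".gif", ".jpg", ".ico"}

def anonymous_paths(config_xml):
    """Return <location> paths with an <allow> rule for '*' (all) or '?' (anonymous)."""
    paths = []
    for loc in ET.fromstring(config_xml).findall("location"):
        allows = loc.findall("system.web/authorization/allow")
        if any({"*", "?"} & {u.strip() for u in a.get("users", "").split(",")} for a in allows):
            paths.append(loc.get("path", "").strip("/"))
    return paths

def audit(config_xml, files):
    """Map each anonymous path to the files under it that are not static assets."""
    report = {}
    for path in anonymous_paths(config_xml):
        # An empty or "." path means the rule applies to the whole site.
        prefix = "" if path in ("", ".") else path.lower() + "/"
        report[path] = [f for f in files
                        if f.lower().startswith(prefix)
                        and PurePosixPath(f).suffix.lower() not in STATIC_EXT]
    return report

if __name__ == "__main__":
    for path, risky in audit(WEB_CONFIG, SITE_FILES).items():
        print(path, "->", risky or "static assets only")
```

Anything the audit reports (here the constructed `unsecure/Report.aspx`) would be reachable without logging in and should be moved out of the excluded folder.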