views:

125

answers:

2

I have a website built with ASP.NET (3.5) and want add some level of security into it.

I am using the login controls to help with this. I have one issue though.

I have within my web.config the following.

<authorization>
  <deny users="?"/>       
</authorization>

This work fine when a user has not logged in before (ie. if they goto the default.aspx form then it redirects the user to the login.aspx form). But if it is a new user then I want to allow that user to enter new details using the CreateUserWizard on signup.aspx form. But for some reason it just jumps back to the login form.

Am I missing something? I thought these login controls would allow for this kind of senario?

+4  A: 

You need to add an exception allowing them access to the login page

<location path="SignUp.aspx">
<system.web>
  <authorization>
    <allow users="*"/>
  </authorization>
</system.web>
</location>

Something like that in the System.Web node.

Brandon
Thanks for the edit, I didn't notice I forgot the closing tag :P
Brandon
A: 

You are confusing Authentication with Authorization.

Authentication is the process of obtaining identification credentials such as name and password from a user and validating those credentials against some authority.

Authorization determines whether an identity should be granted access to a specific resource.

The "authorization" tags you were using is a method of URL authorization. Basically you explicitly allow or deny access to a particular directory.

So, for the page where you have the signup forms you need to explicitly allow access to all users.

Mircea Grelus