tags:

views:

1893

answers:

5
+3  Q: 

Authentication through web.config not authenticating in ASP.net 3.5

Hi,

This is one of this things that should be extremely simple and I just can't work out why it's not working.

I'm trying to set up some very quick authentication for an ASP.net 3.5 app but storing the usernames and passwords in the web.config file (I know it's not very secure but it's an internal app that I keep getting asked to add and remove logins for so this is the quickest way to do it).

So, the relevant config section looks like this:

<authentication mode="Forms">
   <forms loginUrl="~/login.aspx">
    <credentials>
     <user name="user" password="password" />
     <user name="user2" password="password2" />
    </credentials>
   </forms>
  </authentication>

  <authorization>
    <deny users="?"/>
  </authorization>

And, in the login page, the code look like this:

string username = tbUsername.Text;
string password = tbPassword.Text;

if (FormsAuthentication.Authenticate(username, password))
    FormsAuthentication.RedirectFromLoginPage(username, false);

But, FormsAuthentication.Authenticate(username, password) always returns false. And I can't figure out why.

I even tried using Membership.ValidateUser but that just adds in a local database to the App_Data folder.

Is there something really basic I'm forgetting here or does this not work at all in .net 3.5?

Thanks,

K

+6  A: 

I'm not sure if this has changed in .NET 3.5, but the <credentials> element has an attribute passwordFormat that defines the format for passwords in the web.config. From the MSDN documentation for .NET 3.5, the default format is SHA1.

If you're using cleartext usernames and passwords in your web.config, you should use:

...
<credentials passwordFormat="Clear">
...

Event though this is an internal application I'd still recommend at least hashing the password instead of leaving it in clear text.

dariom  2009-07-17 12:37:41
Magic, that was it! Good bit of forehead-meets-palm when I read that. Amazing what you forget on a Friday afternoon. Many thanks!
Kevin Wilson  2009-07-17 12:46:45
+2  A: 

I think the reason is because you did not indicate the passwordFormat. http://msdn.microsoft.com/en-us/library/e01fc50a.aspx

Default is SHA1, hence your clear text in fact not used properly.

o.k.w  2009-07-17 12:41:23
+1  A: 

You have to specify <credentials passwordFormat="Clear"> when you store password in clear text.

The alternatives are encrypted passwords using MD5 or SHA1.

See http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.hashpasswordforstoringinconfigfile.aspx for a function to encode a password.

You might also consider using some of the available user controls that does a lot for you automatically. Look under the "Login" section in the control toolbox in Visual Studio.

The following page will provide everything you need for this simple case, and the looks of the Login control is fully customizable:

<%@ Page Language="C#" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;

<script runat="server">

    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        e.Authenticated = FormsAuthentication.Authenticate(Login1.UserName, Login1.Password);
    }
</script>

<html xmlns="http://www.w3.org/1999/xhtml"&gt;
<head runat="server">
    <title>Login</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:Login ID="Login1" runat="server" onauthenticate="Login1_Authenticate">
        </asp:Login>
    </div>
    </form>
</body>
</html>
awe  2009-07-17 12:54:22
A: 

Another possible pitfall that is that the user name "Admin" appears to be special and not honored if your testing a credential set in web.config

<credentials>
 <user name="Admin" password="somepassword" />  //Authentication always returns false for me
</credentials>

<credentials>
 <user name="MyName" password="somepassword" />  //Authentication works normally 
</credentials>

The problem doesn't seem to apply in your case, but I just spent an hour figuring that out so I thought I'd record it here.

Glenn  2009-09-03 06:21:13
A: 

Hello! i find that solution........first you have to get hashvalue by using FormsAuthentication.HashPasswordForStoringInConfigFile("abc","SHA1") in text box by running your program and then provide this value in

naval  2009-10-22 10:06:56

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps