I'm seeing some new behavior in Forms Authentication after upgrading to .NET 4.0. This occurs only on IIS 6, not on 7.

Background - In web.config, we configure Forms Authentication, and then use <authorization> tags to globally deny anonymous/unauthenticated users access. Then we explicitly allow access to a login.aspx page using a <location> tag. Generally, this works fine, as it did when we were on .NET 2.0 (3.5).

The issue only occurs when we visit the root path of the site, i.e. "http://myserver/". Our default document is configured in IIS to be login.aspx. Under .NET 4.0, upon visiting that URL, we're redirected to "http://myserver/login.aspx?ReturnUrl=/". If you log in from here, you're logged in and returned to the login page (yuck).

Just wanted to post this here to see if anyone else is experiencing this. It's not listed on any "breaking changes" documentation I've been able to find. Either I'm missing something, or the UrlAuthorization module has changed and is no longer "smart" about IIS default documents.
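For readers who want to see the layout the question describes in one place, here is an added example web.config (not the poster's actual file). It assumes a Forms Authentication setup with a global deny for anonymous users, plus explicit <location> carve-outs for the two pages named in the thread; the file names "login.aspx" and "signup.aspx" and the timeout value are assumptions.

```xml
<?xml version="1.0"?>
<!-- Added example web.config, not the poster's actual file: Forms Authentication,
     a global deny for anonymous users, and explicit <location> carve-outs for the
     pages unauthenticated users must be able to reach. File names are assumed. -->
<configuration>
  <system.web>
    <compilation targetFramework="4.0" />

    <!-- Unauthenticated requests for protected content are redirected to loginUrl,
         with ?ReturnUrl=<requested path> appended so the user can be sent back afterwards. -->
    <authentication mode="Forms">
      <forms name="login" loginUrl="login.aspx" timeout="30" />
    </authentication>

    <!-- Default deny: "?" is the anonymous (unauthenticated) user.
         Everything not explicitly allowed below requires a login. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Per-path overrides. Settings inside a <location> element take precedence
       over the site-wide <authorization> block for that path only ("*" = all users). -->
  <location path="login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="signup.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this configuration a direct request for /login.aspx or /signup.aspx is served to anonymous users, while any other path is redirected to login.aspx with a ReturnUrl. The behaviour the question reports concerns the bare root URL "/", which is not one of the <location> paths: whether the default-document mapping to login.aspx is honoured before the authorization check is exactly what is in dispute in the thread.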

+2  A: 

You shouldn't have IIS defaulted to login.aspx.

ASP.NET has its own mechanisms for ensuring authenticated access. In particular, for any unauthenticated request for content that requires authenticated users, it will redirect to the page specified in the loginUrl attribute of the Web.config authentication\forms element.

...
<authentication mode="Forms" ...>
    <forms name="login" loginUrl="login.aspx" ... />
</authentication>
...

('login.aspx' is the default value for that property)

Regent
I understand how I can make this current set of behaviors work for me, by tweaking some things. I'm really just trying to find someone to confirm/deny an undocumented change in ASP.NET from 3.5 to 4. Let's talk about generic pages other than a login.aspx. 4.0 behavior seems to be: given a site that globally disallows anonymous access via `<deny users="?"/>` but ALLOWS anon access to certain resources using `<location>` tags... Then you cannot set an anon-accessible IIS default document, because it will still redirect you to a forms auth login page.
James Koch
@James Koch: Sorry, I don't know anything specific about related changes in .NET 4. But if you want your default page to be accessible to anonymous users, why don't you just allow it via a `<location>` tag?
Regent
@Regent: Both my "signup" and "login" pages *are* allowed via `<location>` tags. However, an unauthenticated user cannot access either using the default document URL; they are redirected as if the resource were protected. In the particular case of login being the default doc, they're redirected back to the login, which doesn't seem like an issue, until you realize that it also tacks on a "ReturnUrl=/", so guess where you end up after you log in?... Right back at the login. Again, quite fixable, but different from 3.5.
James Koch