Hi all,

I've got an asp.net app that uses forms authentication that denies anonymous users. It's working fine if I access the server directly, however if I access it via a reverse proxy it does not seem to work so well.

What happens is the reverse proxy sends you to the default page, then gets redirected to the login.aspx page because I'm not logged in, which is all fine and proves that the proxy setup is fine. But it cannot render the login.aspx, giving a 302 (redirect) response.

I'm guessing that somehow asp.net has a way of giving the login.aspx special permissions so that you do not need to be logged in to access it, unlike the rest of a site. I'm further guessing that this logic is failing when accessing it through the reverse proxy, somehow it is thinking 'you're not allowed to see login.aspx because you're not logged in'. However this is just a guess...

Anyway, can someone lend a hand? Thanks a lot in advance.

+1  A: 
  • use fiddler/wireshark/whatever if possible to see what's actually going on over the wire
  • the page that gets 'special treatment' by default is determined by the loginUrl specified in your web.config -> system.web -> authentication -> forms loginUrl - for instance, something like:
  • you can disable the auth requirement on specific paths via your web.config:

<location path="js">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

A common problem I see happen (and this may be what you're hitting) is that the Login page skips the auth check fine, but things the Login page refers to (images, javascript files, etc) do not, so those requests end up with the 302 back to Login. If that's your case, too, then just add location paths (like the above) sufficient to 'unprotect' whatever your Login page needs access to for displaying properly.

James Manning
Thanks for mentioning wireshark... it helped find the issue.
Chris
Eventually discovered the problem was that /myapp/default.aspx was redirecting to /MyApp/Login.aspx, and the reverse proxy was case sensitive so it got confused with the 'MyApp'.
Chris
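
A way to check a capture for the failure modes discussed in this thread, as an added example that is not part of the original posts: it flags redirects whose target differs from the proxied path only by letter case, a login page that is itself redirected to login, and static resources bounced to login. The `/myapp` prefix and `Login.aspx` come from the last comment; the `js` path, the extension list and the capture tuples are constructed assumptions.

```python
from urllib.parse import urlsplit

PROXY_PREFIX = "/myapp"      # path the proxy rule matches case-sensitively (assumed)
LOGIN_PAGE = "login.aspx"    # file name of the forms loginUrl (assumed)
STATIC_EXT = (".js", ".css", ".png", ".gif", ".jpg")
REDIRECTS = (301, 302, 303, 307, 308)

# Constructed capture: (request path, status, Location header) as seen at the proxy.
CAPTURE = [
    ("/myapp/default.aspx", 302,
     "/MyApp/Login.aspx?ReturnUrl=%2fmyapp%2fdefault.aspx"),
    ("/MyApp/Login.aspx?ReturnUrl=%2fmyapp%2fdefault.aspx", 302,
     "/MyApp/Login.aspx?ReturnUrl=%2fMyApp%2fLogin.aspx"),
    ("/myapp/js/site.js", 302,
     "/myapp/Login.aspx?ReturnUrl=%2fmyapp%2fjs%2fsite.js"),
    ("/myapp/Login.aspx", 200, None),
]

def classify(request_path, status, location):
    """Return the findings for one request/response pair."""
    findings = []
    if status not in REDIRECTS or not location:
        return findings
    req = urlsplit(request_path).path
    target = urlsplit(location).path
    # Redirect target matches the proxied prefix only when case is ignored.
    if (not target.startswith(PROXY_PREFIX + "/")
            and target.lower().startswith(PROXY_PREFIX.lower() + "/")):
        findings.append("case-mismatch")
    to_login = target.lower().endswith("/" + LOGIN_PAGE)
    # The login page itself gets a redirect to login: the symptom in the question.
    if to_login and req.lower().endswith("/" + LOGIN_PAGE):
        findings.append("login-redirects-to-login")
    # A resource the login page needs is still behind the auth check.
    if to_login and req.lower().endswith(STATIC_EXT):
        findings.append("static-resource-protected")
    return findings

def audit(capture):
    """Map each problematic request path to its findings."""
    report = {}
    for path, status, location in capture:
        findings = classify(path, status, location)
        if findings:
            report[path] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit(CAPTURE).items():
        print(path, "->", ", ".join(findings))
```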