0

I started with a default WebForms project with Individual Accounts. I have a bunch of content that I've built with database connections. I want to restrict all content to authenticated users, with the exception of Default.aspx.

I have successfully established the Identity table structures in my SQL database and can "register" new users. This all works fine. However, when I add the authentication setup to the web.config (see below), it all breaks.

<system.web>
    <authentication mode="Forms">
        <forms name=".FormsAuth" loginUrl="Login.aspx" protection="All" slidingExpiration="false" requireSSL="false" />
    </authentication>

    <authorization>
        <deny users="?"/>
    </authorization>
</system.web>
<location path="Default.aspx">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location>

I would expect this to allow me to view my Default.aspx page and redirect if I moved off of it. Instead it attempts to redirect to \account\login and fails with this message.

HTTP Error 404.15 - Not Found The request filtering module is configured to deny a request where the query string is too long.

The ReturnURL is huge and seems to repeat itself. I've tried looking around for a start from scratch example but have not found one that works. This should be simple.

http://localhost:58573/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl%253D%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252FAccount%25252525252FLogin%25252525253FReturnUrl%25252525253D%2525252525252FAccount%2525252525252FLogin%2525252525253FReturnUrl%2525252525253D%252525252525252FAccount%252525252525252FLogin%252525252525253FReturnUrl%252525252525253D%25252525252525252FAccount%25252525252525252FLogin%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FAccount%2525252525252525252FLogin%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FAccount%252525252525252525252FLogin%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FAccount%25252525252525252525252FLogin%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FAccount%2525252525252525252525252FLogin%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FAccount%252525252525252525252525252FLogin%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FAccount%25252525252525252525252525252FLogin%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FAccount%2525252525252525252525252525252FLogin%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FAccount%252525252525252525252525252525252FLogin%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252FAccount%25252525252525252525252525252525252FLogin%25252525252525252525252525252525253FReturnUrl%25252525252525252525252525252525253D%2525252525252525252525252525252525252FAccount%2525252525252525252525252525252525252FLogin%2525252525252525252525252525252525253FReturn
Url%2525252525252525252525252525252525253D%252525252525252525252525252525252525252FDefault

mham99
  • 21
  • 8
  • Seems like you have one `` extra in code you provided. If those are the lines you added, maybe you're closing some existing `` tag too soon – Misa Lazovic Nov 21 '15 at 14:54
  • Thanks - and sorry. That was not actually in my project. I took it out of the example. Based on your comment I tried moving the auth and location tags around - into the main system.web section but I still have the same issue. – mham99 Nov 21 '15 at 16:11
  • Most probably a duplicate of http://stackoverflow.com/questions/5009565/asp-net-mvc3-and-windows-auth-on-iis-keeps-redirecting-to-account-login – Wiktor Zychla Nov 21 '15 at 16:24
  • Thanks - I am using forms not MVC. I did take a look and those .dlls were not in my bin folder. – mham99 Nov 21 '15 at 16:49
  • On second thought, it is behaving like the symptom in the suggested article. If I change my loginURL to something else, it ignores the new page name and still redirects to /Account/Login? with that long querystring... – mham99 Nov 21 '15 at 17:16

2 Answers

0

I figured this out. I had to remove the general "deny all anonymous" statement from web.config:

 <!--<authorization>
        <deny users="?"/>
      </authorization>-->

...which I was trying to use to restrict ALL but the login page. I moved all of my content into a few subfolders then called them out with the location tags and the same deny users statement.

<location path="System">
    <system.web>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>
<location path="Reports">
    <system.web>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>

At this point it seems to be working "properly" and now redirects users to login.aspx if not authenticated.

mham99
  • 21
  • 8
0

The \account\login.aspx was denied because of the web.config. ...

<authorization>
    <deny users="?"/>
</authorization>

When you redirect to the login page, because anonymous access is forbidden, you are redirected to the login page again, resulting in recursion. You can create a web.config in the Account folder. The content is like this:

<configuration>
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</configuration>
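
Added example (not part of either answer or of the original project): a simplified Python model of ASP.NET URL authorization that shows why the question's config leaves /Account/Login closed to anonymous users, and how each bounce re-encodes ReturnUrl until it passes 2048 bytes, the IIS default maxQueryString behind the 404.15. The helper names, the `FIXED` variant with a `<location path="Account">` allow rule, and the simplified matching (no `roles` or `verbs`) are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

ALLOW = '<system.web><authorization><allow users="*"/></authorization></system.web>'
DENY = '<system.web><authorization><deny users="?"/></authorization></system.web>'
# Constructed configs: the question's layout, and the same with the Account folder opened up.
QUESTION = f'<configuration>{DENY}<location path="Default.aspx">{ALLOW}</location></configuration>'
FIXED = QUESTION.replace("</configuration>",
                         f'<location path="Account">{ALLOW}</location></configuration>')

def rules(node):
    """(verb, users) pairs from node's system.web/authorization, in document order."""
    auth = node.find("system.web/authorization")
    return [] if auth is None else [(r.tag, r.get("users", "")) for r in auth]

def anonymous_allowed(config_xml, url_path):
    """Simplified URL authorization: the first rule naming '?' or '*' decides.

    Rules under the most specific matching <location> are checked first, then the
    site-level rules, then the machine-level default <allow users="*"/>.
    Assumption: roles= and verbs= attributes are ignored.
    """
    root, path = ET.fromstring(config_xml), url_path.strip("/").lower()
    def covers(loc):
        p = loc.get("path", "").strip("/").lower()
        return path == p or path.startswith(p + "/")
    locs = sorted(filter(covers, root.findall("location")),
                  key=lambda l: len(l.get("path", "")), reverse=True)
    chain = [r for l in locs for r in rules(l)] + rules(root) + [("allow", "*")]
    for verb, users in chain:
        if {u.strip() for u in users.split(",")} & {"?", "*"}:
            return verb == "allow"

def bounces_until_rejected(login_path, first_request, max_query=2048):
    """Count redirects before the query string exceeds IIS's default maxQueryString."""
    url, n = first_request, 0
    while len(url.partition("?")[2]) <= max_query:
        # Each bounce percent-encodes the previous URL again, so '%' becomes '%25'.
        url = f"{login_path}?ReturnUrl={quote(url, safe='')}"
        n += 1
    return n

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION), ("fixed", FIXED)):
        print(name, {p: anonymous_allowed(cfg, p) for p in ("/Default.aspx", "/Account/Login")})
    print("bounces before 404.15:", bounces_until_rejected("/Account/Login", "/Default"))
```

Running the same check against a real web.config before deployment catches a login page that the site-level deny rule still covers.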