How to disable forms authentication

Question

I have a folder in my web site for which I secured with forms-based authentication. I now have to develop two new pages in that folder and I want to turn security off while I test and debug the new forms. I have changed the authentication mode in the web site's web.config file to mode="None" and I have removed the web.config file from the secured folder. I have deleted all the cookies in my browser, but when I go to load a page from this folder, I still am re-routed to the login page.

How do I temporarily disable forms authentication in a web site?

9/25/2009 - I have set forms authentication = "None" in the root web.config file. I have removed the web.config files from the two sub-folders where forms authentication had been implemented. I cleared the cache and deleted the cookies. Still I am asked to login to view a page in the folder. I navigated to the page on a machine that had never been there before and was asked to login there. This is being cached somewhere in the web site on the server that won't let go.

Answer 1

This is an extremely old post but I just had a similar issue and wanted to share my solution.

IIS Manager -> Authentication:

Ensure 'Forms Authentication', 'Windows Authentication', etc. are set to 'Disabled'

Set 'Anonymous Authentication' to 'Enabled'

This will allow the client to passthrough to the application's authentication methods defined in your code.

Answer 2

I wanted to be able to disable authentication throughout the app while debugging so I did the following:

1) Created this class.

namespace System.Web.Mvc
{
    public class SwitchableAuthorizeAttribute : AuthorizeAttribute
    {
        public static bool Enabled = true;

        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            if (Enabled)
            {
                base.OnAuthorization(filterContext);
            }
        }
    }
}

2) Replaced the [Authorize] attribute with [SwitchableAuthorize] throughout the application.

3) Turned authorization off when desired. For example, I added the following to App_Start/AuthConfig.cs:

public static class AuthConfig
{
    public static void RegisterAuth()
    {
        #if DEBUG
        SwitchableAuthorizeAttribute = false;
        #endif

        ...           
    }
}

You may have conditions other than DEBUG. This approach will allow you to programmatically turn authorization on/off at any time.

If your pages require logged in User information, this method could be enhanced by performing some bogus login rather than simply skipping base.OnAuthorization().

Answer 3

try removing mode="XXXX" from authentication node and also comment authorization node

Answer 4

You may have a page (or a base class, or a master page) that is calling FormsAuthentication.RedirectToLoginPage();

Answer 5

I've had this problem before - this may not pertain to you, but I'll mention that it was an in-memory cookie that caused my authentication form to keep coming up. I found out by trying a different browser, that is, FF, Chrome, instead of IE.

Answer 6

Try adding the information below to your web.config. This will remove the items in the path from the authorization required.

<location path="XXXXXXXXX">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

Answer 7

You can use the location tag in the web.config for that secured directory to overidde security for those pages:

 <location path="secureddir/newform.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

http://msdn.microsoft.com/en-us/library/b6x6shw7.aspx

Answer 8

turning the authenticode to none should do it. there must be something you're missing, are you sure you're browsing the deployed code that you updated?