user1790300

Reputation: 1745

Application_AuthenticateRequest infinite loop

I recently added Forms-based Authentication to an MVC 3 project. There seems to be a problem between my Application_AuthenticateRequest function (Global.asax.cs file) and my settings for my Web.Config file, because my Application_AuthenticateRequest function seems to get called infinitely. How can I change my configurations for this to work properly, and how can I allow a user access to both the login page and the default page, while still denying access to the other pages?

    // Global.asax.cs
    using System;
    using System.Threading;
    using System.Web;
    using System.Web.Security;

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Extract the forms authentication cookie
        string cookieName = FormsAuthentication.FormsCookieName;
        HttpCookie authCookie = Context.Request.Cookies[cookieName];

        if (null == authCookie)
        {
            // There is no authentication cookie.
            return;
        }

        FormsAuthenticationTicket authTicket = null;
        try
        {
            authTicket = FormsAuthentication.Decrypt(authCookie.Value);
        }
        catch (Exception ex)
        {
            // Log exception details (omitted for simplicity)
            return;
        }

        if (null == authTicket)
        {
            // Cookie failed to decrypt.
            return;
        }

        string[] roles = authTicket.UserData.Split('|');

        // Create an Identity object
        FormsIdentity id = new FormsIdentity(authTicket);

        // This principal will flow throughout the request.
        UserPrincipal principal = new UserPrincipal(id, roles);
        // Attach the new principal object to the current HttpContext object
        Context.User = principal;
        Thread.CurrentPrincipal = principal;
    }

    <!-- Web.config -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn"
             protection="All"
             cookieless="UseCookies"
             slidingExpiration="false"
             timeout="30" />
    </authentication>

    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

Upvotes: 2

Views: 4123

Answers (2)

technicallyjosh

Reputation: 3531

Per the comments on Rob's answer...

"So technically, I need all pages blocked except for default, login and registration pages."

You can add the AuthorizeAttribute to the GlobalFilterCollection, which is a collection of filters that get applied to all actions on controllers. Then, on your controllers or actions, you can add [AllowAnonymous] to the specific ones you want anyone to access. See below for an example.

Create a file called FilterConfig.cs in the App_Start folder.

If this exists already, just add the line: filters.Add(new AuthorizeAttribute());

    using System.Web.Mvc;

    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
            // Require authorization on every controller and action by default.
            filters.Add(new AuthorizeAttribute());
        }
    }

This will require every Controller and Action to use Authorization by default.

You can make a Controller or Action not authorized by adding the following to your Action or Controller like so.

    // Opt the whole controller out of the global authorization filter.
    [AllowAnonymous]
    public class MyController : Controller
    {
        public ActionResult MyAction()
        {
            return View();
        }
    }

All actions in that controller will be available.

OR

    public class MyController : Controller
    {
        // Opt only this action out of the global authorization filter.
        [AllowAnonymous]
        public ActionResult MyAction()
        {
            return View();
        }
    }

Only that action on the controller will be available.

Upvotes: 4
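
For the MVC 3 project in the question, where the built-in [AllowAnonymous] attribute (introduced in MVC 4) is not available, the same default-deny pattern can be built with a custom filter. This is an added example, not code from the answer or from ASP.NET MVC itself; `AllowAnonymousAccessAttribute`, `GlobalAuthorizeAttribute` and the sample `AccountController` are hypothetical names.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical marker attribute: put it on controllers or actions that
// anonymous users may reach (login, registration, default page).
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class AllowAnonymousAccessAttribute : Attribute { }

// Hypothetical global filter: behaves like [Authorize] on every action
// except those carrying the marker above.
public sealed class GlobalAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        Type marker = typeof(AllowAnonymousAccessAttribute);
        bool skip =
            filterContext.ActionDescriptor.IsDefined(marker, true) ||
            filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(marker, true);
        if (skip)
        {
            return; // explicitly opted out, no authentication required
        }

        // Default AuthorizeAttribute behaviour: an unauthenticated request gets
        // a 401, which forms authentication turns into a redirect to loginUrl.
        base.OnAuthorization(filterContext);
    }
}

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new GlobalAuthorizeAttribute());
    }
}

public class AccountController : Controller // constructed sample controller
{
    [AllowAnonymousAccess] // the login page must stay reachable
    public ActionResult LogOn() { return View(); }
}
```

The action behind `loginUrl` has to carry the marker: if it does not, the redirect to the login page is itself rejected and redirected again.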

Rob

Reputation: 5588

This will be called for every request, not just when the user logs in for the first time.

You can use the [Authorize] attribute to limit access to certain controllers or even methods.

I'd suggest looking through some tutorials or the documents to understand how authentication works in MVC:

http://msdn.microsoft.com/en-us/library/ff398049(v=vs.98).aspx

Upvotes: 1
