Reputation: 2211
Like the title states - I have a web.config file that looks like,
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <authentication mode="Forms">
      <forms name="login" protection="All" timeout="30" loginUrl="login" defaultUrl="~/">
        <credentials passwordFormat="Clear">
          <user name="admin" password="password" />
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
I want to do exactly what it says it should do... I want to deny all users who try to enter the site.
It works; however, it redirects to an "Account/Login?ReturnUrl=%2flogin" URL I have never heard of...
Is there a place I can change this?
Upvotes: 3
Views: 2657
Reputation: 1742
I've seen this problem before. No doubt you're also getting this error:
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.
And you're being redirected to "/Account/Login" which doesn't even exist. I believe it's some kind of default that gets pulled in due to using MVC components even if you're using an ASP.NET Forms website. Perhaps you have some Razor pages and the following was added to your web.config:
<appSettings>
  <add key="webpages:Enabled" value="true" />
</appSettings>
Having this in there seems to be enough to mess up your login page as defined normally:
<authentication mode="Forms">
  <forms loginUrl="login" timeout="43200"/>
</authentication>
I've solved this by adding an extra "loginUrl" key to appSettings:
<appSettings>
  <add key="webpages:Enabled" value="true" />
  <add key="loginUrl" value="~/Login.aspx" /><!-- Override default -->
</appSettings>
Upvotes: 2
Reputation: 39453
The loginUrl param does not have an absolute path, so the path gets mixed with the relative folder the website is in.
Solution:
loginUrl="~/login"
or
loginUrl="/login"
Upvotes: 1
Reputation: 16680
The LoginUrl is created with the code UrlPath.Combine(HttpRuntime.AppDomainAppVirtualPathString, loginUrl); so I'm guessing somehow the root of your website is set to "Application".
http://www.ureader.com/msg/15372322.aspx
Upvotes: 0
Reputation: 9712
The problem is
loginUrl="login"
This is the URL to send unauthenticated users to. If the URL to your login page is "Login.aspx" then that's what you should set it to.
loginUrl="login.aspx"
The piece at the end, ReturnUrl, is the address to redirect the user to if they successfully log in.
Upvotes: 0
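Added example (not code from any poster in this thread): a Python check that reads a web.config and reports the two conditions the answers above blame for the unexpected redirect, a loginUrl that is neither app-relative nor rooted and a webpages:Enabled entry with no loginUrl key in appSettings, then applies both suggested changes. The finding names, the function names, the sample config and the "~/login" value are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's forms settings plus the appSettings
# entry that one of the answers suspects is present.
SAMPLE = """<configuration>
  <appSettings>
    <add key="webpages:Enabled" value="true" />
  </appSettings>
  <system.web>
    <authentication mode="Forms">
      <forms name="login" protection="All" timeout="30" loginUrl="login" defaultUrl="~/" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>"""

def audit(config_xml):
    """Return finding codes (hypothetical names) for the login redirect setup."""
    root = ET.fromstring(config_xml)
    settings = {a.get("key"): a.get("value") for a in root.findall("appSettings/add")}
    forms = root.find("system.web/authentication[@mode='Forms']/forms")
    if forms is None:
        return ["forms-auth-not-configured"]
    findings = []
    # A bare "login" is combined with the application's virtual path.
    if not forms.get("loginUrl", "").startswith(("~/", "/")):
        findings.append("relative-loginUrl")
    # webpages:Enabled without a loginUrl key in appSettings.
    if settings.get("webpages:Enabled", "").lower() == "true" and "loginUrl" not in settings:
        findings.append("webpages-without-loginUrl-override")
    # The question's intent: anonymous users ("?") must be denied.
    if not any(d.get("users") == "?" for d in root.findall("system.web/authorization/deny")):
        findings.append("anonymous-not-denied")
    return findings

def apply_fixes(config_xml, login_page="~/login"):
    """Apply both suggested changes; assumes Forms auth is already configured."""
    root = ET.fromstring(config_xml)
    forms = root.find("system.web/authentication[@mode='Forms']/forms")
    forms.set("loginUrl", login_page)
    app = root.find("appSettings")
    if app is None:
        app = ET.Element("appSettings")
        root.insert(0, app)
    if not any(a.get("key") == "loginUrl" for a in app.findall("add")):
        ET.SubElement(app, "add", {"key": "loginUrl", "value": login_page})
    return ET.tostring(root, encoding="unicode")
```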