Blog on software engineering
Simplest way to add forms authentication to your Web.config in ASP.NET, when using AspNetSqlMembershipProvider


Suppose you have a website that contains a Login.aspx and a Default.aspx page in the root.

The simplest way to deny all unauthenticated users access to the website is to add the following to your Web.config:

<system.web>
  <authentication mode="Forms">
    <!-- requireSSL="false" lets the authentication cookie travel over plain HTTP. -->
    <!-- cookieless="UseDeviceProfile" puts the ticket in the URL for browsers whose profile reports no cookie support. -->
    <forms loginUrl="Login.aspx"
           protection="All"
           timeout="30"
           name=".ASPXAUTH"
           path="/"
           requireSSL="false"
           slidingExpiration="true"
           defaultUrl="Default.aspx"
           cookieless="UseDeviceProfile"
           enableCrossAppRedirects="false" />
  </authentication>
  <authorization>
    <!-- "?" matches anonymous (unauthenticated) users. -->
    <deny users="?" />
  </authorization>
  <membership>
    <providers>
      <clear />
      <add name="AspNetSqlMembershipProvider"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="ApplicationServices"
           enablePasswordRetrieval="false"
           enablePasswordReset="true"
           requiresQuestionAndAnswer="false"
           requiresUniqueEmail="false"
           maxInvalidPasswordAttempts="5"
           minRequiredPasswordLength="6"
           minRequiredNonalphanumericCharacters="0"
           passwordAttemptWindow="10"
           applicationName="/" />
    </providers>
  </membership>
</system.web>

 

This ensures that unauthenticated users can only access Login.aspx and no other resources, except the resources needed by Login.aspx. So if Login.aspx uses /Images/Logo.png, this image will show on Login.aspx. If an unauthenticated user accesses the image directly, the user is redirected back to the Login.aspx page.
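A variant of the configuration above with the two cookie settings tightened and anonymous access to the login page's image folder stated explicitly. This is an added example, not part of the original post; it assumes the site is served over HTTPS and that the login page's assets live in the /Images folder used in the text. The membership section is unchanged and omitted here.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL="true": the ticket cookie is marked Secure and only sent over HTTPS. -->
      <!-- cookieless="UseCookies": the ticket is always carried in a cookie, never in the URL. -->
      <forms loginUrl="Login.aspx"
             protection="All"
             timeout="30"
             name=".ASPXAUTH"
             path="/"
             requireSSL="true"
             slidingExpiration="true"
             defaultUrl="Default.aspx"
             cookieless="UseCookies"
             enableCrossAppRedirects="false" />
    </authentication>
    <authorization>
      <!-- Site-wide default: anonymous users are denied. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Explicit exception: anyone may request files under /Images
       (assumed here to hold only the login page's public assets). -->
  <location path="Images">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Keep anything that should stay private out of the folder named in the location element, since the allow rule applies to everything beneath it.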
