Tuesday, February 22, 2011

Common mistake in ASP.NET Forms Authentication

We are all used to this now...


<configuration>
    <system.web>
        <authentication mode="Forms">
        </authentication>
    </system.web>
</configuration>


In ASP.NET Forms authentication, you can allow or deny access to particular users with the allow and deny tags. Likewise, you can allow or deny access to particular roles.
For example, to allow access to a page, say Customer, you would write:


<location path="Customer">
    <system.web>
        <authorization>
            <!-- Allow users in Customers role -->
            <allow roles="Customers"/>
            <!-- Deny all other users -->
            <deny users="*"/>
        </authorization>
    </system.web>
</location>



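A common mistake is to place <deny ../> before <allow ../>. ASP.NET checks the authorization rules in the order they are written and applies the first one that matches, so a deny for all users placed first rejects everyone before the allow rule is reached.

The web.config below will not let users in, even if they are in the Customers role: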


<location path="Customer">
    <system.web>
        <authorization>
            <!-- Deny all users: evaluated first, so it matches everyone -->
            <deny users="*"/>
            <!-- Allow users in Customers role: never reached -->
            <allow roles="Customers"/>
        </authorization>
    </system.web>
</location>
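
The ordering rule can also be checked mechanically. The Python script below is an added example, not code from the original post: it models the top-down, first-match evaluation of allow/deny rules and flags any <allow> placed after a <deny users="*"/>. It ignores the verbs attribute during evaluation and any rules inherited from parent configuration (a simplification), and the sample XML is constructed from the two blocks above, with the second path renamed to the hypothetical CustomerBroken.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's two orderings; "CustomerBroken" is a hypothetical path.
SAMPLE = """<configuration>
  <location path="Customer"><system.web><authorization>
    <allow roles="Customers"/>
    <deny users="*"/>
  </authorization></system.web></location>
  <location path="CustomerBroken"><system.web><authorization>
    <deny users="*"/>
    <allow roles="Customers"/>
  </authorization></system.web></location>
</configuration>"""

def _names(value):
    # Comma-separated attribute to a set; case-insensitive matching is an assumption here.
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}

def _matches(rule, user, roles):
    users = _names(rule.get("users"))
    named = user is not None and user.lower() in users
    anon = user is None and "?" in users  # "?" means anonymous users
    in_role = bool(_names(rule.get("roles")) & {r.lower() for r in roles})
    return "*" in users or named or anon or in_role

def load(xml_text):
    """Map each <location path> to its ordered allow/deny elements."""
    return {loc.get("path"): [r for a in loc.iter("authorization") for r in a]
            for loc in ET.fromstring(xml_text).iter("location")}

def is_allowed(rules, user, roles=()):
    """Walk the rules top-down; the first rule that matches decides."""
    for rule in rules:
        if _matches(rule, user, roles):
            return rule.tag == "allow"
    return True  # no rule matched: simplified to ASP.NET's default of allowing all users

def unreachable_allows(rules):
    """<allow> rules that can never fire because <deny users="*"/> precedes them."""
    dead, deny_all_seen = [], False
    for rule in rules:
        if rule.tag == "deny" and "*" in _names(rule.get("users")) and not rule.get("verbs"):
            deny_all_seen = True
        elif rule.tag == "allow" and deny_all_seen:
            dead.append(dict(rule.attrib))
    return dead

if __name__ == "__main__":
    for path, rules in load(SAMPLE).items():
        print(path, is_allowed(rules, "alice", ["Customers"]), unreachable_allows(rules))
```

Running unreachable_allows over every location block in a site's web.config files is a quick review step before deployment; any non-empty result means an allow rule is dead.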

3 comments:

Julius A said...

Some interesting stuff on Forms Authentication here:
http://aspalliance.com/2045_Creating_a_Login_Overlay.all
