Channel: Security

Accessing and Downloading Files on another Server


I have a website (IIS6) that provides a download link to download files that are located on another server. Both machines are in the same domain. I've successfully done this before by creating a domain IUSR_Machine that impersonates the webserver's IUSR_Machine account and gave appropriate permissions to the folder on the other server; however, there are several other accounts that need permission too and I don't remember which ones. If I give Everyone read permissions I can access these files without any issue. I just don't want to give Everyone read permissions. Any idea as to which other accounts need permissions on that shared folder?

TIA


Forms Authentication doesn't authenticate valid login


Hi,

I have a website that uses Forms Authentication to secure the ~/Members/ folder. Nobody should be able to access this folder unless they log in.

This works fine on my development system, but after uploading it to a test server and setting up the website on IIS, the Forms Authentication fails. The login is successful, but asp.net redirects me back to the login screen with the ReturnUrl value in the address bar. Login attempts that follow also fail in the same way.

My setup's a little more complex than I'm used to for forum posts, but I'll try to sum up.

Login.aspx.cs

protected void Page_Load(object sender, EventArgs e)
{
	// handle log out
	if (!String.IsNullOrEmpty(Request.Params["action"]) && Request.Params["action"] == "logout")
	{
		Session.Clear();
		FormsAuthentication.SignOut();
		FormsAuthentication.RedirectToLoginPage();
	}
}

protected void btnLogin_Click(object sender, EventArgs e)
{
	Page.Validate("Login");

	if (!Page.IsValid)
	{
		return;
	}

	processLogin();
}

private void processLogin()
{
	try
	{
		// LoginContext is a class written to handle login
		// procedures and the creation of session variables
		LoginContext log = new LoginContext();
		log.SetUser(txtEmail.Text, txtPassword.Text);

		if (log.DoLogin())
		{
			if (chkCookie.Checked)
			{
				HttpCookie cookie = createPersistantCookie(txtEmail.Text, 7);
				Response.Cookies.Clear();
				Response.Cookies.Add(cookie);
			}

			FormsAuthentication.SetAuthCookie(txtEmail.Text, true);
			FormsAuthentication.RedirectFromLoginPage(txtEmail.Text, true);
			Response.Redirect("~/Members/Default.aspx");
		}
	}
	catch (Exception ex)
	{
		lblerr.Text = ex.ToString();
	}
}

private HttpCookie createPersistantCookie(string Username, int PersistDays = 0)
{
	HttpCookie cookie = new HttpCookie("stman");
	if (PersistDays != 0)
	{
		cookie.Expires = DateTime.Now.AddDays(PersistDays);
	}

	cookie["user"] = Username;

	return cookie;
}

The user supplies an email address and password to log in with. That information is then sent via the LoginContext class to the database. If the database returns a row (the credentials are used in a SELECT command), then the login is successful and the user should be authenticated.

Members/Members.master.cs

protected void OnPreInit(EventArgs e)
{
	base.Init += new EventHandler(Page_Init);
}

protected void Page_Init(object sender, EventArgs e)
{
	if (HttpContext.Current.User.Identity.IsAuthenticated)
	{
		// the user is still authenticated, but the session expired
		// process the login again with the authenticated user data
		// to re-create the session variables
		if (Session["userid"] == null)
		{
			LoginContext log = new LoginContext();
			log.DoLogin(HttpContext.Current.User.Identity.Name);
		}
	}
	else
	{
		FormsAuthentication.SignOut();
		Response.Redirect("~/Login.aspx");
	}
}

protected void Page_Load(object sender, EventArgs e)
{
	if (!IsPostBack)
	{
		// handles some presentation updates specific to the logged in user
	}
}

The Page_Init() method here monitors the user state. If the session has expired, but the user is still authenticated, it should create a new session for the user. If the authentication cookie has expired, the user needs to log in again.

web.config

<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" />
    <authentication mode="Forms">
      <forms name="STMan" loginUrl="~/Login.aspx" path="/Members"
             slidingExpiration="true" timeout="30"></forms>
    </authentication>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?"/>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>

I wrote this XML for the web.config file in a test site to see whether or not I understood the concept correctly. This test site works perfectly with the code above, but the site that I'm working on now doesn't.

To make things clearer (hopefully), here's a link to a zip file I made with the relevant files:
http://www.loganyoung.za.net/stman.zip 

Basically what I need to know is:

 - What would cause Forms Authentication to fail to authenticate (any and all possibilities)?
 - Is there anything I've done wrong in my code?
 - How could I do this better to achieve the results I'm looking for every time (as it seems I have a different problem with the same symptoms every time I do this)?

Thanks in advance for your help!
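An added diagnostic, not part of the original post or the poster's project, that a practitioner could drop into a page under ~/Members/ to see whether the forms ticket actually arrives and decrypts on the test server. It assumes only the `<forms name="STMan" ...>` configuration shown above (the cookie name is read from FormsAuthentication.FormsCookieName); the class name FormsTicketCheck is a hypothetical helper.

```csharp
// Added diagnostic (not the poster's code). Call FormsTicketCheck.Describe(Request)
// from a page under /Members/ and log or display the returned string.
using System;
using System.Web;
using System.Web.Security;

public static class FormsTicketCheck
{
    // Returns a human-readable reason why this request is, or is not, authenticated
    // by the forms ticket. Each early return corresponds to a distinct failure mode.
    public static string Describe(HttpRequest request)
    {
        string cookieName = FormsAuthentication.FormsCookieName; // "STMan" with the config above
        HttpCookie cookie = request.Cookies[cookieName];
        if (cookie == null)
        {
            // The browser never sent the ticket. Cookie paths are matched case-sensitively by
            // browsers, so a <forms path="/Members"> ticket is not sent to /members/...; a
            // requireSSL="true" ticket is not sent over plain http either.
            return "No '" + cookieName + "' cookie on this request; check the <forms path> " +
                   "against the URL casing actually used, and requireSSL against the scheme.";
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex)
        {
            // Typical cause: the ticket was protected with a different <machineKey> than the
            // one validating it (auto-generated keys differ per machine / per app pool recycle).
            return "Cookie present but FormsAuthentication.Decrypt failed: " + ex.GetType().Name;
        }

        if (ticket == null)
        {
            return "Cookie present but decrypted to a null ticket.";
        }
        if (ticket.Expired)
        {
            return "Ticket for '" + ticket.Name + "' expired at " + ticket.Expiration.ToString("o") +
                   " (server clock skew between web servers shows up here).";
        }

        return "Valid ticket for '" + ticket.Name + "', issued " + ticket.IssueDate.ToString("o") +
               ", expires " + ticket.Expiration.ToString("o") +
               ", persistent=" + ticket.IsPersistent + ", cookie path=" + ticket.CookiePath;
    }
}
```

A request that reaches the Members page with a valid ticket but still bounces to Login.aspx points at the authorization rules or a Session-based check rather than at the ticket itself.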

Hide controls such as label or checkbox in CreateUserWizard depending on Role.


Is it possible to hide a label or checkbox inside the CreateUserWizard depending on what the Role is of the Currently logged in user? 

Custom Membership Provider or fully custom login system?


Hello all. I have a dilemma right now. I need to program a highly secure webpage for my company. I have already researched a few topics about this and decided that at least for passwords I will be using BCrypt for maximum and scalable security. Now I have been reading about implementing a custom membership provider or going with a custom login system. I am debating between the two and I am not sure which one is more secure and/or easier to implement, as honestly most CMP guides I've seen online seem a bit overly complex and MVC oriented, while my application is a WebForms application (I don't really need the speed benefits of MVC and I find it slightly obscure). Are there any good, easy to follow guides about CMP for WebForms, or perhaps a totally custom login system?

LoginStatus control not working correctly


Hi,

I have a problem regarding the LoginStatus control in my Homepage. It has 2 status forms, but once I log in through the correct login window as a logged-in user, it shows the correct status, but I can never see its logged-out status image once I log out; it's always directed to the Login Page.

Now I have modified some code and now it's not even redirecting to the login page, but also not changing the status of the button (it should show logged out), and also when I open the pages normally it's showing the username as myname/administrator-pc and I don't think this user exists in aspnetdb.mdf.

Here's the code:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class MasterPage : System.Web.UI.MasterPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            // Session values are objects, so Session["Username"] == "" is a reference
            // comparison that never matches; read it as a string instead.
            string userName = Session["UserName"] as string;
            if (string.IsNullOrEmpty(userName))
            {
                LoginName1.FormatString = "";
                LoginName1.Visible = false;
                HyperLink1.Visible = false;
            }
            else
            {
                LoginName1.FormatString = "You Are Welcome , " + userName;
                LoginName1.Visible = true;   // re-show the control once a user is known
                HyperLink1.Visible = true;
            }

        }
        catch (Exception exp)
        {
            LoginName1.FormatString = "";
            LoginName1.Visible = false;
            HyperLink1.Visible = false;
        }
    }
    protected void LoginStatus1_LoggingOut(object sender, LoginCancelEventArgs e)
    {
        //if (LoginName1.Page.User.Identity.IsAuthenticated)
        //{
        //    LoginName1.FormatString = "You Are Welcome , " + Session["UserName"].ToString();
        //    HyperLink1.Visible = true;
        //}
        // Redirecting here runs before the control has actually signed the user out,
        // which is why the status never changes; LogoutPageUrl on the control already
        // handles the post-logout redirect.
        Response.Redirect("http://localhost:2218/BookStore_Web/Home.aspx");
    }
    protected void LoginStatus1_LoggedOut(object sender, EventArgs e)
    {
        LoginName1.FormatString = "";
        HyperLink1.Visible = false;
    }
}

<form id="form1" runat="server" style="position: static">
        <center>
            <asp:LoginName ID="LoginName1" runat="server" FormatString=""
            style="z-index: 1; left: 895px; top: 173px; position: absolute; height: 22px; width: 289px;"
            Font-Bold="True" Font-Underline="True" ForeColor="#FFFFCC"
            Font-Names="Copperplate Gothic Bold" /></center>
            
           <center>
               <asp:HyperLink ID="HyperLink1" runat="server" Font-Bold="True"
            Font-Underline="True" ForeColor="White"
            style="z-index: 1; left: 728px; top: 173px; position: absolute; height: 21px; width: 147px"
            NavigateUrl="~/Users/ChangePassword.aspx" Visible="False">Change Password</asp:HyperLink></center>
            
            <asp:LoginStatus ID="LoginStatus1" runat="server"
            style="z-index: 1; left: 1220px; top: 149px; position: absolute; height: 50px; width: 53px;"
            LoginImageUrl="~/Images/loginimage.png" LogoutAction="Redirect"
            LogoutImageUrl="~/Images/logout.png"
            LogoutPageUrl="~/Users/MemberLogin.aspx"
            onloggedout="LoginStatus1_LoggedOut" onloggingout="LoginStatus1_LoggingOut" />
    </form>

Remote access to the database


I want to make remote access to a database stored on a different computer through my web page only. If I am browsing my web page and the content of the web page is fetched from a database locally, I want to do the same thing remotely.

customizing login control


I'm using the login control, and it seems very small, so I set its "height" attribute to be 150, which helps, but the heights and fonts in the textboxes seem to be kind of small.  I doubt there is a way to adjust these without using templates, but if there is, it would make my day.

Thanks,

Accessing a directory on a web server that has restricted access, from an external Web site


I am working on a Wordpress page rendered with a template. There is a link on the page to another webpage on an external site (i.e., it is on another domain altogether) and this page requires a login. Access to the directory that contains that page is controlled by a Web config and works only on successful login. The web.config is as follows:

<?xml version="1.0"?>
<!--
Note: As an alternative to hand editing this file you can use the
web admin tool to configure settings for your application. Use
the Website->Asp.Net Configuration option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments usually located in
\Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <authorization>
      <allow roles="Administrator, Client"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>

How do I modify this, or make any other changes in the external site, so that the link on my WordPress page successfully manages to access the external site and I get to see the page without having to log in (like making an exception for a request from my WordPress site, or something along those lines)? I want to do this because the same user would have already logged in to my WordPress site and would otherwise have to log in at this external site again just in order to view the external page. Is this doable?

P.S.: The external website I have mentioned is an ASP.NET based website.


Allowing specific internet explorer versions


I need to allow only Internet Explorer 7, 8 & 9 for my website. Is there any standard way of checking the browser versions?

if (request.Browser.Browser == "IE")
{
    // each supported version compared once (the original compared "7.0" three times)
    return (request.Browser.Version == "7.0" || request.Browser.Version == "8.0" || request.Browser.Version == "9.0");
}
else
{
    return false;
}

The above code is not helping me out. Is there any standard way of handling this?

encrypting all database content


How can I encrypt all the details in my database so they will not be readable?

Difference Between Default Membership and OpenAuth


Hi,

I want to know what the difference is between the ASP.NET default membership provider and OpenAuth membership. I use the default old membership provider.

Also, please provide me links and ways to implement OpenAuth in my Entity Framework Data Model.

thank you

using login control "remember me" feature - one issue:


Suppose I enable the Login control's "remember me" feature. This means that if the session expires, when it is started again the user does not have to log in again. So my idea is that I'll use the global.asax Session_Start event and do the following inside it:

Sub Session_Start(sender As Object, e As EventArgs)
    ' GetUser() with no arguments returns the user for the current authentication ticket
    Dim currentUser As MembershipUser = Membership.GetUser()

    If Not currentUser Is Nothing Then
        ' ....obtain lots of database fields related to this user and store them in session variables
    End If
End Sub

Is that a sensible approach?  And if "remember me" is checked, does the 'GetUser()' method work in Global.asax if the session has expired, but the login-cookie for "remember me" exists?

Thanks,

Gideon

Adding List property to ASP.net MembershipUser object


I have created an ASP.NET MVC4 application with the Internet application template, and want to add a List<T> property to the MembershipUser object provided by ASP.NET built-in authentication.

This List property will be a list of StockPermission objects:

public class StockPermission
{ 
   private Stock stock; 
   private byte afterSaveAction; 
   private bool allowEditingStockDocs;
   private bool allowChangingUser;
}

Therefore my MembershipUser will contain StockPermission objects which let the MembershipUser perform the defined actions with those Stocks in the List.

That means I want to create a custom MembershipUser which will contain a property like this: List<StockPermission> StockPermissions

Is there a way I can realize it?

How to make sure that same student is appearing for the exam


Examination is one of the critical evaluation mechanisms in the education world. That's why I took up this challenge and I am going to develop this web application on ASP.NET with a back-end SQL Server database, but the major problem is: How to make sure that the same student is appearing for the exam and there is no identity impersonation happening at a remote place?
Someone told me video capturing is the solution, but it is costly. Do you have any idea?

How to secure online exam System


I am developing an MCQ test system using ASP.NET and SQL Server. Everything is fine: the student needs to log in to the test, and I am using his seat number with name and using session.
Now the question is how to make my online test system secure, i.e., prevent cheating, prevent looking at other sites, authenticate students, etc.


Default Application Pool - Access to printers


Hi Everyone,

I have a network printer to which applications on my Windows 2008 Server print. I've found that my applications will stop being able to access the printer, causing applications to hang or crash. To fix this problem I only need to go into the Default Application Pool's settings and change the Identity from Network Service to another Identity and then back to Network Service to be able to print to the printer again. Does anyone know what might be causing the application pool to lose the rights/privileges to print to a printer like that?

Thanks

Windows Authentication, allow anonymous, get current users name


How can I get the user's name before they are authenticated using Windows authentication with anonymous authentication enabled? I want to see who the user is before I try to authenticate them.

web.config:

<authentication mode="Windows" />
<authorization>
  <allow users="?" />
</authorization>

[Authorize]
public ViewResult Index(string departmentURL)
{
    var logger = LogManager.GetLogger("CompanyNews");
    logger.Trace("index :" + System.Environment.UserName);                                     // process account
    logger.Trace("index :" + System.Security.Principal.WindowsIdentity.GetCurrent().Name);      // thread's Windows identity
    logger.Trace("index :" + System.Threading.Thread.CurrentPrincipal.Identity.Name);           // request principal
    logger.Trace("index :" + User.Identity.Name);                                               // controller's User
    logger.Trace("end");
    return View();
}

//results authenticated
07/22/2013 12:17:42: index :ServiceAccount
07/22/2013 12:17:42: index :DOMAIN\ServiceAccount
07/22/2013 12:17:42: index :DOMAIN\UserName
07/22/2013 12:17:42: index :DOMAIN\UserName

[AllowAnonymous]
public ViewResult Index(string departmentURL)
{
    var logger = LogManager.GetLogger("CompanyNews");
    logger.Trace("index :" + System.Environment.UserName);
    logger.Trace("index :" + System.Security.Principal.WindowsIdentity.GetCurrent().Name);
    logger.Trace("index :" + System.Threading.Thread.CurrentPrincipal.Identity.Name);
    logger.Trace("index :" + User.Identity.Name);

    logger.Trace("end");
    return View();
}

//results not authenticated
07/22/2013 12:18:09: index :ServiceAccount
07/22/2013 12:18:09: index :DOMAIN\ServiceAccount
07/22/2013 12:18:09: index :
07/22/2013 12:18:09: index :




How to make my website secure?


I have a website where anybody can ask a question online and get an answer from an expert. I would like to say that my website is made with PHP. How can I make my website more secure and spam free?

Block pages to external users


We have an application that we use internally and externally.

Is there a way within the web.config to block certain pages or folders from external browsing?

Could not find a login matching the name provided


I have a classic ASP web analytics site that I wrote to track traffic on my website. In my code I specify the SQL account & password, yet I see the below error in my application log on the SQL server:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Could not find a login matching the name provided. [CLIENT: webserver ip]

How can I fix this?

Background info:

Web server is IIS 7.5 (separate box)
SQL Server 2012 (separate box)
