Monday, March 12, 2007

ASP.NET Forms Authentication strange behaviors

After I got ASP.NET Forms Authentication up and running on the web application I'm developing, I started having a few problems -- it took me a while to figure out that they were caused by having Forms Authentication enabled.

The first issue I had was that the site would redirect to login.aspx like it was supposed to, but the login.aspx page would be missing all of the style information from our CSS style sheet. I looked in the Firefox error console (Firefox Web Developer Extension) and noticed an entry about the site being unable to grab the style sheet because it was the wrong MIME type: it was text/html, when it expected CSS files to be text/css. After banging my head against the MIME type error message for a while, I had the idea that maybe the type was text/html because it was getting a 404 response when asking for the style sheet. Sure enough, it wasn't too long then before I figured out that Forms Authentication and my Web.config settings were preventing unauthorized users from grabbing my style sheet. Solution - made a second Web.config and placed it in my App_Themes directory where my style sheet lives.

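<configuration>
  <system.web>
    <authorization>
      <!-- Allow all users, including anonymous ones, to read this directory -->
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>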

The solution to my next problem was now pretty obvious. Any JavaScript file I embedded in my login.aspx page would return a syntax error on line 2 or line 3. It even did this if the .js file was completely empty! I quickly realized it was the same problem, just a very different symptom. Solution - place another Web.config in your "scripts" directory, or make a "public_scripts" directory if you need to protect some scripts from unauthorized users and place your Web.config there.

4 comments:

Mmmmagic said...

You could also use <location> sections in your root web.config to set access permissions for subdirectories.

i.e.:

<!-- Allow all users to view the images directory -->
<location path="Images" allowOverride="false">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

This way, your access permissions are all in one place.

Adam Nofsinger said...

Yes, that is actually the way I do it now too, Mmmmagic. Thanks for updating my article!

I like keeping all of the permissions in one place. Especially once you start getting into having a site map and role-based permissions.
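
Once all of the exceptions live in the root Web.config as <location> sections, it is easy to review exactly which paths anonymous users can reach. The following is an added example, not code from the original post or its comments: it evaluates the first-match authorization rules for an anonymous request. The sample config is constructed, and the "Admin" path and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample root Web.config (not from the post): anonymous users are
# denied site-wide, with <location> exceptions for two static directories.
SAMPLE_CONFIG = """\
<configuration>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="login.aspx" /></authentication>
    <authorization><deny users="?" /></authorization>
  </system.web>
  <location path="App_Themes" allowOverride="false">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <location path="scripts" allowOverride="false">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
  <location path="Admin">
    <system.web><authorization><deny users="*" /></authorization></system.web>
  </location>
</configuration>
"""

def _rules(node):
    """Return [(verb, users), ...] from the <authorization> block under node."""
    authz = node.find("system.web/authorization")
    if authz is None:
        return []
    return [(r.tag, {u.strip() for u in r.get("users", "").split(",")})
            for r in authz if r.tag in ("allow", "deny")]

def anonymous_access(config_xml):
    """Map each path ('' is the site root) to True if anonymous requests pass.

    URL authorization is first-match: the <location> rules are checked first,
    then the root rules, then the machine-level default <allow users="*"/>.
    An anonymous user matches "?" and "*"; roles and verbs are ignored here.
    """
    root = ET.fromstring(config_xml)
    root_rules = _rules(root) + [("allow", {"*"})]
    scopes = {"": root_rules}
    for loc in root.findall("location"):
        scopes[loc.get("path", "")] = _rules(loc) + root_rules
    return {path: next(v for v, users in rules if users & {"?", "*"}) == "allow"
            for path, rules in scopes.items()}

if __name__ == "__main__":
    for path, ok in anonymous_access(SAMPLE_CONFIG).items():
        print(f"{path or '(site root)'}: {'anonymous allowed' if ok else 'login required'}")
```

Every path reported as anonymous-allowed is served without a login, so only files that are meant to be public belong in those directories.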
