17

Is there a way to dynamically change the LoginUrl of FormsAuthentication? What I have is the whole site protected by FormsAuth, but for some pages in a sub folder, I'd like to take the user to different login page, and have FormsAuth handle the ReturnUrl stuff. Is that possible or do I have to write my own redirect code for the sub folder cases?

Here's an example layout:

   ~/LogOn1.aspx
   ~/Protected1.aspx
   ~/Protected2.aspx
   ~/Subfolder/
   ~/Subfolder/LogOn2.aspx
   ~/Subfolder/NotProtected.aspx
   ~/Subfolder/Protected3.aspx

So my web.config looks like:

 <forms loginUrl="~/Splash.aspx" ... />

All of the Protected*.aspx pages have 

 <deny users="?">

What I'd like though, is for ~/Subfolder/Protected3.aspx to be redirected to ~/Subfolder/LogOn2.aspx if the user is anonymous.

I did try putting a stripped down version of web.config at ~/Subfolder/web.config:

<?xml version="1.0"?>
<configuration>
   <system.web>
      <authentication mode="Forms">
         <forms loginUrl="~/Subfolder/LogOn.aspx" name="SiteAuth" protection="All" timeout="30" path="/" defaultUrl="~/Subfolder/default.aspx" requireSSL="true" cookieless="UseCookies" enableCrossAppRedirects="false" />
      </authentication>
      <authorization>
         <deny users="?" />
      </authorization>
   </system.web>
</configuration>

But all that gets me is this error:

It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.

I think making the Subfolder dir an application would cause even more problems at this point, but maybe I am wrong. If it was an application, wouldn't that separate all code in ~/Subfolder from the rest of the parent app?

abatishchev
  • 92,232
  • 78
  • 284
  • 421
slolife
  • 18,415
  • 19
  • 75
  • 116
  • When you say dynamically, are you wanting only some pages in the subfolder to redirect to the loginurl at certain times? Or do you want all the pages in a subfolder to redirect to a loginurl all the time? – rahkim Apr 14 '09 at 17:28
  • I have some pages in the subfolder that allow anonymous access, so those don't need to redirect. But pages in the subfolder that have deny="?" I'd like redirected to ~/subfolder/LogOn.aspx, where the rest of the site's protected pages outside of subfolder get redirected to ~/LogOn.aspx. – slolife Apr 14 '09 at 17:55
  • See my latest edit. I put what I think is a fully baked (albeit stripped down) web.config in subfolder. Looks like, based on that codeproject link, that by default, I cannot override the authentication section in subfolders – slolife Apr 14 '09 at 19:08
  • I needed this in an MVC project and found this related question: http://stackoverflow.com/questions/356982/how-to-redirect-to-a-dynamic-login-url-in-asp-net-mvc – Sjoerd Sep 15 '11 at 13:45

3 Answers3

12

The problem you're having is that the Forms element is only allowed at the application level - you can't define it in a sub-web.config.

Unfortunately you also can't define it using a Location element, and the FormsAuthentication.LoginUrl property is read only.

Hunting around a bit, it looks like your best bet would be to have some code on your login page that detects where the user has arrived from (i.e. by checking the value of the "ReturnUrl" query string) and redirecting to your other login page if they are from the subdirectory. However I admit that this doesn't scale well at all if you want custom login pages for multiple sub-directories. :(

In repsonse to your edit - yes, making the sub-folder an application would "solve" this error, but as you point out, you'd then have more problems, as you'd need to move all the relevant binaries, app_code, what have you into that sub-folder as well, so it's not really a solution.

Zhaph - Ben Duguid
  • 25,726
  • 4
  • 75
  • 111
8

I had this problem as well and have just googled here trying to solve it then remembered had done it long ago and what I did was in the default login.aspx page in the root folder in the Page_Load event I did a redirect based on return url to my sub directory manage and its login.aspx page! You'd have to repeat the relevant bit for each sub directory.

public void Page_Load(object sender, EventArgs e)
{
 //check for existence of ReturnUrl in QueryString       
    //if it contains manage redirect to manage login page
    if (!String.IsNullOrEmpty(Request.QueryString["ReturnUrl"]))
    {
        if (Request.QueryString["ReturnUrl"].Contains("manage"))
        {
            Response.Redirect("manage/login.aspx");

        }
    } 
}
ValS
  • 81
  • 1
  • 2
  • Great answer, solved my problem! The only thing I would add is that the web.config would obviously need to allow users to access sub directory login pages so you don't get a recursive redirect between the base login page and the subdirectory login page. – Richard Pursehouse Jan 22 '13 at 12:02
5

Each subfolder allows you to have a separate webconfig file. So you could put a web.config in your subfolder with the tags:

<authentication mode="Forms">
    <forms loginUrl="~/Subfolder/LogOn2.aspx" />
</authentication>
rahkim
  • 821
  • 2
  • 9
  • 17
  • 2
    Error I get when I put the stripped down web.config in subfolder: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS. – slolife Apr 14 '09 at 18:30
  • Oh...I should have been more clear. You should put a regular web.config in the subfolder, just be sure to include the tag for authentication. – rahkim Apr 14 '09 at 18:46
  • Here is a sample of using multiple configs - http://www.codeproject.com/KB/aspnet/multipleWebConfig.aspx – rahkim Apr 14 '09 at 18:54
  • See my latest edit. I put what I think is a fully baked (albeit stripped down) web.config in subfolder. Looks like, based on that codeproject link, that by default, I cannot override the authentication section in subfolders. – slolife Apr 14 '09 at 19:07
  • Try this link. It basically states what I suggested but gives a method call given in MSDN (sorry to post links, but its briefer than posting all the code.) http://zulfiqar.typepad.com/zulfiqars_web/2004/02/aspnet_web_form.html – rahkim Apr 15 '09 at 11:49
  • None of which actually helps - slolife wants to redirect the user **to** a different Login page, not **from** the same login page - this isn't possible without some code on the login page to handle this redirect before it is displayed. – Zhaph - Ben Duguid Apr 16 '09 at 13:30
  • Well...too bad its not as easy as I thought. I searched around and most solutions seem to incorporate a web.config along with some code, but none of them are very elegant. Ive modified the machine.config with the web.config, but it has some obvious drawbacks as well. – rahkim Apr 16 '09 at 19:15