Sitefinity 4.0 Forms Authentication
Hello,
In Sitefinity 4.0, FormsAuthentication is no longer in consideration for authenticating users.
I wonder where I can set my Login page path, so that each page that requires authentication will route to the Login page for anonymous users.
To be more clear: in Sitefinity 3.x it was set in web.config:
<authentication mode="Forms">
    <forms name=".ASPNET" loginUrl="/Login.aspx" protection="All" timeout="1440" path="/" />
</authentication>
Hi there,
You can still set the login page URL from the web.config file, but you have to add some other tweaks:
<authentication mode="Forms">
    <forms loginUrl="~/login" defaultUrl="~/home" />
</authentication>
<customErrors mode="On">
    <error statusCode="403" redirect="~/login" />
</customErrors>
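// Assumed placement: the Page_Load handler of the login page's code-behind
// (the post does not show the enclosing method).
protected void Page_Load(object sender, EventArgs e)
{
    var user = SecurityManager.GetCurrentUser();
    string redirectUrl = GetRedirectUrl();

    // Backend URLs are handed over to the Sitefinity backend login page.
    // The return URL is encoded so that its own query string stays inside ReturnUrl.
    if (!string.IsNullOrEmpty(redirectUrl) && redirectUrl.StartsWith("/sitefinity"))
        Response.Redirect("~/Sitefinity/login.aspx?ReturnUrl=" + HttpUtility.UrlEncode(redirectUrl));

    // A user who is already signed in goes to the configured defaultUrl.
    if (user.Identity.IsAuthenticated)
        Response.Redirect(FormsAuthentication.DefaultUrl, true);

    // The 403 custom error redirect appends "aspxerrorpath"; turn it into "ReturnUrl".
    if (Request.QueryString["aspxerrorpath"] != null)
        Response.Redirect(Request.RawUrl.Replace("aspxerrorpath", "ReturnUrl"));
}

private string GetRedirectUrl()
{
    HttpContext context = HttpContext.Current;
    string returnUrl = context.Request.QueryString["ReturnUrl"];
    if (returnUrl == null)
        return loginControl.DestinationPageUrl;
    return HttpUtility.UrlDecode(returnUrl);
}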
Hi George,
Thanks for your reply. This is a nice trick but it does not work in my case. The problem is much deeper and I should have probably explained it in full.
The thing is that the "aspxerrorpath" parameter attached to the URL is triggered by the custom error 403 set up in web.config.
If you do NOT set up a custom error and just set up the Forms Authentication loginUrl, no redirects will happen and you will get an error saying: "The type of page you have requested is not served because it has been explicitly forbidden."
Why can't I set 403 in custom errors to route to the Login page?
Let's say I have Members and NonMembers roles and a page that is allowed to be viewed by Members only. When a user is initially anonymous and logs in as a Member, everything works fine. But when a user logs in as a NonMember, he is redirected back to the Login page since he has no permissions to view this page. The Login page just displays a Welcome message and a Sign Out link, which makes no sense at all in this case.
So, 403 in custom errors should navigate to some page with a simple message, "Permissions denied", while redirection to the login page must be triggered by something else, not by the Custom Errors section.
In all Sitefinity 3.x apps as well as in all non-Sitefinity apps I am working on, I just set loginUrl for Forms Authentication in web.config and it works.
As for Sitefinity 4.0 I have no idea where it should be set up.
Thanks.
Hello,
This feature (of handling the aspxerrorpath in the error pages) is not implemented at this time.
We logged a task pending to be implemented in Q2.
Best wishes,
Ivan Dimitrov
the Telerik team
Hello,
My issue is not the same as described in this thread, but it's related to Forms Authentication. I'm using SF 7.1 on IIS7 and the problem is that httpErrors always override the customErrors set in web.config.
Let's say I want to handle the 401 error and redirect all anonymous users to the login page.
If I do not set any httpErrors, my customErrors are ignored and I end up getting the 401 - Unauthorized IIS7 error. If I set up httpErrors in web.config, I'm correctly redirected to the login page, but the problem in this case is that the ReturnUrl parameter is not appended. So I cannot redirect the user upon authentication since I do not know where the user came from.
I also tried to set up a redirect from Global.asax like in the snippet below, but with no luck as well.
Please let me know if there is any solution to this issue.
Thanks.
[quote]
void Application_Error(object sender, EventArgs e)
{
    var currentPage = HttpContext.Current.Request.Url.ToString();
    Exception ex = Server.GetLastError();
    if (ex is HttpException)
    {
        HttpException httpEx = ex as HttpException;
        if (httpEx.ErrorCode == 401 || httpEx.Message.ToLower().Contains("access is denied due to invalid credentials") || httpEx.Message.ToLower().Contains("you do not have permission to view this directory or page using the credentials that you supplied"))
        {
            Response.Redirect("~/login?ReturnUrl=" + currentPage);
            Server.ClearError();
        }
    }
}
[/quote]
Hello Leo,
You have been provided answers to your question in the support ticket you have opened. Feel free to share the solution with the community.
Regards,
Pavel Benov
Telerik
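
The routing this thread asks for, as an added example that is not code from any poster or from Sitefinity: anonymous visitors go to the login page with an encoded ReturnUrl, signed-in users without permission go to a "Permissions denied" page, and after login the ReturnUrl is followed only if it is site-relative. The class name, method names and the "~/access-denied" page are assumptions; "~/login" and "~/home" are the values from the web.config above.

```csharp
using System;

// Added example; LoginRedirects and AccessDeniedUrl are hypothetical names.
public static class LoginRedirects
{
    public const string LoginUrl = "~/login";                // loginUrl from the thread
    public const string DefaultUrl = "~/home";               // defaultUrl from the thread
    public const string AccessDeniedUrl = "~/access-denied"; // assumed page, not in the thread

    // Where to send a request that was refused for the page at requestedPath.
    public static string ForDeniedRequest(bool isAuthenticated, string requestedPath)
    {
        // A signed-in user who lacks permission gains nothing from the login form.
        if (isAuthenticated)
            return AccessDeniedUrl;
        // Anonymous user: remember the page, encoded so that its own query
        // string cannot spill into the login URL's parameters.
        return LoginUrl + "?ReturnUrl=" + Uri.EscapeDataString(requestedPath);
    }

    // Where to send the user after a successful login.
    public static string AfterLogin(string returnUrl)
    {
        return IsLocalUrl(returnUrl) ? returnUrl : DefaultUrl;
    }

    // Accept only site-relative paths, so ReturnUrl cannot point off-site.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        string path = url.StartsWith("~/", StringComparison.Ordinal) ? url.Substring(1) : url;
        if (path[0] != '/') return false;  // absolute URLs and other schemes
        // "//host" and "/\host" are treated by browsers as another host.
        return path.Length == 1 || (path[1] != '/' && path[1] != '\\');
    }

    public static void Main()
    {
        // Constructed sample inputs.
        Console.WriteLine(ForDeniedRequest(false, "/members/news?id=5"));
        Console.WriteLine(ForDeniedRequest(true, "/members/news?id=5"));
        Console.WriteLine(AfterLogin("/members/news?id=5"));
        Console.WriteLine(AfterLogin("//example.org/"));
    }
}
```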