Hi All,
I seem to be stuck with this problem and despite my attempts at looking at all kinds of solutions, I still find myself miserably and frustratingly unable to solve my problem. My problem is the following: I want to restrict access to a folder which contains the administrator pages to modify my database. For this I am using an MS Access Database as well and have 2 web.config files, one in each folder, as follows:

In folder to be accessed openly (root folder)

<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<compilation defaultLanguage="c#" />
</system.web>
<location path = "admin/administrator.aspx" />
<system.web>
<authentication mode ="Forms">
<forms name="FormsEClient" loginUrl = "admin/login.aspx" protection = "All" />
</authentication>
<authorization>
<allow users = "*" />
</authorization>
</system.web>
</configuration>


In folder (root folder/admin) that is to be restricted:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>


This is the login.aspx page I am using as well:
<%@ Import Namespace = "System.Web.Security" %>
<%@ Import Namespace="System.Data.OleDb" %>
<%@ Import Namespace="System.Data" %>


<%@ Page Language="C#" ContentType="text/html" ResponseEncoding="iso-8859-1" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<script language="c#" runat="server">
protected void btnlogin_click(object obj, EventArgs e){
    if(Page.IsValid){
        //Users user = new Users();
        bool auth;
        auth = AuthenticateUser(txtUsername.Text, txtPassword.Text);
        if(auth){
            FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, true);
            Response.Write("Testing as well");
        } else {
            lblMessage.Text = "Account Information was incorrect! Please try again!";
        }
    }else {
        lblMessage.Text = "Missing some fields. Please try again.";
    }
}

public bool AuthenticateUser(string username, string password){
    bool authenticated;
    OleDbConnection oConn;
    OleDbCommand oComm;
    OleDbDataReader oReader;
    string sSQL;

    string sConn = "Provider=Microsoft.Jet.OleDb.4.0;";
    sConn += @"Data Source="+MapPath("../AstroDatabase.mdb");

    // Positional (?) placeholders: the typed-in values are bound as parameters
    // below instead of being concatenated into the SQL text.
    sSQL = "SELECT ID ";
    sSQL += "FROM Users ";
    sSQL += "WHERE user = ? ";
    sSQL += "AND pass = ?;";

    oConn = new OleDbConnection(sConn);
    oConn.Open();

    oComm = new OleDbCommand(sSQL, oConn);
    // OleDb binds by position, so add the parameters in the order of the ? marks.
    oComm.Parameters.Add("@user", OleDbType.VarChar).Value = username;
    oComm.Parameters.Add("@pass", OleDbType.VarChar).Value = password;
    oReader = oComm.ExecuteReader();

    // Any matching row means the credentials were found.
    if(oReader.Read()){
        authenticated = true;
    }else {
        authenticated = false;
    }
    oReader.Close();
    oConn.Close();
    oConn.Dispose();

    return authenticated;
}
</script>
<body><center>
<h2>Please Login:</h2>
<asp:Label ID="lblInvalid" runat="server" />
<form runat="server">
Username:<asp:TextBox ID="txtUsername" runat="server" /><br />
Password:<asp:TextBox ID="txtPassword" TextMode="Password" runat="server" /><br />
<asp:Button ID="btnlogin" runat="server" Text="Login" OnClick="btnlogin_click" />
<br /><br /><br /><br /><br />
<asp:Label ID="lblMessage" runat="server" Text=""/>
</form>
</center>
</body>
</html>

When I click on the pages within the admin folder, a page asking me for a login and a password shows up. Upon typing the correct username and password, the page seems to get refreshed and does not show the administrator.aspx page which ideally needs to be redirected to upon successful login. Also, in the status bar below, I see the message below:

login.aspx?ReturnUrl=%2fastro%2fadmin%2fadministrator.aspx.

Can anyone pls pls pls pls help me? I am going nuts here!


I think your problem is your deny users="*" in your secured folder's web.config. That will deny everyone, regardless of whether they have been issued a forms authentication ticket. Try changing the asterisk to a question mark. That will only deny users that haven't gotten a ticket yet. Also, I've noticed quite a few quirks when using multiple web.config files in the same app. You could consolidate to one web.config and have multiple location elements in the single file. Hope this helps!
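The consolidation suggested in this answer, written out as an added example (not a file posted by anyone in the thread): one root web.config with forms authentication declared once and a location element covering the admin folder. The folder, page and cookie names are taken from the question; the explicit entry for login.aspx is an assumption added for clarity.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: single web.config in the application root. -->
<configuration>
  <system.web>
    <compilation defaultLanguage="c#" />

    <!-- Authentication is declared once, for the whole application. -->
    <authentication mode="Forms">
      <forms name="FormsEClient" loginUrl="admin/login.aspx" protection="All" />
    </authentication>

    <!-- Public pages: everyone, including anonymous visitors. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Everything under admin/: "?" means anonymous (no ticket yet).
       With deny users="*" here, a user who has just logged in is still
       denied and is sent back to loginUrl with the same ReturnUrl. -->
  <location path="admin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Assumption: keep the login page itself explicitly reachable. -->
  <location path="admin/login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

When testing a change like this, note that the login page in the question calls RedirectFromLoginPage with true as its second argument, which issues a persistent cookie, so a browser that logged in earlier still counts as authenticated until that cookie is removed.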

Hi. Thanks for the reply. I tried that as well. However, doing so is not restricting access at all. Clicking onto the link for that page takes me to the page directly, bypassing any login process. So I am still in the dark as to what's wrong...:(. I have deleted my cache folder so many times as well thinking that IE just might be remembering the administrator pages but that does not help either. Also, even if I did use just one web.config with several location tags, the problem would still be there.

I am thinking of just using a blank page and doing a login with that first before I start messing up my project.

In the meantime, any other ideas as to solving this problem?

Regards.

Shift this code from the root web.config:
<authentication mode ="Forms">
<forms name="FormsEClient" loginUrl = "admin/login.aspx" protection = "All" />
</authentication>

to the web.config which is in the root folder/admin folder
