ASP.NET窗体身份验证 [英] ASP.NET Forms Authentication
问题描述
我有以下ASP.NET窗体身份验证的配置:
<&的System.Web GT;
<身份验证模式=表格>
<形式的名称=MembershipCookie
loginUrl =的Login.aspx
保护=全部
超时=525600
slidingExpiration =真
enableCrossAp predirects =真
路径=/>
< /形式GT;
< /认证>
<授权>
<拒绝用户=? />
< /授权>
< /system.web>
<位置路径=Home.aspx>
<&的System.Web GT;
<授权>
<让用户=*/>
< /授权>
< /system.web>
< /位置
如果一个匿名用户访问该网站,并要求 home.aspx
他们应该被拒绝访问,并踢翻在的Login.aspx
页,因为第一条规则<拒绝用户=? />
将匹配和进一步的处理将停止
该网站上运行IIS7.5,ASP.NET 4.0和应用程序池配置为使用集成管道模式。
更新:
这样做的原因问题是理智检查我的ASP.NET 4.0的窗体身份验证行为的理解(这实际上是正确的)。还有一个相关的跟进问题描述什么样子的修补程序中的错误(这也是推出到Windows 2008 R2 SP1) - KB980368:
<一个href=\"http://stackoverflow.com/questions/5080837/asp-net-2-0-and-4-0-seem-to-treat-the-root-url-differently-in-forms-authenticatio\">ASP.NET 2.0和4.0似乎在窗体身份验证区别对待的根网址
块引用>解决方案如果一个用户正在访问Home.aspx,它将使用
&LT指定Home.aspx配置部分;位置/&GT;
,因此用户不会被踢出来的Login.aspx。I have the following ASP.NET Forms Authentication configuration:
<system.web> <authentication mode="Forms"> <forms name="MembershipCookie" loginUrl="Login.aspx" protection="All" timeout="525600" slidingExpiration="true" enableCrossAppRedirects="true" path="/"> </forms> </authentication> <authorization> <deny users="?" /> </authorization> </system.web> <location path="Home.aspx"> <system.web> <authorization> <allow users="*" /> </authorization> </system.web> </location
If an anonymous user visits the site and requests
home.aspx
should they be denied access and kicked to theLogin.aspx
page because the first rule<deny users="?" />
will match and further processing will stop?The site is running on IIS7.5, ASP.NET 4.0 and the application pool is configured for Integrated Pipeline mode.
Update:
The reason for this question was to sanity check my understanding of ASP.NET 4.0's Forms Authentication behaviour (which was actually correct). There is a related follow up question which describes what looks like a bug in a hotfix (which is also rolled into Windows 2008R2 SP1) - KB980368:
ASP.NET 2.0 and 4.0 seem to treat the root url differently in Forms Authentication
解决方案If an user is accessing Home.aspx , it will use the configuration section for Home.aspx specified by
<location />
and hence the user will not be kicked out to Login.aspx .这篇关于ASP.NET窗体身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!