Always redirected to login-page, can't get through

Topics: ASP.NET 2.0, Business Logic Layer, Controls
Mar 25, 2009 at 1:16 PM
Hello!

I have a problem with an app that uses BlogEngine. When browsing to "www.thesite.com/blog" I should be able to view the blog posts, but instead I get redirected to the login page. After I logged in, the change password form is displayed, and after I changed the password nothing happens, and on every link I click I get redirected back to the login page.

The strange thing, though, is that when I browse to "localhost:88/blog.aspx" everything works fine. I can view the blog post and click everywhere, and ONLY when I click the login link does the login page get displayed, exactly how it should be.

It seems to me that there is some kind of security setting in BlogEngine that's behind all of this, not sure though, I'm very new to BlogEngine.

Does anybody have a clue what could be the problem?


The app is using BlogEngine 1.4.5, and running on IIS where it has its own AppPool, .NET 1.1.


Thanks in advance!

/Fred
Mar 26, 2009 at 7:06 AM
Doesn't anyone have a clue?


/Fred
Coordinator
Mar 26, 2009 at 7:27 AM
BlogEngine is a .NET 2.0 application, so the website in IIS will need to be set up for .NET 2.0 -- not 1.1.  This may or may not be the cause of the issues you're seeing.
Mar 26, 2009 at 7:34 AM
Ok, thank you for your answer.

But if that was the case, in my opinion it shouldn't work when I browse to the app on localhost either.


/Fred
Mar 26, 2009 at 8:47 AM
My bad!

The app is using .NET 1.1, but the BE has its own AppPool that uses .NET 2.0.

So that shouldn't be the problem.


/Fred
Mar 26, 2009 at 12:22 PM
When I'm browsing to "http://www.thesite.com/blog" I get redirected to "http://www.thesite.com/blog/login.aspx?ReturnUrl=%2fblog%2fdefault.aspx", if that helps.

Could it be some authentication setting in my web.config that's incorrect?


I appreciate every answer!

/Fred
Coordinator
Mar 26, 2009 at 9:47 PM
Yes, it sounds like you have forms authentication turned on for the entire blog site.

Is the blog a sub-application of a parent application?  Are you using the web.config file that came with BE?  Specifically, what does the <authentication> element in your web.config file look like?  In the default BE installation, it looks like:

<authentication mode="Forms">
    <forms timeout="129600" name=".AUXBLOGENGINE" protection="All" slidingExpiration="true" loginUrl="~/login.aspx" cookieless="UseCookies"/>
</authentication>

Also, see this discussion.  The person had a <deny users="?"/> tag in his web.config file that caused a problem similar to yours.  You might have a <deny> tag like that in your web.config file, or in a parent application's web.config file.
Mar 27, 2009 at 7:20 AM
Yes, it is a sub-application where "www.thesite.com" is the main app and the blog is "www.thesite.com/blog".

The <authentication> element in BE looks like this:

        <authentication mode="Forms">
            <forms timeout="129600" name=".AUXBLOGENGINE" protection="All" slidingExpiration="true" loginUrl="~/login.aspx" cookieless="UseCookies"/>
        </authentication>

I don't have any <deny> tag.


I found this in my parent web.config:

        <!--
        <authentication mode="Forms">
            <forms loginUrl="Login.aspx" name="FORMSAUTHCOOKIE"/>
        </authentication>
        -->
        <!--
        <authorization>
            <deny users="?"/>
        </authorization>
        -->

but as you see it's commented.

I also found out that the BE folder and its subfolders were read-only, but all the files in the BE folder and its subfolders were not read-only, so it's just the folders. I tried to uncheck the read-only on the BE folder and for all its subfolders, but it didn't seem to have an effect, 'cause when I looked in properties for the folder again it was back to read-only.
Mar 27, 2009 at 9:23 AM
I got it to work by modifying the parent web.config from this:


        <authorization>
            <allow roles="AuthorizedPortalUsers" />
            <deny users="*" />  <!-- Deny anonymous users -->
        </authorization>


To this:

        <authorization>
            <allow roles="AuthorizedPortalUsers" />
        <!--    <deny users="*" />  -->
        </authorization>


Do you think this will open up any security risks for my application? If not, that's great, 'cause now the blog is working fine!


/Fred
Mar 27, 2009 at 9:36 AM
Sorry for posting so much, but I changed my mind, I changed the <authorization> element back to how it was, like this:

        <authorization>
            <allow roles="AuthorizedPortalUsers" />
            <deny users="*" />  <!-- Deny anonymous users -->
        </authorization>

And instead added a <location> element like this:

    <location path="blog">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>

All of this is still in the parent web.config.

It works perfectly, does anyone have any thoughts on my approach?


Thanks in advance!

/Fred
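
Added example (not from the thread or from BlogEngine): a simplified Python model of ASP.NET URL authorization, run against the three parent web.config variants posted above. It assumes first-match-wins evaluation with matching `<location>` rules ahead of site-level rules and the machine-level default `<allow users="*"/>` last; the config strings and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed parent web.config variants, modelled on the three posted in the thread.
PARENT = '<allow roles="AuthorizedPortalUsers"/><deny users="*"/>'
BLOG_LOCATION = ('<location path="blog"><system.web><authorization>'
                 '<allow users="*"/></authorization></system.web></location>')

def config(rules, extra=""):
    return ("<configuration><system.web><authorization>%s</authorization>"
            "</system.web>%s</configuration>" % (rules, extra))

ORIGINAL = config(PARENT)
DENY_REMOVED = config('<allow roles="AuthorizedPortalUsers"/>')
WITH_LOCATION = config(PARENT, BLOG_LOCATION)

def rules_for(config_xml, url_path):
    """Rules in evaluation order: most specific <location>, site level, machine default."""
    root = ET.fromstring(config_xml)
    path = url_path.strip("/").lower()
    found = []
    for loc in root.findall("location"):
        prefix = loc.get("path", "").strip("/").lower()
        # match the folder itself or anything below it, but not "/blogger"
        if path == prefix or path.startswith(prefix + "/"):
            found.append((len(prefix), loc.findall("system.web/authorization/*")))
    found.sort(key=lambda item: -item[0])
    rules = [r for _, group in found for r in group]
    rules += root.findall("system.web/authorization/*")
    # machine-level default that every site inherits: <allow users="*"/>
    return [(r.tag, r.get("users", ""), r.get("roles", "")) for r in rules] + [("allow", "*", "")]

def matches(rule, user, roles):
    _, users, rule_roles = rule
    names = [u.strip() for u in users.split(",") if u.strip()]
    wanted = [r.strip() for r in rule_roles.split(",") if r.strip()]
    # "*" is every user, "?" is only the anonymous (unauthenticated) user
    if "*" in names or ("?" in names and user is None) or (user is not None and user in names):
        return True
    return any(r in roles for r in wanted)

def is_allowed(config_xml, url_path, user=None, roles=()):
    """First matching rule wins; user=None stands for an anonymous request."""
    for action, users, rule_roles in rules_for(config_xml, url_path):
        if matches((action, users, rule_roles), user, roles):
            return action == "allow"
    return False  # not reached: the machine default matches everyone
```

In this model the original rules also deny a logged-in user who is not in AuthorizedPortalUsers, and commenting out the deny rule leaves every parent page readable anonymously because requests fall through to the inherited default. The `<location path="blog">` variant opens only the blog path and keeps the rest of the parent site restricted.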
Mar 27, 2009 at 2:37 PM
Seems valid enough (without knowing your setup better).

Nice that you got it to work.
Coordinator
Mar 27, 2009 at 5:43 PM
Using the <location> tag like you did in the parent application's web.config file is a good solution -- there's nothing wrong with that approach.

I think another way you can do it too, but I haven't tested it, would be to add the <allow> tag into BE's web.config file, like this:

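<authentication mode="Forms">
    <forms timeout="129600" name=".AUXBLOGENGINE" protection="All" slidingExpiration="true" loginUrl="~/login.aspx" cookieless="UseCookies"/>
</authentication>
<!-- <allow> is only valid inside <authorization>, not <authentication> -->
<authorization>
    <allow users="*" />
</authorization>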