Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Authentication through web.config not authenticating in ASP.net 3.5

Tags:

authentication

asp.net

authorization

forms-authentication

web-config

This is one of this things that should be extremely simple and I just can't work out why it's not working.

I'm trying to set up some very quick authentication for an ASP.net 3.5 app but storing the usernames and passwords in the web.config file (I know it's not very secure but it's an internal app that I keep getting asked to add and remove logins for so this is the quickest way to do it).

So, the relevant config section looks like this:

<authentication mode="Forms">
   <forms loginUrl="~/login.aspx">
    <credentials>
     <user name="user" password="password" />
     <user name="user2" password="password2" />
    </credentials>
   </forms>
  </authentication>

  <authorization>
    <deny users="?"/>
  </authorization>

And, in the login page, the code look like this:

string username = tbUsername.Text;
string password = tbPassword.Text;

if (FormsAuthentication.Authenticate(username, password))
    FormsAuthentication.RedirectFromLoginPage(username, false);

But, FormsAuthentication.Authenticate(username, password) always returns false. And I can't figure out why.

I even tried using Membership.ValidateUser but that just adds in a local database to the App_Data folder.

Is there something really basic I'm forgetting here or does this not work at all in .net 3.5?

like image 519
Kevin Wilson Avatar asked Jul 17 '09 12:07

Kevin Wilson

2 Answers

I'm not sure if this has changed in .NET 3.5, but the <credentials> element has an attribute passwordFormat that defines the format for passwords in the web.config. From the MSDN documentation for .NET 3.5, the default format is SHA1.

If you're using cleartext usernames and passwords in your web.config, you should use:

...
<credentials passwordFormat="Clear">
...

Event though this is an internal application I'd still recommend at least hashing the password instead of leaving it in clear text.

like image 151
dariom Avatar answered Oct 24 '22 07:10

dariom

I think the reason is because you did not indicate the passwordFormat. http://msdn.microsoft.com/en-us/library/e01fc50a.aspx

Default is SHA1, hence your clear text in fact not used properly.

like image 45
o.k.w Avatar answered Oct 24 '22 08:10

o.k.w
Sign in to Comment

Related questions

IIS7 Integrated Pipeline: Interaction between maxConcurrentRequestsPerCPU and requestsQueueLimit settings
Hyperlink OnClick event in code behind
System.Net.ServicePointManager.DefaultConnectionLimit == 24 --> BUG?
When is it "acceptable" to use ViewBag/ViewData in ASP.NET MVC?
Can I retain folder permissions during one-click web publishing?
Web API cannot resolve symbol Http in System.Web.Http, what is missing?
URL redirection from ADFS server
Manually renew forms authentication ticket:
what is Microsoft.Practices.EnterpriseLibrary.Data
Graphics.DrawImage: Out of memory exception
What is benefit of Bridge Pattern [closed]
Unsupported Media Type http response when upload file using c# api.
Adding a checkbox column to asp.net gridview
Internal Server Error 500.24
Async method call and impersonation
Ajax with ViewComponent
Unable to translate bytes [FC] at index 35 from specified code page to Unicode
"Out of Band" Processing Techiniques for asp.net applications
What are some best practices for managing background threads in IIS?
How to add custom ASP.NET pages into sharepoint

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!