Menu
I created a new ASP.NET MVC 5 application with default access control provided by Visual Studio 2013 and Owin Middleware.
I enabled basic authentication on IIS (disabling all the others authentications) to protect the site from people that don't have the user/password that I created on Windows. It result in a "redirect loop” in the browser.
Any ideas why? How can I protect a web site without change the code?
525
OWIN sits between IIS and your application so that you can switch out IIS without rewriting your application.
In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services. On the Select Role Services page of the Add Role Services Wizard, select Basic Authentication, and then click Next. On the Confirm Installation Selections page, click Install. On the Results page, click Close.
Basic authentication is simple and convenient, but it is not secure. It should only be used to prevent unintentional access from nonmalicious parties or used in combination with an encryption technology such as SSL.
By default in file Startup.Auth.cs, there will be something like this:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Main/Account/Login"),
CookieName = "OwinAuthCookie",
});
When you enable Basic Authentication in IIS, here is what happens:
HTTP 401 Response.401 (Unauthorized) Response, so it redirects to the configured LoginPath.What you can do is comment out the LoginPath property in the above code. This should stop the redirect loop, but also can (but don't have to, depending on your implementation) break authentication for application users.
What I eventually ended up with was implementing a small Owin middleware and doing Basic Authentication myself.
These links could be helpful:
152
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
