Can anyone tell me if it is possible to use both basic and forms authentication on my site without the 2 interfering with each other?
I have a new site that I want only certain people to see for approval purposes.
The site has a members area that uses Forms authentication and now when anyone enters the site after passing basic authentication they are being directed to the forms authentication page, even though they should be viewing a page that isn't protected by forms authentication.
I need a situation whereby anyone who clears basic authentication can then view the whole site excluding the members area of the site where they will need to log in via forms authentication.
Basic authentication is simple and convenient, but it is not secure. It should only be used to prevent unintentional access from nonmalicious parties or used in combination with an encryption technology such as SSL.
Unlike Form-Based Authentication, Basic Authentication does NOT use cookies, hence there is no concept of a session or of logging out a user, which means each request has to carry that header in order to be authenticated. Form-Based Authentication, on the other hand, is not formalized by any RFC.
Difference between Basic Authentication and Windows authentication. Windows authentication authenticates the user by validating the credentials against the user account in a Windows domain. Basic authentication verifies the credentials that are provided in a form against the user account that is stored in a database.
ASP.NET supports Forms Authentication, Passport Authentication, and Windows authentication providers. The mode is set to one of the authentication modes: Windows, Forms, Passport, or None. The default is Windows.
It sounds like you just haven't configured forms authentication for just the particular members area, but have it configured for everything.
Look at the authorization element and the location element (if you want to control the settings in the main Web.config, instead of creating a Web.config for the member's area).
See also ASP.NET Forms Authentication and a "No Authentication" subfolder (except you want the reverse).
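A Web.config along the lines of the answer above, added here as an illustration and not taken from the original thread. The folder name `Members` and the login page `~/Login.aspx` are assumptions; the fragment only covers the forms-authentication side and does not show how basic authentication is enforced in front of the site.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Forms authentication is enabled for the application as a whole.
         loginUrl is a hypothetical page kept outside the protected folder. -->
    <authentication mode="Forms">
      <!-- requireSSL assumes the site is served over HTTPS, so the
           forms ticket cookie is never sent in clear text. -->
      <forms loginUrl="~/Login.aspx" timeout="30" requireSSL="true" />
    </authentication>

    <!-- Site-wide rule: allow every user, including anonymous ones.
         With a site-wide <deny users="?" /> here instead, every page
         redirects to the forms login page, which is the behaviour
         described in the question. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Override for the members area only ("Members" is an assumed
       folder name). "?" means anonymous users, so anyone without a
       forms ticket is redirected to loginUrl for this path alone. -->
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The same effect can be had by dropping a Web.config containing only the inner `<authorization>` block into the members folder instead of using `<location>`.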
One option is to write your own basic authentication filter attribute and protect the actions that just require basic authentication with the custom attribute. The controller action which requires forms authentication should be protected with the normal [Authorize] attribute. Please refer to the following example:
http://www.ryadel.com/en/http-basic-authentication-asp-net-mvc-using-custom-actionfilter/
I had a similar issue in the past, but it was more along the lines of providing basic authentication for REST calls and form authentication when someone accesses the MVC site. We ended up creating our own authentication filter.