Archive for the ‘Security’ Category

Bypass Forms Authentication For One Page

June 6, 2011

Haven’t posted for a while and a reader said my blog was looking a bit stale, so here’s a short post to prove the waxen heart of the Tadpole is still beating.

I was asked to provide an alternative login page for a site. This page would be hosted in an IFrame which itself would live on a page in a wholly separate domain. The users would enter their credentials in this alternative login page instead of the normal Login Page. Once the credentials were received and authenticated in the IFrame Page, the page would Redirect to a ‘Logged In’ page on our site.

It was trivial to perform the Authentication of the credentials, but I soon saw the site was protected by Forms Authentication, which meant that the Redirect would simply bring up our normal login page, thus requiring the users to Log In a redundant second time, a process that was inclined to cause HeadDesking in unsuspecting users.
So to make the Alternative Login Page work I had to:

  • Exclude the Alternative Login Page from Forms Authentication (so the IFrame in which it was contained would display the Alternative Login Page and not the standard Login Page declared in the Forms Authentication section of web.config).
  • Create a Forms Authentication Ticket for the user in the Alternative Login Page (so that the user would be recognised as authenticated once the redirection occurred and would not be referred back to the standard Login Page).

Excluding a page from Forms Authentication is quite simple: you configure anonymous access in web.config for that particular page by using the location section:

<location path="Register.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

Here it is nicely laid out thanks to Geeks with Blogs. Congratulations! You are now an expert on UrlAuthorization.
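The second step in the list above, creating the ticket in the alternative login page, is not shown in the post, so here is an added example of what the page's code-behind can look like. This is not the author's code: it assumes an ASP.NET Web Forms application using the Membership provider, and the names AltLogin, LoggedIn.aspx, txtUser, txtPassword, lblError and btnLogin_Click are hypothetical.

```csharp
// Added example, not from the original post. Code-behind for the alternative
// login page that sits in the IFrame. Assumes the standard Membership provider;
// AltLogin, LoggedIn.aspx, txtUser, txtPassword and lblError are hypothetical names.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class AltLogin : Page
{
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string user = txtUser.Text.Trim();
        string password = txtPassword.Text;

        // Authenticate against the same store the normal Login page uses, so the
        // alternative page is not a weaker way in than the standard one.
        if (!Membership.ValidateUser(user, password))
        {
            lblError.Text = "Invalid user name or password.";
            return;
        }

        // Create the Forms Authentication Ticket. Once the cookie is set, the
        // redirect target (protected by <deny users="?" />) is served instead of
        // bouncing the user back to the standard Login page.
        var ticket = new FormsAuthenticationTicket(
            1,                                              // ticket version
            user,                                           // authenticated user name
            DateTime.Now,                                   // issue time
            DateTime.Now.Add(FormsAuthentication.Timeout),  // expiry from <forms timeout="..."/>
            false,                                          // not a persistent cookie
            string.Empty,                                   // userData, e.g. roles if needed
            FormsAuthentication.FormsCookiePath);

        string encrypted = FormsAuthentication.Encrypt(ticket);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted)
        {
            HttpOnly = true,                          // keep the ticket out of reach of script
            Secure = FormsAuthentication.RequireSSL,  // honour requireSSL="true" in web.config
            Path = FormsAuthentication.FormsCookiePath
        };
        Response.Cookies.Add(cookie);

        // Redirect to a fixed 'Logged In' page rather than a caller-supplied ReturnUrl,
        // so the exempted page cannot be used as an open redirect.
        Response.Redirect("~/LoggedIn.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

FormsAuthentication.SetAuthCookie(user, false) does the ticket, encryption and cookie work in one call; the explicit form is shown because it matches the post's wording and makes the cookie flags visible. Two things to keep in mind: the location exemption should cover only this one page, since the ticket it issues is the real authentication boundary for the rest of the site; and because the page is framed by a different domain, the ticket is set as a third-party cookie, which some browsers block, so test the flow in the browsers your users actually run.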

Here’s an excellent Overview of Forms Authentication and its relationship with UrlAuthorization, from the Tadpole’s horse’s mouth at Microsoft ASP.NET.