
proper IIS 6 configuration for forms authentication

I'm using Forms Authentication in my current ASP.NET Web Application (not MVC) and my IIS 6 server is configured with the following options:

In the [directory security tab] -> [Authentication Methods] I have:

  • the anonymous access Enabled
  • Integrated windows authentication Enabled

Do the above options prevent Forms Authentication from working properly? In other words, what is the proper IIS 6 configuration for Forms Authentication?

EDIT

I just made a test with the two options above enabled, and the Forms Authentication session expired and redirected me to the login page, but all the answers so far advise that [Integrated windows authentication] should be off!

Jawad Al Shaikh asked Dec 08 '25 10:12


2 Answers

Here is a checklist for using ASP.NET Forms Authentication on IIS6

Configure IIS:

In IIS, Site Properties -> Directory Security -> Authentication and Access Control

  • Enable Anonymous Access
  • Disable all Authenticated access methods


Configure Forms Authentication:

Configure Forms Authentication in your site's web.config:

<authentication mode="Forms">
  <forms name="MySite" 
         path="/" 
         loginUrl="~/logon.aspx" 
         protection="All" 
         timeout="30"
         slidingExpiration="true" />
</authentication>

Your name and loginUrl may vary. The slidingExpiration attribute is used to keep extending the forms authentication cookie lifetime rather than just kicking the user off of the site after the timeout has expired. The timeout value is in minutes.

Configure Session Timeout:

You need to configure your session state timeout to be longer than your Forms Authentication ticket expiry. If you don't do this then an idle session can time out the session but leave the user logged in. Code that expects Session values to be present will throw exceptions because they are gone even though they are still authenticated. The timeout value is also in minutes.

<sessionState mode="InProc" timeout="40" />

Kev answered Dec 10 '25 10:12
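Added example, not part of the answer above or of any Microsoft tooling: a small Python check that reads a web.config and flags the conditions the answer describes (Forms mode, protection="All", and a sessionState timeout longer than the forms ticket timeout). The function names and the sample configurations are constructed for illustration; the fallback values of 30 and 20 minutes are the ASP.NET defaults for the forms and sessionState timeouts, so a site that omits sessionState entirely is reported as well.

```python
import xml.etree.ElementTree as ET

# ASP.NET defaults in minutes, applied when the attribute or element is absent.
DEFAULT_FORMS_TIMEOUT = 30
DEFAULT_SESSION_TIMEOUT = 20

def _find(parent, name):
    """First descendant called `name`, ignoring any XML namespace prefix."""
    return next((el for el in parent.iter()
                 if el.tag.rsplit("}", 1)[-1] == name), None)

def audit_web_config(xml_text):
    """Return findings for the Forms Authentication settings in a web.config."""
    root = ET.fromstring(xml_text)
    auth = _find(root, "authentication")
    if auth is None or auth.get("mode", "").lower() != "forms":
        return ["authentication mode is not Forms"]

    findings = []
    forms = _find(auth, "forms")
    forms_attrs = forms.attrib if forms is not None else {}
    # protection="All" means the ticket is both encrypted and validated.
    if forms_attrs.get("protection", "All").lower() != "all":
        findings.append("forms protection is not All")
    session = _find(root, "sessionState")
    session_attrs = session.attrib if session is not None else {}
    forms_timeout = int(forms_attrs.get("timeout", DEFAULT_FORMS_TIMEOUT))
    session_timeout = int(session_attrs.get("timeout", DEFAULT_SESSION_TIMEOUT))
    # Session must outlive the ticket, otherwise Session values vanish first.
    if session_timeout <= forms_timeout:
        findings.append(f"sessionState timeout ({session_timeout}) is not "
                        f"longer than forms timeout ({forms_timeout})")
    return findings

# Constructed sample: the answer's settings (30-minute ticket, 40-minute session).
ANSWER_CONFIG = """<configuration><system.web>
  <authentication mode="Forms">
    <forms name="MySite" path="/" loginUrl="~/logon.aspx"
           protection="All" timeout="30" slidingExpiration="true" />
  </authentication>
  <sessionState mode="InProc" timeout="40" />
</system.web></configuration>"""

# Constructed sample: same forms element, sessionState left at its default.
NO_SESSION_CONFIG = ANSWER_CONFIG.replace(
    '<sessionState mode="InProc" timeout="40" />', "")

if __name__ == "__main__":
    for label, cfg in (("answer", ANSWER_CONFIG), ("default", NO_SESSION_CONFIG)):
        print(label, "->", audit_web_config(cfg) or "ok")
```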


Because forms authentication does not rely on IIS authentication, you should configure anonymous access for your application in IIS if you intend to use forms authentication in your ASP.NET application.

See here http://msdn.microsoft.com/en-us/library/ff647070.aspx for more information.

Subhash Dike answered Dec 10 '25 10:12


