How to disable forms authentication

Question

I have a folder in my web site for which I secured with forms-based authentication. I now have to develop two new pages in that folder and I want to turn security off while I test and debug the new forms. I have changed the authentication mode in the web site's web.config file to mode="None" and I have removed the web.config file from the secured folder. I have deleted all the cookies in my browser, but when I go to load a page from this folder, I still am re-routed to the login page.

How do I temporarily disable forms authentication in a web site?

9/25/2009 - I have set forms authentication = "None" in the root web.config file. I have removed the web.config files from the two sub-folders where forms authentication had been implemented. I cleared the cache and deleted the cookies. Still I am asked to login to view a page in the folder. I navigated to the page on a machine that had never been there before and was asked to login there. This is being cached somewhere in the web site on the server that won't let go.

bechbd · Accepted Answer · 2009-09-16 17:07:37Z

6

Try adding the information below to your web.config. This will remove the items in the path from the authorization required.

<location path="XXXXXXXXX">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

answered Sep 16, 2009 at 17:07

bechbd

6,3713 gold badges31 silver badges47 bronze badges

Sign up to request clarification or add additional context in comments.

1 Comment

pthalacker Over a year ago

I tried this and no joy. I tried again with no path attribute which MSDN says will apply to the current directory and all child directories and still no joy. I tried adding users="?" also and still no joy.

rick schott · Accepted Answer · 2009-09-16 17:06:31Z

2

You can use the location tag in the web.config for that secured directory to overidde security for those pages:

 <location path="secureddir/newform.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

http://msdn.microsoft.com/en-us/library/b6x6shw7.aspx

answered Sep 16, 2009 at 17:06

rick schott

21.1k5 gold badges54 silver badges81 bronze badges

Comments

David Boike · Accepted Answer · 2009-09-17 16:42:30Z

1

You may have a page (or a base class, or a master page) that is calling FormsAuthentication.RedirectToLoginPage();

answered Sep 17, 2009 at 16:42

David Boike

18.7k7 gold badges63 silver badges94 bronze badges

1 Comment

pthalacker Over a year ago

All of my authentication redirection is begin done with web.config files. The only redirect is from the Logout.aspx page. There is nothing in any class or master page having to do with security.

moomoo · Accepted Answer · 2014-01-02 21:27:59Z

I wanted to be able to disable authentication throughout the app while debugging so I did the following:

1) Created this class.

namespace System.Web.Mvc
{
    public class SwitchableAuthorizeAttribute : AuthorizeAttribute
    {
        public static bool Enabled = true;

        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            if (Enabled)
            {
                base.OnAuthorization(filterContext);
            }
        }
    }
}

2) Replaced the [Authorize] attribute with [SwitchableAuthorize] throughout the application.

3) Turned authorization off when desired. For example, I added the following to App_Start/AuthConfig.cs:

public static class AuthConfig
{
    public static void RegisterAuth()
    {
        #if DEBUG
        SwitchableAuthorizeAttribute = false;
        #endif

        ...           
    }
}

You may have conditions other than DEBUG. This approach will allow you to programmatically turn authorization on/off at any time.

If your pages require logged in User information, this method could be enhanced by performing some bogus login rather than simply skipping base.OnAuthorization().

Joel Martinez · Accepted Answer · 2009-09-16 17:00:53Z

0

turning the authenticode to none should do it. there must be something you're missing, are you sure you're browsing the deployed code that you updated?

answered Sep 16, 2009 at 17:00

Joel Martinez

47.9k26 gold badges136 silver badges186 bronze badges

1 Comment

pthalacker Over a year ago

I am sure I am missing something. That is why I posted the question

Steve · Accepted Answer · 2009-09-16 18:11:50Z

0

I've had this problem before - this may not pertain to you, but I'll mention that it was an in-memory cookie that caused my authentication form to keep coming up. I found out by trying a different browser, that is, FF, Chrome, instead of IE.

answered Sep 16, 2009 at 18:11

Steve

6,00212 gold badges57 silver badges76 bronze badges

6 Comments

pthalacker Over a year ago

I am using FireFox as the default. I just tried opening one of the pages in IE using the development server IIS instead of localhost. Still no joy.

Steve Over a year ago

Perhaps there is an intermediate config file between the root and secured folder? Or the web.config file points to another config file for authentication: <authentication configSource="webAuthentication.config"/> Or the machine.config authentication section is somehow being used? Or there's some custom authentication going on in global.asax?

pthalacker Over a year ago

The only thing in Global.asx is a trap for a 404 error. No configSource in web.config. To my knowledge no one has ever touched machine.config so it should be in pristine default condition. There are only three web.config files—one in the root, one in the Secure folder where I put all the login and user management pages and one in the folder that contains the content that needs secure access. Are you saying that the web.config file in one folder can impact the behavior of a peer folder? That would be nasty. - pamela

Steve Over a year ago

Did you try stopping and restarting the webserver? Are you using IIS7? There's a forms authentication setting in iis Manager. A debug session starting with app_start didn't show you anything?

pthalacker Over a year ago

@Steve My IIS management skills are kind of thin. But I get the same results in the VS server on localhost that I do on the server for the development site. We have given IUSER anonymous access for the site and there is no problem accesssing folders that were never put under forms authentication. Just the ones that were. If I put a breakpoint in App_Start, what would I be looking for?

|

techBeginner · Accepted Answer · 2011-09-02 01:45:15Z

0

try removing mode="XXXX" from authentication node and also comment authorization node

answered Sep 2, 2011 at 1:45

techBeginner

3,86813 gold badges45 silver badges61 bronze badges

Comments

Tim Reninger · Accepted Answer · 2022-10-27 15:31:31Z

0

This is an extremely old post but I just had a similar issue and wanted to share my solution.

IIS Manager -> Authentication:

Ensure 'Forms Authentication', 'Windows Authentication', etc. are set to 'Disabled'

Set 'Anonymous Authentication' to 'Enabled'

This will allow the client to passthrough to the application's authentication methods defined in your code.

answered Oct 27, 2022 at 15:31

Tim Reninger

295 bronze badges

Collectives™ on Stack Overflow

How to disable forms authentication

8 Answers 8

1 Comment

Comments

1 Comment

Comments

1 Comment

6 Comments

Comments

Comments

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

8 Answers 8

1 Comment

Comments

1 Comment

Comments

1 Comment

6 Comments

Comments

Comments

Your Answer

Sign up or log in

Post as a guest

Linked

Related