
I have a problem with my ASP.NET 4.5 app using MVC 5.1 and forms authentication.

This is how I configured forms authentication:

<!-- Forms authentication: requests that are not authenticated are sent to loginUrl.
     NOTE(review): defaultUrl is the login page itself; it is the page a user is sent
     to after login when no ReturnUrl was supplied - confirm that is intended. -->
<authentication mode="Forms">
  <forms name=".ASPXAUTH"
         loginUrl="~/Account/Login"
         defaultUrl="~/Account/Login"
         timeout="2880"/>
</authentication>
<!-- Root-level URL authorization: every user, anonymous included, is allowed. -->
<authorization>
  <allow users="*"/>
</authorization>

This is my login action:

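/// <summary>
/// Shows the login form; reachable without being authenticated.
/// </summary>
/// <param name="ReturnUrl">Query-string value naming where to go after a successful
/// login (the observed redirect carries ReturnUrl=%2fAccount%2fLogin).</param>
/// <returns>The Login view, with ViewBag.ReturnUrl set for the form to post back.</returns>
[HttpGet]
    [AllowAnonymous]
    public ActionResult Login(string ReturnUrl)
    {
        // ReturnUrl arrives on the query string, so only carry it into the view when
        // it points back into this site; an absolute or external URL is dropped so a
        // later redirect to it cannot be steered off-site. IsLocalUrl(null) is false,
        // so a missing ReturnUrl still yields null, as before.
        ViewBag.ReturnUrl = Url.IsLocalUrl(ReturnUrl) ? ReturnUrl : null;

        return View();
    }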

I run my application in iis express by going to this url:

http://mymachine:59006/Account/Login

I get redirected to:

http://mymachine:59006/Account/Login?ReturnUrl=%2fAccount%2fLogin

When I debug my action method the cursor reaches it twice.

What I found happening in the background is that the request to http://mymachine:59006/Account/Login receives a 302 response, then http://mymachine:59006/Account/Login?ReturnUrl=%2fAccount%2fLogin is requested and I get a 401.

If I remove form authentication from Web.config it works and I get 200 when I access http://mymachine:59006/Account/Login, but I need it for the rest of my website.

Can anyone provide me with a solution?

Update 1: Tried it with local IIS as well; same problem.

Update 2: My Web.Config file:

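<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
  </configSections>
  <connectionStrings>
    <add name="ConnectionString" *censored* />
  </connectionStrings>
  <appSettings>
    <!-- PreserveLoginUrl was listed twice; a duplicate key in appSettings is a
         configuration error at startup, so only one entry is kept. -->
    <add key="PreserveLoginUrl" value="true" />
    <add key="ClientValidationEnabled" value="false" />
    <add key="UnobtrusiveJavaScriptEnabled" value="false" />
    <add key="email_smtp" value="*censored*" />
    <add key="email_box" value="*censored*" />
    <add key="enableSimpleMembership" value="false" />
    <add key="autoFormsAuthentication" value="false" />
    <add key="loginUrl" value="~/Account/Login" />
  </appSettings>
  <!-- NOTE(review): this path names the view file, not the request URL /Account/Login
       that the browser actually asks for; confirm the intended path. The root-level
       rules below do not deny anonymous users, so this block is currently not what
       decides access to the login page. -->
  <location path="Views/Account/Login">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
  <system.web>
    <customErrors mode="Off" />
    <authentication mode="Forms">
      <!-- protection="None" leaves the forms ticket unencrypted and unsigned, so the
           cookie could be altered or forged by the client; "All" encrypts and signs it.
           requireSSL stays false because the app is served over plain http on port
           59006 during development; set it to true once HTTPS is in place. -->
      <forms cookieless="UseCookies" enableCrossAppRedirects="false" loginUrl="~/Account/Login" name=".ASPXAUTH" path="/" protection="All" requireSSL="false" slidingExpiration="true" timeout="43200" />
    </authentication>
    <!-- NOTE(review): compilation targets 4.5 but httpRuntime carries no targetFramework;
         confirm whether that was deliberate. -->
    <httpRuntime />
    <compilation debug="true" targetFramework="4.5" />
    <pages controlRenderingCompatibilityVersion="4.0">
      <namespaces>
        <add namespace="System.Web.Helpers" />
        <add namespace="System.Web.Mvc" />
        <add namespace="System.Web.Mvc.Ajax" />
        <add namespace="System.Web.Mvc.Html" />
        <add namespace="System.Web.Routing" />
        <add namespace="System.Web.WebPages" />
      </namespaces>
    </pages>
  </system.web>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="WebGrease" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-1.6.5135.21930" newVersion="1.6.5135.21930" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Razor" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.WebPages.Razor" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Net.Http.Formatting" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-5.1.0.0" newVersion="5.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Http" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-5.1.0.0" newVersion="5.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Antlr3.Runtime" publicKeyToken="eb42632606e9261f" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-3.5.0.2" newVersion="3.5.0.2" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="DotNetOpenAuth.AspNet" publicKeyToken="2780ccd10d57b246" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-4.1.0.0" newVersion="4.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="DotNetOpenAuth.Core" publicKeyToken="2780ccd10d57b246" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-4.1.0.0" newVersion="4.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Net.Http" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Helpers" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="0.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.WebPages" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="0.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
        <bindingRedirect oldVersion="0.0.0.0-5.1.0.0" newVersion="5.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="WebMatrix.WebData" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-3.0.0.0" newVersion="3.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
  <entityFramework>
    <defaultConnectionFactory type="System.Data.Entity.Infrastructure.LocalDbConnectionFactory, EntityFramework">
      <parameters>
        <parameter value="v11.0" />
      </parameters>
    </defaultConnectionFactory>
    <providers>
      <provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer" />
    </providers>
  </entityFramework>
  <system.webServer>
    <handlers>
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <remove name="OPTIONSVerbHandler" />
      <remove name="TRACEVerbHandler" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
  </system.webServer>
</configuration>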
  • Is "Anonymous Authentication" enabled in IIS? Commented Jun 13, 2014 at 9:45
  • @AndreiV I am using IIS Express, yes Anonymous Authentication is enabled in the project properties Commented Jun 13, 2014 at 10:27
  • what namespace authorize attribute ? System.Web.Mvc ? Commented Jun 15, 2014 at 12:45
  • @Mediator Yes, I even changed it to "[System.Web.Mvc.Authorize] public class AccountController : Controller" to be sure. No luck :( Commented Jun 16, 2014 at 7:09
    @Para Could you provide your project to us? Commented Jun 16, 2014 at 10:41


Remove the Authorize attribute from all of your controllers and try to secure your application with a global filter instead.

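/// <summary>
/// Registers the filters applied to every action. As the answer notes, the global
/// AuthorizeAttribute still skips actions or controllers marked [AllowAnonymous].
/// </summary>
/// <param name="filters">The application's global filter collection.</param>
public static void RegisterGlobalFilters(GlobalFilterCollection filters) {
  filters.Add(new HandleErrorAttribute());
  // Fully qualified so it is unambiguous which AuthorizeAttribute is registered.
  filters.Add(new System.Web.Mvc.AuthorizeAttribute());
}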

The OnAuthorization Method of the Authorize Attribute looks for an AllowAnonymous Attribute on the action or the controller and bypasses authorization if this is the case.

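/// <summary>
/// Skips the authorization check when the action or its controller carries
/// [AllowAnonymous]; otherwise the normal check runs.
/// </summary>
/// <param name="filterContext">Describes the action being authorized.</param>
protected override void OnAuthorization(AuthorizationContext filterContext)
{
    // Both IsDefined calls pass the same 'inherit' flag (true). The original passed an
    // undeclared 'inherit' identifier for the action check, which does not compile.
    bool allowAnonymous =
        filterContext.ActionDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true) ||
        filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true);

    if (!allowAnonymous) {
        // Check for authorization
    }
    //more....
}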

How exactly do I bypass authorization if I find the AllowAnonymousAttribute?

Try removing the default redirection URL from the web.config, so that it looks like:

<!-- Same forms settings as the question, minus defaultUrl. -->
<authentication mode="Forms">
  <forms name=".ASPXAUTH"
         loginUrl="~/Account/Login"
         timeout="2880"/>
</authentication>

Also, check if you are referencing WebMatrix in your project. It will influence the redirection behavior. It adds additional keys to control redirection:

<!-- One of the WebMatrix redirection keys mentioned above. -->
<add key="PreserveLoginUrl" value="true"/>

and

<!-- The second WebMatrix redirection key: where to send unauthenticated users. -->
<add key="LoginUrl" value="~/Account/Login"/>


Tried all of this. It still behaves the same way. I am not referencing WebMatrix anyway; I tried it regardless because I am desperate, but no luck :(.

I was really frustrated by the same issue as this one.

Your login application's web.config must have the same

<!-- The pages element whose compatibility version must match between the two applications. -->
<pages controlRenderingCompatibilityVersion="4.0">

as your newly developed application, or vice versa.
